Palo Alto - High Availability Setup
Reference Sheet
Palo Alto Configuration
DAM POND (Dashboard, ACC, Monitor, Policy, Objects, Network, Device)
Active/Passive or Active/Active
Control Link (HA1)
Control plane traffic
Hellos/heartbeats
HA state Information
Routing Table Sync
User-ID sync
Data Link (HA2)
Data plane traffic
Synchronises sessions
Synchronises forwarding tables
Synchronises IPsec SAs
Shares ARP information
Detect Failures
----------------
Firewall Failure
Link Failure
Path Failure
Admin manually triggers a failover
Heartbeats (pings sent over the control link)
sent once every second
losing 2 in a row means the partner is dead
Internal health checks may also trigger a failover
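To make the heartbeat rule concrete, here is an added example in Python (not part of the reference sheet and not Palo Alto Networks code) that replays a constructed stream of heartbeat arrival times against the rule stated above: one heartbeat per second, and two lost in a row means the partner is dead. It shows that a single late or lost heartbeat does not cause a failover, and at what point silence does. The 0.25 s jitter allowance and the latching of the failed state are assumptions, not values from the page.

```python
"""Replay heartbeat arrivals and apply the two-missed-in-a-row rule (added example)."""
HEARTBEAT_INTERVAL = 1.0  # seconds between heartbeats, as stated on the page
MISSES_TO_FAIL = 2        # lost heartbeats in a row before the partner is declared dead
GRACE = 0.25              # assumed jitter allowance before a heartbeat counts as missed


def misses_since(last_seen, now, interval=HEARTBEAT_INTERVAL, grace=GRACE):
    """Heartbeats that were due since last_seen but have not arrived by now."""
    return max(0, int((now - last_seen - grace) // interval))


def replay(arrivals, poll_times):
    """Return [(t, state)] for each poll time; arrivals are heartbeat receive times in seconds.

    State is "unknown" until the first heartbeat, "up" while at most one heartbeat
    is outstanding, and "failed" once MISSES_TO_FAIL are missed in a row. The failed
    state latches (assumed: a failover is not undone by a late heartbeat).
    """
    arrivals = sorted(arrivals)
    i, last_seen, failed = 0, None, False
    states = []
    for t in sorted(poll_times):
        # consume every heartbeat that has arrived by this poll time
        while i < len(arrivals) and arrivals[i] <= t:
            last_seen = arrivals[i]
            i += 1
        if last_seen is None:
            state = "unknown"
        else:
            if misses_since(last_seen, t) >= MISSES_TO_FAIL:
                failed = True
            state = "failed" if failed else "up"
        states.append((t, state))
    return states


def first_failure_time(states):
    """Poll time at which the partner was first declared dead, or None."""
    for t, state in states:
        if state == "failed":
            return t
    return None


# Constructed sample: steady heartbeats, one 0.2 s late, then silence after 7.1 s.
ARRIVALS = [0.0, 1.0, 2.0, 3.0, 4.0, 5.0, 6.2, 7.1]
POLLS = [i * 0.5 for i in range(25)]  # poll every 0.5 s from 0 to 12 s

if __name__ == "__main__":
    for t, state in replay(ARRIVALS, POLLS):
        print(f"t={t:4.1f}s  {state}")
    print("failover declared at", first_failure_time(replay(ARRIVALS, POLLS)))
```

With the constructed stream the partner is declared dead at the 9.5 s poll, roughly two intervals plus the grace after the last heartbeat at 7.1 s; the late heartbeat at 6.2 s never registers as a loss.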
HA Configuration
Configuring High Availability (HA) on a Palo Alto Networks firewall via the Command Line Interface (CLI) involves several steps to set up the HA group, interfaces, and synchronization options.
1. Access the CLI and Enter Configuration Mode:
Connect to the firewall via SSH or console and log in. Then, enter configuration mode:
2. Configure HA General Settings:
Set the HA group ID, enable HA, and specify the mode (Active-Passive or Active-Active).
3. Configure HA Interfaces (HA1 and HA1 Backup):
Configure the interfaces designated for HA communication (HA1 for control link and HA1 Backup for redundancy). This typically involves setting the interface type to HA, assigning IP addresses, and specifying the peer's HA1 IP.
4. Enable Configuration and State Synchronization:
Enable synchronization of configuration and session state between the HA peers.
5. Configure HA Timers and Election Options (Optional):
Adjust HA timers and election options like preemption if needed.
6. Commit the Configuration:
Save the changes to the running configuration.
7. Repeat on the Peer Firewall:
Perform similar configurations on the peer firewall, ensuring the group ID, mode, and peer IP addresses are correctly configured to establish the HA relationship. The device priority may need to be set differently if using Active-Active HA or if you want to explicitly define the primary in Active-Passive.
Sample Configuration
set deviceconfig high-availability group id 10
set deviceconfig high-availability group enabled yes
set deviceconfig high-availability group mode active-passive
set network interface ethernet ethernet1/1 layer3 ip <ip-address>/<mask>
set network interface ethernet ethernet1/1 layer3 interface-type ha
set deviceconfig high-availability interface ha1 port ethernet1/1 peer-ip-address <peer-ip-address>
set deviceconfig high-availability interface ha1-backup port ethernet1/2 peer-ip-address <peer-ip-address>
Replace ethernet1/1 and ethernet1/2 with your actual interface names, and <ip-address>, <mask>, and <peer-ip-address> with the appropriate values.
set deviceconfig high-availability group configuration-synchronization enabled yes
set deviceconfig high-availability group state-synchronization enabled yes
set deviceconfig high-availability group election-option preemptive yes
set deviceconfig high-availability group timers advanced heartbeat interval <value>
commit
Note: For Active-Active HA, additional configuration for Device ID and potentially data links (HA2) is required. Ensure that the HA interfaces are correctly connected and network connectivity exists between the HA1 interfaces of both firewalls.
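Because step 7 has to mirror the sample on the second firewall with the peer addresses swapped, here is an added example in Python (not from the reference sheet and not Palo Alto Networks code) that renders the sample's command list for both peers from one specification and cross-checks the pair before anything is pasted into a console: same group ID and mode, each side's HA1 peer-ip-address equal to the other side's HA1 address, interface-type ha set on the HA1 port, and distinct device priorities. It follows the command syntax shown in the sample; the `device-priority` command and the layer3 addressing of the HA1 backup port are not in the sample and are taken from PAN-OS CLI usage as an assumption, and all addresses, ports and priorities are constructed.

```python
"""Render mirrored HA peer configs from one spec and cross-check the pair (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class HaPeer:
    ha1_ip: str         # this peer's HA1 control-link address (constructed)
    ha1_backup_ip: str  # this peer's HA1 backup address (constructed)
    priority: int       # device priority; assumed PAN-OS command, lower value preferred


@dataclass(frozen=True)
class HaSpec:
    group_id: int
    mode: str                            # "active-passive" or "active-active"
    mask: int = 30
    ha1_port: str = "ethernet1/1"        # ports as in the page's sample
    ha1_backup_port: str = "ethernet1/2"
    heartbeat_ms: int = 1000             # constructed value for the timer step


def render_peer_config(spec: HaSpec, me: HaPeer, partner: HaPeer) -> str:
    """Emit one peer's command list, using the partner's addresses as peer-ip-address."""
    ha = "set deviceconfig high-availability"
    lines = [
        f"{ha} group id {spec.group_id}",
        f"{ha} group enabled yes",
        f"{ha} group mode {spec.mode}",
        f"set network interface ethernet {spec.ha1_port} layer3 ip {me.ha1_ip}/{spec.mask}",
        f"set network interface ethernet {spec.ha1_port} layer3 interface-type ha",
        # backup-port addressing mirrors the sample's HA1 lines (assumption)
        f"set network interface ethernet {spec.ha1_backup_port} layer3 ip {me.ha1_backup_ip}/{spec.mask}",
        f"set network interface ethernet {spec.ha1_backup_port} layer3 interface-type ha",
        f"{ha} interface ha1 port {spec.ha1_port} peer-ip-address {partner.ha1_ip}",
        f"{ha} interface ha1-backup port {spec.ha1_backup_port} peer-ip-address {partner.ha1_backup_ip}",
        f"{ha} group configuration-synchronization enabled yes",
        f"{ha} group state-synchronization enabled yes",
        f"{ha} group election-option preemptive yes",
        f"{ha} group election-option device-priority {me.priority}",  # not in the sample; assumed
        f"{ha} group timers advanced heartbeat interval {spec.heartbeat_ms}",
        "commit",
    ]
    return "\n".join(lines)


def _entries(config: str):
    """Tokenise every 'set ...' line (the leading 'set' dropped); 'commit' is ignored."""
    return [tuple(l.split()[1:]) for l in config.splitlines() if l.startswith("set ")]


def _after(entries, *prefix):
    """Tokens following the first entry that starts with prefix, or None if absent."""
    for e in entries:
        if e[: len(prefix)] == prefix:
            return e[len(prefix):]
    return None


def _ha1_facts(entries):
    link = _after(entries, "deviceconfig", "high-availability", "interface", "ha1", "port")
    if link is None:
        return None
    port = link[0]
    peer_ip = link[link.index("peer-ip-address") + 1] if "peer-ip-address" in link else None
    own = _after(entries, "network", "interface", "ethernet", port, "layer3", "ip")
    iftype = _after(entries, "network", "interface", "ethernet", port, "layer3", "interface-type")
    return {"port": port, "peer_ip": peer_ip,
            "own_ip": own[0].split("/")[0] if own else None, "is_ha": iftype == ("ha",)}


def check_pair(cfg_a: str, cfg_b: str) -> list:
    """Cross-check two rendered peer configs; returns the list of problems (empty when consistent)."""
    a, b = _entries(cfg_a), _entries(cfg_b)
    grp = ("deviceconfig", "high-availability", "group")
    problems = []
    for field in ("id", "mode"):
        va, vb = _after(a, *grp, field), _after(b, *grp, field)
        if va != vb:
            problems.append(f"group {field} differs: {va} vs {vb}")
    fa, fb = _ha1_facts(a), _ha1_facts(b)
    if fa is None or fb is None:
        return problems + ["HA1 link missing on at least one peer"]
    for label, mine, theirs in (("A", fa, fb), ("B", fb, fa)):
        if not mine["is_ha"]:
            problems.append(f"{label}: {mine['port']} is not interface-type ha")
        if mine["peer_ip"] != theirs["own_ip"]:
            problems.append(f"{label}: HA1 peer-ip {mine['peer_ip']} is not the partner's HA1 address {theirs['own_ip']}")
    pa = _after(a, *grp, "election-option", "device-priority")
    pb = _after(b, *grp, "election-option", "device-priority")
    if pa is not None and pa == pb:
        problems.append(f"both peers use device-priority {pa[0]}; set them apart to pin the intended active")
    return problems


# Constructed sample pair for an Active-Passive group.
SPEC = HaSpec(group_id=10, mode="active-passive")
PEER_A = HaPeer(ha1_ip="10.10.1.1", ha1_backup_ip="10.10.2.1", priority=100)
PEER_B = HaPeer(ha1_ip="10.10.1.2", ha1_backup_ip="10.10.2.2", priority=110)
CFG_A = render_peer_config(SPEC, PEER_A, PEER_B)
CFG_B = render_peer_config(SPEC, PEER_B, PEER_A)

if __name__ == "__main__":
    print("# firewall A\n" + CFG_A + "\n\n# firewall B\n" + CFG_B)
    print("\nproblems:", check_pair(CFG_A, CFG_B) or "none")
```

Rendering the same peer twice (for instance pasting firewall A's commands into firewall B unchanged) is the classic mistake the check catches: both sides then point peer-ip-address at the same address and carry the same device priority.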