<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: PA 445 setup in Next-Generation Firewall Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/pa-445-setup/m-p/1253190#M6878</link>
    <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480"&gt;@BPry&lt;/a&gt; also, the sync to peer is enabled.&lt;/P&gt;</description>
    <pubDate>Tue, 28 Apr 2026 05:43:35 GMT</pubDate>
    <dc:creator>weezy</dc:creator>
    <dc:date>2026-04-28T05:43:35Z</dc:date>
    <item>
      <title>PA 445 setup</title>
      <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/pa-445-setup/m-p/1252743#M6862</link>
      <description>&lt;P&gt;So I'm setting up a new site on our JAPAN site.&lt;/P&gt;
&lt;P&gt;I set up 2 PA 445 in A/P. Both FWs are set up and the HA links are connected as well.&lt;/P&gt;
&lt;P&gt;The problem is the HA is not synced yet; the primary PA 445 is accessible remotely via HTTPS on both public ISP 1 and ISP 2.&lt;/P&gt;
&lt;P&gt;The reason is I have not yet moved the private MGMT IP under the permitted list on the MGMT interface for WAN, and I have not yet moved the cable from the MGMT port of the PA 445 to our CORE SW. We wanted to finish configuring the FW first before moving the private MGMT IP to the Permitted List.&lt;/P&gt;
&lt;P&gt;So now here is our setup:&lt;/P&gt;
&lt;P&gt;2 PA 445 and 2 Core SW. The PA 445 will act as L3 and all the SVIs are configured there, while we are doing L2 on the CORE SW.&lt;/P&gt;
&lt;P&gt;Can you help me: how can I sync the HA configs like AV/WILDFIRE/GP of the primary Palo Alto to the secondary Palo Alto 445 while the primary 445 is the only one accessible on both ISP 1 and ISP 2 remotely via HTTPS?&lt;/P&gt;
&lt;P&gt;I'm thinking of removing the config of the ISP1 interface on the PALO ALTO 445 primary, then using the secondary ISP as the ISP of the SECONDARY PA445? I'm also thinking of removing the HA cables? But I noticed earlier, when I did that, I configured ISP 2 on the Secondary FW 445 because ISP 2 was not yet configured on the PRI 445. I also configured the service routes for DNS and updates.paloaltonetworks.com, and I tried to ping 8.8.8.8 on google CLI and I was not able to ping, and I could not even access the SEC PA 445 via https. So I gave up and I configured ISP 2 on the PA PRI and I created NAT, VR2, and after that I can access the PRI FW on both ISP and ISP 2 remotely.&lt;/P&gt;
&lt;P&gt;The only thing I'm seeing is moving the PRIVATE MGMT IP to the permitted list, then connecting the cables of the PA PRI and PA SEC MGMT ports going to CORE SW 1 and 2, then accessing the FW via VPN using its own private IP?&lt;/P&gt;
&lt;P&gt;Because we have a tunnel from the PA445 PRI going to our Equinix where we advertised /x, and Equinix is used for remote MGMT. Actually our CORE SW was accessible on our VPN as soon as I added the tunnel going to Equinix.&lt;/P&gt;
&lt;P&gt;Please let me know your suggestions; I really need your help. This 445 gives me so many problems as it has so many issues.&lt;/P&gt;
&lt;P&gt;Please let me know if anyone has encountered this.&lt;/P&gt;
</description>
      <pubDate>Wed, 22 Apr 2026 08:18:11 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/next-generation-firewall/pa-445-setup/m-p/1252743#M6862</guid>
      <dc:creator>weezy</dc:creator>
      <dc:date>2026-04-22T08:18:11Z</dc:date>
    </item>
    <item>
      <title>Re: PA 445 setup</title>
      <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/pa-445-setup/m-p/1252901#M6867</link>
      <description>&lt;P&gt;Can anyone help me?&lt;/P&gt;</description>
      <pubDate>Fri, 24 Apr 2026 02:16:27 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/next-generation-firewall/pa-445-setup/m-p/1252901#M6867</guid>
      <dc:creator>weezy</dc:creator>
      <dc:date>2026-04-24T02:16:27Z</dc:date>
    </item>
    <item>
      <title>Re: PA 445 setup</title>
      <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/pa-445-setup/m-p/1252992#M6872</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/259684"&gt;@weezy&lt;/a&gt;,&lt;/P&gt;
&lt;P&gt;I'm confused on why you wouldn't set up the firewall fully before transporting it to the remote site, or leaving the remote site before fully configuring everything? You're going to want to hook up the MGMT ports and get them accessible across your VPN so that you can properly manage them.&lt;/P&gt;
&lt;P&gt;I would &lt;EM&gt;assume&lt;/EM&gt; that you either didn't ever install the dynamic updates on the passive device, or that you do not have the 'Sync To Peer' box checked on your update schedule so the primary is never transferring, and with the secondary presumably using a service route without a MGMT connection it's never going to stay in sync.&lt;/P&gt;</description>
      <pubDate>Fri, 24 Apr 2026 16:23:14 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/next-generation-firewall/pa-445-setup/m-p/1252992#M6872</guid>
      <dc:creator>BPry</dc:creator>
      <dc:date>2026-04-24T16:23:14Z</dc:date>
    </item>
    <item>
      <title>Re: PA 445 setup</title>
      <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/pa-445-setup/m-p/1253052#M6875</link>
      <description>&lt;P&gt;Hi &lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480"&gt;@BPry&lt;/a&gt;,&lt;/P&gt;
&lt;P&gt;These PA 445s were just ordered and delivered to the Japan site. The company was just acquired by our company. They wanted to set up PA 445s there and move into our network.&lt;/P&gt;
&lt;P&gt;1. The primary FW is accessible on both the ISP 1 and ISP 2 public IPs. The service route is pointed to ISP 1 ETH 1/1 for DNS and updates.paloaltonetworks.com.&lt;/P&gt;
&lt;P&gt;2. If the primary fails, the secondary PA 445 will take over immediately and will be accessible via ISP 1 and ISP 2.&lt;/P&gt;
&lt;P&gt;3. The Sync to Peer box was checked. I did try to sync updates on BOTH PRI AND SEC and it didn't work. DLP and others are mismatched even though I updated to the same version.&lt;/P&gt;
&lt;P&gt;4. On the secondary PA 445 I did configure the service route pointing to ETH 2 for DNS and updates.paloaltonetworks.com, and I tried to download the updates and I could not ping Google. Possibly it is because of the primary; it still sees ETH1/1 and not ETH1/2 for updates.&lt;/P&gt;
&lt;P&gt;Here is what I'm thinking.&lt;/P&gt;
&lt;P&gt;1. Delete the secondary ISP configuration on the PA 445 PRI, then disconnect the HA, then update the wildfire/av/gp/dl plugin on the secondary PA445 and make it accessible remotely via https using the secondary public ISP, while the primary is accessible via ISP 1.&lt;/P&gt;
&lt;P&gt;2. Add the MGMT IP of both FWs to the permitted list, then configure the service route to the MGMT interface, then connect the MGMT ports to our core switch and make both FWs accessible remotely using their private IPs on our VPN. Then once they are there I can update them both at the same time using our private MGMT IPs.&lt;/P&gt;
&lt;P&gt;Also, our upper mgmt just ordered the FW and sent it to this new site, without having us configure it first. But wait, I'm working remotely and the site is in Japan, and the mgmt won't ship the FW here to our location. It will be expensive. Also, this is what we did on our previous sites.&lt;/P&gt;
&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480"&gt;@BPry&lt;/a&gt; let me know your thoughts on this.&lt;/P&gt;
&lt;P&gt;Regards,&lt;/P&gt;</description>
      <pubDate>Mon, 27 Apr 2026 03:07:47 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/next-generation-firewall/pa-445-setup/m-p/1253052#M6875</guid>
      <dc:creator>weezy</dc:creator>
      <dc:date>2026-04-27T03:07:47Z</dc:date>
    </item>
    <item>
      <title>Re: PA 445 setup</title>
      <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/pa-445-setup/m-p/1253190#M6878</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480"&gt;@BPry&lt;/a&gt; also, the sync to peer is enabled.&lt;/P&gt;</description>
      <pubDate>Tue, 28 Apr 2026 05:43:35 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/next-generation-firewall/pa-445-setup/m-p/1253190#M6878</guid>
      <dc:creator>weezy</dc:creator>
      <dc:date>2026-04-28T05:43:35Z</dc:date>
    </item>
  </channel>
</rss>

