topic Re: How to configure passive HA Panorama ethernet interface in Panorama Discussions

How to configure passive HA Panorama ethernet interface

KNau — Thu, 19 May 2022 11:10:30 GMT

We are currently deploying two Panorama M-series appliances with active/passive configuration. The expected interface configuration will be like this:

Active/Primary Panorama:

Management: 172.20.1.11 (only for Panorama management access)

ethernet1/1: 10.20.5.100 (for device management, log collection, etc.) > devices will be connected to this interface

Passive/Secondary Panorama:

Management: 172.20.1.12

ethernet1/1: 10.20.5.100 (if possible to use same IP as primary) OR 10.20.5.101 (if different IP is required)

The issue is the ethernet1/1 options on the passive Panorama are greyed out and we cannot configure anything on it.

My question is, is it possible to configure ethernet interface on an M-series Panorama in passive HA configuration? If possible, then how is the behavior of the ethernet interface:

1. The secondary Panorama ethernet1/1 interface will be disabled due to passive mode, and automatically enabled when the appliance becomes active mode (just like HA on firewalls)

2. The secondary Panorama ethernet1/1 interface is enabled all the time regardless of active/passive mode (in this case we will use different eth1/1 IP on primary and secondary to prevent IP conflict)

3. Primary and secondary Panorama ethernet interfaces configuration are synced between each other.

Thank you.

Model: Panorama M-600 (x2)

SW version: 10.1.4-h4

Re: How to configure passive HA Panorama ethernet interface

PavelK — Tue, 24 May 2022 21:44:53 GMT

Thank you for the post @KNau

I do not have this exact same setup in my environment, however by looking into documentation, you should make these changes from active Panorama. Please refer to this document, STEP 3 >> (HA only) Configure the interfaces on the passive Panorama management server.:

https://docs.paloaltonetworks.com/panorama/10-1/panorama-admin/set-up-panorama/set-up-the-m-series-appliance/configure-panorama-to-use-multiple-interfaces/configure-panorama-for-network-segmentation

I think selecting the checkbox: Device Management and Device Log Collection is what you need to meet your requirement.

The reason why you can't make this change on Panorama passive node is feature limitation. Only Device Deployment is supported. Options to enable Device Management and Device Log Collection and Collector Group Communication are therefore gray out.

Regarding the IP address you configure on interface 1/1, you should use different IP address than what you configured for interface 1/1 on Panorama active node. From 3 options you mentioned, the option 2 is from my point of view correct answer.

After you make these changes, do not forget to commit it to Panorama and push the changes to log collector group.

Kind Regards

Pavel

Re: How to configure passive HA Panorama ethernet interface

KNau — Fri, 24 Jun 2022 02:08:50 GMT

Thank you for answering and sorry for the late response @PavelK

I have tried the second method on the production Panorama (by applying different IP on secondary Panorama) and it worked successfully, and now I could deploy the firewalls that connects to both active and passive Panorama.

Thank you!