Failover Topology

M.Gill298701 — Thu, 13 Feb 2025 10:53:20 GMT

I'm configuring a pair of PA460 for the first time in SCM and a little lost at how I'm meant to do the HA.

I can only do active/passive but my question is more aimed at how I configure the interfaces for the LAN/zones on the two PAs.

Do I configure the interfaces exactly the same on both boxes e.g. IP identical and then the standby just takes over?

Usually firewall vendors will have some sort of FHRP functionality or virtual IP service, but Palo doesn't seem to support either of these hence why I'm a little lost.

Just to clarify: the actual HA config I'm good with, configured a HA1 and HA2 interface and its working as expected. This is purely about the LAN interfaces dealing with traffic

Re: Failover Topology

TomYoung — Thu, 13 Feb 2025 18:13:58 GMT

Hi @M.Gill298701 ,

Yes, the configuration is exactly the same, and in the event of failover the passive then becomes active.

With active/passive HA, the configuration is exactly the same between both FWs except for a few device configurations listed here. https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/high-availability/reference-ha-synchronization

For standalone, you configure one FW and the config is synced. For Panorama, you put the HA pair in the same template (and device group). With SCM, it looks like you put them in the same parent folder and modify that configuration scope. If you configure HA in that scope, you will need to use variables as the HA links must have different IP addresses. https://live.paloaltonetworks.com/t5/next-generation-firewall/ha-configurations-in-strata-cloud-manager-scm-with-ngfw/td-p/616341

Thanks,

Tom

topic Re: Failover Topology in Strata Cloud Manager

Failover Topology

Re: Failover Topology