topic Re: HA Active/Passive Management Design in General Topics

HA Active/Passive Management Design

cmateam — Thu, 03 May 2012 21:40:34 GMT

I am testing out and setting up two PA-2020 in a HA Active/Passive setup for eventual use in our production network. I am testing this outside of our current network infrastructure to ensure I understand the complete setup processes. I had a couple design questions regarding this setup.

As of now I have two zones, WAN and LAN enabled on both firewalls. I’ve enabled two ports for HA on both firewalls and have connected them with crossover cables. Both WAN cables are running into a switch, and both LAN cables are running into another switch. I’ve been able to get HA working, but had a question about how to manage both PAN FWs separately, since the interfaces on one is inactive in the passive state. Currently both management ports are set to the default IP and subnet, but I was wondering if I can assign the management port in the same subnet as the LAN network to manage the firewalls independently. In order to suspend firewalls for PAN OS upgrades can I manage both firewalls at the same time in this manner?

I’m a little bit new to firewalls, and even newer to PANs and wanted to make sure I understood the setup behind this. Thanks for all your help.

Any other thoughts or tips would be awesome, too! Thanks!

Re: HA Active/Passive Management Design

zarina — Fri, 04 May 2012 00:11:46 GMT

The interfaces on the passive device will be inactive. You can manage both the active and the passive box through the management ports which remain active irrespective of the HA state. You will still have access to both the boxes during upgrade if you use management ports.

There is a specific procedure to be followed during upgrade to ensure minimal downtime. These document walks you through the process:

The procedure is the same irrespective of the PANOS to which you want to upgrade from/to.

Re: HA Active/Passive Management Design

rmonvon — Fri, 04 May 2012 04:33:40 GMT

Also, if you're deploying the PAN firewalls in L3 mode, the passive LAN & WAN interfaces can be set to auto and these interfaces on the passive PAN can be in an up state.

Re: HA Active/Passive Management Design

cmateam — Fri, 04 May 2012 14:13:01 GMT

Per my original question, can the management ports be subnetted to my LAN zone with an IP address that I can access from the LAN zone - instead of having to walk into my Data Center with two laptops to manage the firewalls. This will also be particularly important as I will need to manage two additional firewalls at a second location via a IPSec tunnel.

Re: HA Active/Passive Management Design

rmonvon — Fri, 04 May 2012 15:17:52 GMT

Yes there is a dedicated mgt port on each PAN firewall and you can assign a LAN's IP address to the mgt port. Each firewall should be given a different IP address for its mgt port. Thanks.

Re: HA Active/Passive Management Design

Ante — Fri, 04 Jan 2013 09:11:50 GMT

Anyway I could get access to these docs?

Re: HA Active/Passive Management Design

mikand — Sun, 06 Jan 2013 21:41:02 GMT

You mean ? It works for me so I guess it should work for you aswell to access that url?