topic Re: PA200 disaster recovery option...? in General Topics

PA200 disaster recovery option...?

thatguy — Wed, 20 Jan 2016 18:23:04 GMT

Hi all --

I curently have one PA200 with all four eth ports taken (internal/trust network, internet/untrust, dmz, voip vlan), as well as the mgmt port connected to the internal network. I'm looking to get a disaster recovery plan in place, but, as far as I understand (from about here to here |--| ), I would need one of the eth interfaces to connect to a second PA200 to utilize HA-Lite.

Since I can't spare a port, would another option be to: get a second PA200, import the current running config on the production PA, then just put the spare PA in the closet; then if the production PA ever dies, just replace it with the spare PA and *poof* no one sees a difference?

Is that a sound plan? I would think another benefit to this would be in case of a fire, etc, the spare PA could be stored in our other building.. but that could just be me trying to convince meself...

Thoughts?

Thanks

-- michael~

Re: PA200 disaster recovery option...?

Brandon_Wertz — Wed, 20 Jan 2016 18:29:01 GMT

Do you have a requriement for physical port separation? Can you collapse ports into sub-interfaces, or would that voilate some local policy/requirement you might have?

Re: PA200 disaster recovery option...?

pankaku — Wed, 20 Jan 2016 18:42:35 GMT

You can bundle the interface if you can. Check the following document:

https://www.paloaltonetworks.com/documentation/61/pan-os/newfeaturesguide/networking-features/lacp.html

https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/networking/lacp-settings.html

To export and import the configuration refer to the following document:

https://live.paloaltonetworks.com/t5/Management-Articles/CLI-Commands-to-Export-Import-Configuration-and-Log-Files/ta-p/52661

Hope this helps!

Re: PA200 disaster recovery option...?

pankaku — Wed, 20 Jan 2016 18:44:39 GMT

check following for HA configuration:

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-High-Availability-on-PAN-OS/ta-p/54086

https://live.paloaltonetworks.com/t5/Learning-Articles/What-is-HA-Lite-on-Palo-Alto-Networks-PA-200-and-VM-Series/ta-p/62553

Re: PA200 disaster recovery option...?

thatguy — Wed, 20 Jan 2016 18:47:41 GMT

I haven't palyed with subinterfaces before... after a brief read, I'm guessing I could combine the trust (192.168.1.0/24) and the voip vlan (192.168.100.0/24) into the eth0 port, as long as the cxn from the switch is config'd as a trunk? which would even save an additional switch port, yeah?

Sidenote: in case the boss does want the spare stored in another building, would the swap-out idea work as well?

Thanks

Re: PA200 disaster recovery option...?

Brandon_Wertz — Wed, 20 Jan 2016 18:55:19 GMT

I'm not certain of the phsyical limitation (if any) on the PA-200 with sub-interface limits, but technically you could collapse all interfaces into one interface with 4 sub-interfaces with that one interface on the network "trunked" with each VLAN allowed and use VLAN tagging in the PA-200 to separate out your traffic with each subinterface in it's own Zone as necessary.

The cold spare would work, but you'll have to deal with moving licenses (if using any). You also run the risk of config deviation if you just image that box from a given point in time.

Re: PA200 disaster recovery option...?

pankaku — Wed, 20 Jan 2016 19:01:42 GMT

Yes you will get extra port both idea will work. Make sure in second plan you should do cabling properly.

Re: PA200 disaster recovery option...?

thatguy — Wed, 20 Jan 2016 20:08:10 GMT

Thank you, both.. I'll probably go with the cold-spare until I can figure out the sub-interface config. These PA's are pretty neat! Always learning... 😄