topic Re: forming firewall HA in a panorama managed environment in General Topics

forming firewall HA in a panorama managed environment

akhalighi — Wed, 11 May 2016 01:43:59 GMT

we have a panorama managed firewall and we push objects from panorama to it . we are considering to make a HA firewall setup . as per articles from PaloAlto , Panorama objects are not being synchronized.

Question 1 : Should we add secondary firewall to Panorama prior to forming HA cluster and ensure it's completely synced up ?

Question 2 : Is there any other concerns that we need to be aware for this scenario ( forming firewall HA with a panorama managed device )

Re: forming firewall HA in a panorama managed environment

rmonvon — Wed, 11 May 2016 14:30:29 GMT

@akhalighi wrote:

we have a panorama managed firewall and we push objects from panorama to it . we are considering to make a HA firewall setup . as per articles from PaloAlto , Panorama objects are not being synchronized.

Question 1 : Should we add secondary firewall to Panorama prior to forming HA cluster and ensure it's completely synced up ?

If you plan to configure the HA settings from Panorama & push to the 2nd firewall, then you should add the 2nd PA to Panorama 1st and define a template for the 2nd PA. If you plan to keep the HA setting local to the PA, then you can do it either way.

Question 2 : Is there any other concerns that we need to be aware for this scenario ( forming firewall HA with a panorama managed device )

You need to put both PAs into the same device group so they can have the same shared policies. You can commit to each PA one at a time or select both when committing from Panorama.

If the PAs are in A/P HA and their network settings are the same, you may want to put both in the same template assuming the mgmt & HA settings are set locally at the PA. Or you can put each PA in its own template and assign every settings within the template.

Re: forming firewall HA in a panorama managed environment

akhalighi — Wed, 11 May 2016 14:56:51 GMT

Thanks

This is going to be an Active-Passivesetup with Active running some VSYSs.

in our scenario panorama pushes objects to VSYSs on Active firewall . do we still need to add all VSYSs on passive PA to receive objects from Panorama ? Or objects will be replicated as part of VSYS syncronization ?

Re: forming firewall HA in a panorama managed environment

rmonvon — Wed, 11 May 2016 17:04:22 GMT

With multi VSYS running, each VSYS is considered to be a firewall by Panorama. For example, we have 5 VSYS'es defined and Panorama will detect 5 firewall instances (10 firewall instances in the case of HA). Typically, we will define 5 device groups, 1 group for each VSYS with a pair of A/P firewalls in each group.

You will need to to commit to the passive to push the objects from Panorama. Panorama commits are not sync to give us the flexibility to commit to 1 PA or to both. Also, there is no VSYS sync but rather the sync is done with HA process.

Re: forming firewall HA in a panorama managed environment

akhalighi — Wed, 11 May 2016 19:44:10 GMT

Thanks . so to be clear , If I have two VSYSs ( VSYS1 and VSYS2) on Active PA and I form a HA cluster ; these two VSYSs will be craeted on passive node durinf first configuration Sync but I have to add them to Panorama to receive the objects . Is that right ?

Re: forming firewall HA in a panorama managed environment

rmonvon — Wed, 11 May 2016 22:43:43 GMT

1st you will need to manually enable Multi-VSYS on the passive. Then if the VSYS'es are defined locally on active PA, you can perform an HA sync and the configuration of the VSYS will sync to the passive. If you are using template in Panorama to define the VSYS'es, then you need to perform a template commit to push the VSYS config to the passive.

Hope that helps.

Re: forming firewall HA in a panorama managed environment

akhalighi — Thu, 12 May 2016 12:53:50 GMT

Thanks . VSYSs are defined locally but they receive objects ( address objects and service objects ) from Panorama . so I guess after HA Sync , we need to add VSYSs on Passive PA to Panaroma and push Panorama objects to them ?

Re: forming firewall HA in a panorama managed environment

rmonvon — Thu, 12 May 2016 13:57:43 GMT

The HA sync should add the VSYS'es onto the passive PA, and Panorama will see the new VSYS'es of the passive PA. You then need to add these VSYS'es of the passive to the device group(s) within Panorama. Once the VSYS'es are in device group(s), you can push Panorama objects & policies to the passive.