topic Re: Moving from a single PA500 to HA pair of PA820 in General Topics

Moving from a single PA500 to HA pair of PA820

CTaveras — Wed, 31 May 2017 20:30:40 GMT

As the subject states we are single PA500 shop now moving to Dual PA820 in HA.

What can I expect when moving to this type of setup coming from a single FW setup.

Is there anything I need to look out for any "Gotchas"? So far I know I am using 5 copper ports on the PA500 and the PA820 only has 4 so I know I will need a module. Can anyone think of anything else I may encounter, anything related to Policies, Objects, VPN config anything that you guys can think of.

Re: Moving from a single PA500 to HA pair of PA820

BPry — Wed, 31 May 2017 20:49:40 GMT

@CTaveras,

I assume that you are going to run in an Active/Passive setup. Not much really changes and there are not really any additional steps that you have to do to keep things working correctly. As far as VPN goes GP clients usually transfer over during a failover even fine, where IPSec site-to-site tunnels that I have generally need a few minutes to re-key with the other unit to start passing traffic again.

Re: Moving from a single PA500 to HA pair of PA820

CTaveras — Wed, 31 May 2017 21:14:39 GMT

@BPry

Thank you very much for the response, how does HA handle user traffic passing out if one of the firewalls dies,

Do I need to flush arp anywhere or do they keep session tables to some degree?

Re: Moving from a single PA500 to HA pair of PA820

rmfalconer — Thu, 01 Jun 2017 05:01:52 GMT

For IP addresses configured on interfaces, you shouldn't need to clear arp due to the firewall performaing gratuitous arp after an HA event.

Gratuitous arp is not done for NAT addresses so you might need to clear on external routers if you are doing NAT.

Re: Moving from a single PA500 to HA pair of PA820

TranceforLife — Thu, 01 Jun 2017 06:49:52 GMT

@rmfalconer Hi,

If the Palo has DNAT configured on the external interface for let's say an external range of IPs, it will not send a GARP after failover?

Re: Moving from a single PA500 to HA pair of PA820

reaper — Thu, 01 Jun 2017 07:28:41 GMT

@rmfalconer: the PA does proxy arp for IP addresses used in NAT policies

The HA cluster uses a virtual MAC address which is moved over to the active member if there is a failover event, so the GARP will trigger any switches to learn where the MAC is located and any upstream devices will already have a mapping for the NAT addresses to the virtual MAC. if an IP is not known yet, the active member (wether primary or secondary) will simply proxy arp for the IP using the virtual cluster MAC

@CTaveras: the HA cluster (via the HA2 interface) shares all information regarding active sessions (tcp sequence, NAT, QoS, content scanning status,...) , so if there is a failover event all sessions are immediately 'active' on the secondary firewall and can continue as if nothing happened

Re: Moving from a single PA500 to HA pair of PA820

TranceforLife — Thu, 01 Jun 2017 09:42:09 GMT

Ok so floating MAC address shared between the HA members. All ARP requests for any DNAT IP address that Palo owns will be replied by an active member with its floating MAC address?

Re: Moving from a single PA500 to HA pair of PA820

reaper — Thu, 01 Jun 2017 08:42:00 GMT

correct

- a HA cluster switches to a floating MAC on all interfaces (based on the cluster ID)

- upon HA failover GARP is sent out for all interfaces

- PA performs proxy ARP for any IP used in NAT policies (in case of HA, the floating MAC is shared)

so normally all connected devices will automatically switch everything over to the active HA peer

Re: Moving from a single PA500 to HA pair of PA820

TranceforLife — Thu, 01 Jun 2017 08:46:00 GMT

Such a clear answer! Thanks as always

Re: Moving from a single PA500 to HA pair of PA820

CTaveras — Fri, 02 Jun 2017 12:51:24 GMT

First thank you all for the info/Insight great info!!

A few more quetions

1. Any benefit going Active/Active over Active Passive, Pros and cons?

2. We have the public and private keys of a trusted Certificate Authority imported into the firewall such that the firewall can issue certificates as that CA. I’m assuming exporting and importing the config won’t also migrate over certificate information such that we would have redo those configurations on the new firewall.

Re: Moving from a single PA500 to HA pair of PA820

TranceforLife — Sat, 03 Jun 2017 10:15:43 GMT

1) No benefits, l know it adds only complexity through l never done it before. Only useful as a temp fix while you dealing with the asymmetric routing on the network.

2) Keys and certs will be migrated (keys are encrypted with the master key on palo)

Re: Moving from a single PA500 to HA pair of PA820

acc6d0b3610eec313831f7900fdbd235 — Fri, 02 Jun 2017 16:25:20 GMT

@CTaveras Just be aware that PAN-OS 8.0.x is the minimum OS version for the new platforms 220, 800 series and 5200 series.

Other than that, I agree with some of the other comments such as:

1. Be aware of potential proxy arp configuration on upstream routers. it may break the NAT functionality. If you have static or proxy arp on upstream routers make sure to remove it before starting to test especially the NAT rules.

2. Make sure to configure the Active/Passive Settings as Auto instead of Shutdown. The reason for that is because in the shutdown state, upstream and downstream devices connected to the passive device will not see a valid path until the passive firewall becomes active. That may be a little frustrating because the failover may be delayed a few seconds longer, which may be unnaceptable for some businesses.

3. Also be aware of the preemption feature. If your firewalls are connected to two different ISPs and both have different bandwidths, typically you want the firewall connected to the higher bandwidth to always be the Active firewall in the HA pair. In this case you may want to enable the preemtion feature and configure a timer on it.

For more advises on HA optimization and configuration please refer to the following document:

https://live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/documentation_tkb/543/2/HA_Failover_Optimization-RevC.pdf

I hope this helps.

Re: Moving from a single PA500 to HA pair of PA820

CTaveras — Wed, 07 Jun 2017 20:04:28 GMT

We will def have 2 ISP but using both simultaniously.

Some one mentioned something about Virtual MAC when in HA...I assume that was for the External interface?

What about the Trusted port does that also get a Virtual MAC?

Re: Moving from a single PA500 to HA pair of PA820

acc6d0b3610eec313831f7900fdbd235 — Thu, 08 Jun 2017 06:07:18 GMT

@CTaveras If you want to utilize both links simultaneously one of the options you have available is to enable the ECMP feature. https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Implement-ECMP-Load-Balancing-on-the-Firewall/ta-p/110339 The ECMP allows you to specify up to 4 route paths with the same cost (metric) while applying Load Balance algorithms such as Round Robin for load distribution.

Re: Moving from a single PA500 to HA pair of PA820

CTaveras — Thu, 08 Jun 2017 13:23:22 GMT

@acc6d0b3610eec313831f7900fdbd235 I notice that although I set the Passive link state on the Active FW to Auto, the Passive has not sync'd this change.

Is this expected behavior or does the passive device also need this setting? I read the Doc you linked and it doesnt mention anything about the passive device.

Re: Moving from a single PA500 to HA pair of PA820

TranceforLife — Thu, 08 Jun 2017 13:30:16 GMT

Yes expected. These settings are local:

https://live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/documentation_tkb/568/1/HA_Synchronization_RevD.pdf