topic Re: Migrating from sub-interface to L3 interface in General Topics

Migrating from sub-interface to L3 interface

filterfilter — Tue, 08 May 2018 04:10:30 GMT

Hi,

We have pair of PA in HA mode, we are going to move one of the sub-interface to a L3 interface. is it possible to do this without any downtime? I am considering below steps

take out sub-interface from monitored interface (to prevent failover)
configured L3 interface on standby firewall (is this possible to have a different config between active/passive firewall?)
failover to standby firewall (not sure if session table will be sync correctly since now it is configured on an l3 interface instead on sub-interface)
sync configuration from now active firewall ( previously standby) to passive firewall.

any suggestion or thoughts?

Thanks

Re: Migrating from sub-interface to L3 interface

OtakarKlier — Tue, 08 May 2018 17:19:15 GMT

Hello,

I would say do this in a maintenance window where you can have down time and this could cause issues especially if something is missed in the config. I would not recomnmend having a different config for active/passive units.

Just my thoughts.

Re: Migrating from sub-interface to L3 interface

BPry — Tue, 08 May 2018 19:38:20 GMT

@filterfilter,

You could do it the way you describe perfectly fine baring that you toggle a few settings on the firewalls to temporarily break configuration sync. Although as @OtakarKlier has already mentioned there are certain risks that go along with this that really best to being done in a maintenance window. You aren't going to know for 100% if you have the configuration done properly until you actually failover traffic, and if it's not dialed in properly you could cause a momentary outage as you move things back to the other HA member.

Re: Migrating from sub-interface to L3 interface

JoeAndreini — Wed, 09 May 2018 11:15:02 GMT

I think you are making this harder than it needs to be...

I would do the following:

1) configure the new ports on the switch in your VLAN and wire it to the new ports on the firewalls

2) just before your maintenance window, configure the new firewall ports and remove the subinterfaces

3) when the maintenance window begins, apply this candidate configuration

4) once you verify everything is functioning, remove the VLAN from the trunk ports on the switch

Re: Migrating from sub-interface to L3 interface

davanderson — Wed, 09 May 2018 15:13:29 GMT

I like the way you are approaching this option, but I would change the methodology slightly:

1) configure the new ports on the switch in your VLAN and wire it to the new ports on the firewalls (with the switchports SHUT)

2) setup the new FW ports as just standard members of the VLAN (untagged or access-port depending on your terminology) and push policy

3) when the maintenance window begins, SHUT the VLAN Trunk Interface on the switch, NO SHUT the standard access ports

4) once you verify everything is functioning, remove the VLAN from the trunk ports on the switch

5) once you verify everything is functioning, remove the VLAN tagging from the FW ports and push policy

The roll back is a quick - SHUT of the new ports and NO SHUT of the old ports.

Very similar process to Joe, but slightly different focus.

Re: Migrating from sub-interface to L3 interface

JoeAndreini — Wed, 09 May 2018 15:51:28 GMT

OP specified they were moving to an L3 interface - not sure you can have two interfaces with same IP even if one is "down."

That aside, I feel this is a "tomatoe-tomahto" sort of difference, and agree that either solution is possible and easier than breaking HA and bringing firewalls off/on-line.

Re: Migrating from sub-interface to L3 interface

Remo — Wed, 09 May 2018 18:44:15 GMT

@JoeAndreini wrote:
I think you are making this harder than it needs to be...

I would do the following:
1) configure the new ports on the switch in your VLAN and wire it to the new ports on the firewalls
2) just before your maintenance window, configure the new firewall ports and remove the subinterfaces
3) when the maintenance window begins, apply this candidate configuration
4) once you verify everything is functioning, remove the VLAN from the trunk ports on the switch

I would also use exactly these steps for this migration. Specially because I can confirm that was working perfectly fine when I did the opposite (migrate from L3 interfaces to subinterfaces).

PaloAlto Firewalls are Zone based firewalls, so the session sync will work during this migration. This is because on a Palo Alto Networks firewall, a session is defined by two uni-directional flows each uniquely identified by a 6-tuple key: source-address, destination-address, source-port, destination-port, protocol, and security-zone. --> nothing about source-interfaces 😉

Re: Migrating from sub-interface to L3 interface

filterfilter — Thu, 10 May 2018 00:34:06 GMT

Thanks a lot for the inputs. Their requirement is that they don't want any interuption during this migration because they have a monitoring system on this sub-interface, and any traffic interruption will create a noise/alarm.

I agree with @JoeAndreini, this migration should be simple. I will try to push with this method with them on a maintenance window.

Again, thanks a lot for the input.