topic Upgrading a stand alone PA-Firewall 3020 to a HA-Cluster in General Topics

Upgrading a stand alone PA-Firewall 3020 to a HA-Cluster

Mvdohe — Tue, 28 Aug 2018 15:15:51 GMT

Hello everybody,

is there any article or best practice document which discribes the configuration of a Palo Alto 3020 Firewall HA-Cluster active/passive while there is already a working stand alone PA 3020 Firewall.

Is it the same way I configure a HA-Cluster out of the box?

https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/high-availability/set-up-activepassive-ha/configure-activepassive-ha

Which parts of the config get synced to the peer and which had to be preconfigured on the secondary node?

Something I should pay attention to?

Thanks for your support!

Kind regards

Re: Upgrading a stand alone PA-Firewall 3020 to a HA-Cluster

OtakarKlier — Tue, 28 Aug 2018 16:40:35 GMT

Hello,

The process is the same. The way I have done it in the past was to setup the 'active' one first, in your case it would be the one that is already deployed. I would then also set its 'priority' so something like 10 so it'll negotiate as the 'active'. Then I would setup the 'passive' device per the documentation.

https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/high-availability/set-up-activepassive-ha/configure-activepassive-ha#id2351b088-8534-472b-9f43-34744c9075ec

Hope that helps!

Re: Upgrading a stand alone PA-Firewall 3020 to a HA-Cluster

reaper — Wed, 29 Aug 2018 11:44:51 GMT

even it is very easy to change your deployment from standalone to HA, there is one giant caveat: the firewall's MAC addresses will change into shared MACs, so you will need to flush your arp/mac tables on all connected devices

other than that, walk in the park 😉

Re: Upgrading a stand alone PA-Firewall 3020 to a HA-Cluster

Mvdohe — Wed, 29 Aug 2018 13:39:42 GMT

Thanks for your answer!

At which step do you flush the arp tables? After setup of the HA-Cluster?

What means any connceted device? Any virtual machine e.g?

And which parameters had to be preconfigured on the secondary firewall (mgmt. ip, dns, ha-config, interfaces, virt. router,...) and which parameters will be synced to the peer by setting up the active/passive HA-Cluster.

Is there any best practice paper or knowledge base article?

Thanks for your support!

Re: Upgrading a stand alone PA-Firewall 3020 to a HA-Cluster

reaper — Wed, 29 Aug 2018 14:05:28 GMT

when you commit the HA config the MAC addresses will change, your routers and switches will benefit most from clearing the cache/reviewing static entries

Hosts will typically ask for MAC information and won't be impacted as much

The secondary firewall needs to be configured with a management interface and matching HA config,

It will also need to be set to the identical software version and ideally (optional but strongly recommended) same content/threat/AV/URL filtering versions

After the HA is established, the primary member can copy over mostly all config (sync to peer)

Here you can find what is and isn't synced: https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/high-availability/reference-ha-synchronization

(so in short, you will still need to configure 'system specific' settings like dns, ntp, licensing, content update schedules, HA parameters)

There is a best practices space that addresses all sorts of deployments: https://www.paloaltonetworks.com/documentation/best-practices

And there is a best practice on how to upgrade a firewall/cluster https://live.paloaltonetworks.com/t5/Featured-Articles/Best-Practices-for-PAN-OS-Upgrade/ta-p/111045

Re: Upgrading a stand alone PA-Firewall 3020 to a HA-Cluster

Mvdohe — Wed, 29 Aug 2018 14:13:00 GMT

Hi reaper,

thanks for your feedback, that helps me a lot.

Have a nice day!