topic Re: IP for Cluster HA Active Pasive in General Topics

IP for Cluster HA Active Pasive

Alpalo — Wed, 15 Sep 2021 10:19:42 GMT

Hello,

We have a 3200 series HA cluster active/passive version 9.1.10.

The requirement is to access through a single ip always to the active node.

That is, I have an IP for the active node and another for the passive node but I want to configure a single IP to access the active node either one or the other.

Can anyone help me to configure it? How do I have to do it?

Re: IP for Cluster HA Active Pasive

PavelK — Wed, 15 Sep 2021 13:21:10 GMT

Thank you @Alpalo for posting question.

To my knowledge this is not possible. Management interface is configured individually on each firewall and is not part of HA. Here is the list of items that are not HA synchronized, management interface is on the top of the list: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/high-availability/reference-ha-synchronization/what-settings-dont-sync-in-activepassive-ha.html

I know that some Firewalls for example Cisco ASA has management interface to be part of HA, then when there is a failover the management interface is also changed, however PA does not have this implementation. Can I ask for the reason why this is required?

Thank you & Regards

Pavel

Re: IP for Cluster HA Active Pasive

batd2 — Wed, 15 Sep 2021 13:22:36 GMT

@Alpalo I presume you are referring to the firewall's managed IP address. If this is the case, the management IP need to be unique on each node.

You have two possible solutions for you task:

1. Enable firewall management on one of the data interfaces, e.g. ethernet 1/1. You can achieve this by applying interface management profile to it and enable ssh and https. It may also need security policies configuration . This will ensure management connections only to the active HA member.

2. The other more complex option will be to use some 3rd party load balancer appliance, which can detect the primary member through API calls and sent management traffic to it.