Configuration Articles

This document describes how to enable and disable CCEAL4 mode on a Palo Alto Networks firewall with high availability, with minimum impact on the network. Before attempting this procedure, read the following article to understand the changes and impact of enabling FIPS/CCEAL4 mode: Changes that Occur if FIPS Mode is Enabled.

Preparation
1. Make sure you have physical access to the firewall and a console connection.
2. Change the configuration to fulfill the requirements in the above document, which will ensure you do not hit commit errors while loading the configuration:
   - Make sure the passwords meet the minimum length criteria.
   - Set up a lockout time for failed login attempts. On the GUI, go to Device > Setup > Management > Authentication Settings > Lockout Time (min).
   - Make sure supported cipher suites are used for IPSec VPNs and that all certificates were generated with a 2048-bit key size.
3. Enable HA on both HA peers and make sure they are talking to each other: How to enable encryption on HA1 in high availability configurations.
4. Take backups of the configuration and licenses from both Firewall1 and Firewall2 after making the above changes. On the GUI, give proper names to each file:
   - Device > Setup > Operations > Save Named Configuration Snapshot
   - Device > Setup > Operations > Export Named Configuration Snapshot
   - Device > Setup > Operations > Export Device State
   - Device > Support > Generate a Tech Support File, and then download it.
   This step is optional if the device is also managed from Panorama; in that case go to Panorama > Setup > Operations > Export Panorama and device config bundle.
5. Test the failover between the HA pair to make sure traffic is flowing fine via both firewalls.
6. Disable preemption in the High Availability settings to avoid any unnecessary failovers.
7. On the CLI, disable TCP-Reject-Non-SYN for the maintenance window. This is to allow successful failover of traffic between the firewalls once one is in FIPS mode and the other is not:
   > configure
   # set deviceconfig setting session tcp-reject-non-syn no
   # commit
8. Fail over all traffic to Firewall2 while setting Firewall1 in FIPS mode.

Steps to enable FIPS mode
1. Remove all HA and network cables on Firewall1 and follow the procedure in the following article to enable FIPS mode on Firewall1: How to Enable or Disable (Common Criteria) CCEAL4 Mode.
2. After you are able to log into Firewall1 via the GUI on 192.168.1.1, import Firewall1's exported candidate configuration into Firewall1 using the WebGUI: Device > Setup > Operations > Import Named Configuration Snapshot. Note: If the device is managed from Panorama, import the device state instead: Device > Setup > Operations > Import Device State.
3. Disable HA on Firewall1. Make sure you have a local admin account configured with a known password so that you can still manage the device after committing.
4. Export the HA encryption keys from Firewall1: Device > Certificate Management > Certificates > Export HA Key.
5. Commit the changes. If the commit goes through, connect the management port back to the network so that you can connect to the original management IP and regain access to the firewall.
6. After logging in again, update the licenses, the Content, Antivirus and URL databases to the required version, and update the WildFire package as well: Wildfire Configuration, Testing, and Monitoring.
7. Connect the network cables (no HA cables yet) on Firewall1, and disconnect the network cables on Firewall2 at the same time. Note: There will be an outage at this step, as this is a stateless failover to Firewall1.
8. Verify that traffic is passing through the firewall.
9. Repeat steps 1 to 8 for Firewall2. At this point both firewalls are in FIPS mode but acting as standalone units.
10. Now enable HA on both. Follow the article How to enable encryption on HA1 in high availability configurations to import the HA keys of Firewall2 into Firewall1 and vice versa.
11. Enable HA on both firewalls as before (encryption needs to be enabled). Leave preemption disabled for now. Commit the changes.
12. Connect the HA cables between Firewall1 and Firewall2 and let the HA state transition take effect.
13. Once HA is established, connect the network cables on Firewall2.
14. Test the failover by suspending Firewall1.
15. Enable preemption if required and make sure tcp-reject-non-syn is enabled again.

Note: Arrange downtime for the procedure, and contact support if you run into any issues.
abjain, 07-24-2018 09:31 AM
Overview
This document describes how to set up a replacement, from an RMA device, as a High Availability (HA) peer.

Steps

Gather backup configuration
1. Take a backup configuration of the faulty device: Go to Device > Setup > Operations > Configuration Management and click "Export device state." The device state contains the configuration for the device.
   Note: To take a backup of a device from Panorama, go to Panorama > Managed Devices and click "Manage…" under the Backups column for the appropriate device, or export the device state bundle to a computer using SCP or TFTP from the CLI:
   > scp export device-state device to username@serverip:/path/
2. For PA-7000 Series devices, note the output of the following command:
   > show session distribution policy
3. For all platforms, note the output of the following command:
   > show system setting jumbo-frame
4. Shut down the faulty unit using the command:
   > request shutdown system
5. Rack the new unit and connect to the unit's Management Interface.

Set up basic configuration on the new device
1. Transfer licenses. Refer to the following document: How to Transfer Licenses to a Spare Device.
2. (Optional) Set the operational mode to match that of the old firewall. A serial port connection is required for this task. Enter the following CLI command to access maintenance mode on the firewall:
   > debug system maintenance-mode
   To boot into the maintenance partition, enter maint during the boot sequence. Select the operational mode as "Set FIPS Mode" or "Set CCEAL4 Mode" from the main menu.
3. (Optional) Set the system settings to match the output from the commands in steps 2 and 3 in the previous section.

Configure management access to the replacement device
1. Access the console and log in using the default credentials: Username: admin, Password: admin.
2. Configure the management IP address, netmask and gateway, as well as the DNS and update servers, using the following CLI commands:
   > configure
   # set deviceconfig system ip-address <value> netmask <value> default-gateway <value>
   # set deviceconfig system dns-setting servers primary 4.2.2.2
   # set deviceconfig system update-server updates.paloaltonetworks.com
   # commit
   # exit
   Ping a domain to test, for example:
   > ping host paloaltonetworks.com
3. Obtain licenses from the license server. Go to Device > Licenses and click "Retrieve license keys from license server." Make sure you have a URL filtering license, that URL filtering is activated, and that the database has been successfully downloaded. Note: If a "Download Now" link is displayed, the database has not been downloaded.
4. Install the same GlobalProtect client and PAN-OS versions on the replacement device as on the existing HA peer:
   - Install the GlobalProtect client. Go to Device > GlobalProtect Client. Download and activate the appropriate version of the client.
   - Install PAN-OS. Go to Device > Software. Download and install the appropriate image. Reboot.
5. Make sure dynamic updates have the same version as the HA peer. If not, download and install the appropriate version: Device > Dynamic Update > Download > Install.
6. If the device is managed from Panorama, replace the old serial number with the new one:
   > replace device old <Old Serial #> new <New Serial #>

Restore the configuration
1. For multi-vsys enabled systems, first enable multi-vsys capability:
   > set system setting multi-vsys on
2. (Optional) Enable jumbo frames and the session distribution policy to match the old device:
   > set system setting jumbo-frame on   (reboot required to take effect)
   > set session distribution policy [ fixed | hash | ingress-slot | random | round-robin | session-load ]
3. Go to Device > Setup > Operations. Click "Import device state" and import the previously backed up configuration from the faulty device.
4. Commit once the import of the device state is complete.
5. Ensure the new device stays in a passive state to prevent its configuration being pushed to the active device. Either suspend the new unit from the CLI:
   > request high-availability state suspend
   or from the GUI go to Device > High Availability > Operations > Suspend local device, or make the following configuration change:
   - Go to Device > High Availability > General > Setup and uncheck the Enable Config Sync option.
   - Disable "Preemptive" under Election Settings.
   - Configure the device with the highest Device Priority value (255).
   - Perform a commit.
   Note: The device will not become active with this configuration. Refer to High Availability Synchronization.
6. Make sure the replacement device has the same configuration as the active device. Go to the Dashboard tab and check the High Availability widget. Note: If the High Availability widget is not displayed, click Widgets > System > High Availability. If the configurations are not the same, go to Device > High Availability and click "Push configuration to peer" from the active device.
7. Log into the active unit. Go to Device > Config Audit and run a config audit between "Running Config" and "Peer's Running Config." Make sure both are the same. In the case of any differences, manually configure the passive unit. A "Config Difference" can occur if a configuration backup was not taken for the faulty device, so the new device will not have the same configuration as the active unit. In this case, manual configuration is required.
8. Enable config sync (Device > High Availability > General > Setup) and preemptive (Device > High Availability > General > Election Settings) on the replacement device. Commit the changes.
9. After the commit, connect the remaining cables to the new device.

owner: hshah
hshah, 12-05-2017 06:07 AM
High Availability (HA) is a configuration in which two identical Palo Alto Networks firewalls are placed in a group and their configurations are synchronized to prevent a single point of failure on the assigned network. A heartbeat connection between the firewall peers ensures seamless failover in the event that a peer goes down. Setting up the firewalls in a two-device cluster provides redundancy and allows business continuity.

The following table provides a list of valuable resources on understanding and configuring High Availability:

Title | Description | Type

BASIC
Video Link: 1015 | Set up a basic HA configuration on two PA-4020's | Video
How to Configure High Availability on PAN-OS | How to Configure High Availability (HA) on a Pair of Identical Palo Alto Networks firewalls | Document
How to Configure a High Availability Replacement Device | How to Set up a Replacement (from an RMA device), as a High Availability (HA) Peer | Document
Can you have High availability (HA) Between Two(2) Different Firewall Platforms? | Palo Alto Networks Devices only Support High Availability between two Identical Devices | Document
How to Upgrade a High Availability (HA) Pair | Upgrade a HA Pair | Document
IPv6 Support for High Availability (HA) | IPv6 addressing for HA interface for PAN-OS 5.0 | Document
How to Change the HA Group ID | How to change the Group ID for a pair of Palo Alto Networks devices configured in HA | Document
2 HA Clusters of PAN Devices Have the Same Virtual MAC Address | Two Palo Alto Networks Devices from Different High Availability (HA) Clusters have the Same Virtual MAC Address | Document
High Availability Failover Optimization | Describes HA Timer Settings that are part of PAN-OS and Factors Required to Tune the HA Configuration | Document
Changing High Availability (HA) Heartbeat Interval | Change the Default Heartbeat Timer | Document
What is the Difference Between Auto and Shutdown Mode for Passive Link? | Auto and Shutdown Mode for Passive Link | Document

INTERMEDIATE
Secondary Device in High Availability Active/Active Pair is not Coming up | Secondary device in a High Availability Active/Active Pair is Showing a Non-Functional Status | Document
Panorama Commit Failed: High Availability Priority must be Specified | When Setting up Panorama High Availability the Commit Failed | Document
High Availability Synchronization | Tune the Palo Alto Networks firewall's HA Configuration More Effectively | Document
How to Migrate URL Database from BrightCloud to PAN-DB on HA Devices | How to Migrate the URL Database from BrightCloud to PAN-DB on a HA Pair of Palo Alto Networks Devices | Document
Can GP-100 Be Configured for High Availability Deployment? | GP-100 in High Availability (HA) Configuration | Document
(title not available: document 2067) | High Availability is Configured but Cannot be Enabled and the Dataplane Appears to be Down | Document
Mismatch URL Vendor on High Availability Pair | Failover is Due to the Mismatch of URL Vendor Between the HA Pair of Devices | Document
Active to Passive Configuration Sync Failing for High Availability | Active to Passive Configuration Synchronization is Failing Between the HA Pair of Palo Alto Networks Devices | Document
Layer 3 High Availability with Optimal Failover Times Best Practices | Layer 3 HA with Optimal Failover Times Best Practices | Document
How to Enable Encryption on HA1 in High Availability Configuration | How to Enable Encryption on HA1 Traffic Between Two Palo Alto Networks Firewalls | Document
A/P High Availability Not Syncing - SSL VPN Cert File - Processing Failed | HA-Sync Job on HA Peer Fails | Document
Which Ports Need to be Opened for PAN-OS in HA to Sync & Communicate? | Protocols and Ports that a High Availability Pair Will Use | Document

ADVANCED
Heartbeat Backup is Enabled on Both Devices but Status is Showing "Down" | Heartbeat backup enabled on two devices configured for HA but status on the WebGUI is showing 'down' | Document
DHCP Relay in an HA Active/Active Setup | DHCP Relay feature is used when the DHCP server is not in the same L2 broadcast domain as the DHCP client | Document
How to Configure Panorama/Log Collector Combination in HA Mode | How to configure a combination of Panorama and Log Collectors in HA mode | Document
How to Configure Ping Interval/Timeout Settings for HA Path Monitoring | Ping interval setting for path monitoring specifies the interval between pings that are sent to the destination address | Document
How to Recover HA Pair Member from the Suspended State | CLI command to make the suspended device available for the HA pair | Document
How to Control Failover on Active/Passive HA for Aggregate Interface | How to control failover on Active/Passive HA for aggregate interface | Document

DISCUSSION BOARDS
Panorama High availability | Recommendations for Configuring Hold Timers/Various Interval Settings | Board
High Availability Weirdness | Entries in the Logs on the (normally active) Device is Showing a Backwards View | Board
High Availability with Virtual Wires? | In HA do the virtual wires fail over? | Board
Virtual Routers as High Availability | Best way to configure systems to ensure the most availability of the routes | Board

owner: asimon
10-19-2017 02:59 AM
When deploying a Palo Alto Networks (PAN) HA pair in L3, there are some considerations that should be taken into account to achieve the most optimal failover time.

The Palo Alto firewall series supports an active/passive configuration of two devices. The active device continuously synchronizes its configuration and session information with the passive device over two dedicated interfaces and, in the event of a hardware or software disruption on the active firewall, the passive firewall becomes active automatically without loss of service. The time it takes for the surrounding devices to begin forwarding traffic to the new active unit is the bottleneck to achieving optimal failover times.

There are two areas of configuration that need to be considered when trying to achieve the shortest failover time in an L3 HA deployment: the PAN HA configuration and the adjacent switch configuration. Each of these is discussed below.

PAN HA configuration considerations

An important fact to consider in designing an HA architecture is that the traffic-handling links on the passive device default to a down state, and therefore upstream and downstream devices connected to the passive device will not see a valid path unless the passive PAN firewall becomes active. A configuration option was added in PAN-OS version 2.0.x to force the interfaces to always be up on the passive device. This option only takes effect if the interface(s) are L3. This capability means the adjacent device does not have to go through a port transition when there is a failover. This setting is configured under Device > High Availability > Election Settings. The Passive Link State defaults to shutdown and should be set to auto if the link status on the passive device should be forced up.

The other two considerations on the PAN firewall are the values configured for the Passive Hold Timer and the Hello Interval. These two settings are configured on the HA Election Settings page.

The Hello Interval is the time interval between heartbeat packets that are sent to verify that the opposing firewall is operational. The minimum value for the hello interval is 1000 milliseconds (1 second) on the PA-4000 Series, and 8000 milliseconds on the PA-2000 Series. Setting the value to the minimum is recommended to achieve optimal failover times. When 3 hello messages are lost, the adjacent firewall is declared to be down and the passive device will become active.

The Passive Hold Down Timer is the amount of time the passive device waits, once the active device is declared to be down (either because of a loss of heartbeat packets or a link or path monitoring failure), before switching to the Active state. Setting this value to 0 will trigger an immediate switchover when the failure is detected. The best practice is to set this value to a nominal value to introduce some delay so that the surrounding devices can stabilize after the state changes. Recommendations: on the PA-2000 Series, set the passive hold down timer to 2000 ms; on the PA-4000 Series, set the passive hold down timer to 0. This will achieve optimal failover time.

Note: In an L3 deployment the PAN device will issue a gratuitous ARP when a failover occurs; this will populate the surrounding devices' forwarding tables so that traffic will be forwarded to the newly activated device.

Implementing link monitoring is also a best practice when trying to optimize failover times. When this is configured, the loss of a physical link will trigger a switchover from active to passive. If an adjacent device goes down or there is a physical connection issue, the HA switchover will be immediate. The time the passive device takes to become active will depend upon the hold down timer value, as discussed above.

Switch configuration considerations

Assuming the PAN HA pair is being connected to a Layer 2 switch, there is one port-based setting that should be considered. Most Layer 2 switches have spanning tree enabled by default; this is to prevent loops from occurring due to cabling errors.

When spanning tree is enabled on a switch port, the port will not immediately start to forward data. It will instead go through a number of states while it determines the topology of the network. This can cause a delay of up to 30-50 seconds before traffic starts to be forwarded. This applies to the original Spanning Tree Protocol (STP) defined by IEEE 802.1D (see http://en.wikipedia.org/wiki/Spanning_tree_protocol for more details on the protocol and other references).

Some vendors have implemented proprietary extensions to STP to minimize the delay when a switch port becomes active. Cisco switches have a configuration option called PortFast. PortFast immediately transitions the port into STP forwarding mode upon link up. The port still participates in STP, so if the port is determined to be part of a loop, it will still transition into STP blocking mode (http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a008009482f.shtml#topic1). There is a newer IEEE standard (802.1w, Rapid Spanning Tree) that now includes protocol extensions such as PortFast. Switch vendors other than Cisco will have a similar configuration setting, and it is recommended that you contact your switch manufacturer on how to configure the equivalent.

Here is a configuration example from a Cisco 29xx switch with PortFast enabled on a port:
   interface FastEthernet0/16
    switchport access vlan 500
    spanning-tree portfast

The best practice is to enable PortFast or the equivalent on all switch interfaces that connect to the PAN firewalls in an HA configuration.

Summary

The best practice for achieving the optimal failover time for a PAN L3 HA pair is as follows:
1. Set the hold down timer to 0 ms on the PA-4000 and 2000 ms on the PA-2000 (under HA Election Settings).
2. Set the hello interval to 1000 ms on the PA-4000 and 8000 ms on the PA-2000 (under HA Election Settings).
3. Configure link monitoring (under HA configuration for interfaces).
4. Configure "PortFast" or the equivalent on the adjacent L2 switch ports that the PAN firewall is connected to.

owner: jnguyen
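As an added example (not Palo Alto Networks code), the checker below scores a planned HA election configuration against the guidance in this article and estimates the worst-case time for the passive unit to take over after a silent failure of the active unit. The platform minimums, the 3-hello loss threshold and the 30-50 s STP delay come from the text above; the port-transition cost applied when Passive Link State is left at shutdown is an assumed placeholder value.

```python
"""Best-practice check and failover-time estimate for a PAN L3 active/passive HA pair.

Added example, not PAN-OS code.  Numbers labelled 'from the article' are the ones
stated in the text; ASSUMED_PORT_TRANSITION_MS is an assumption, not a vendor figure.
"""
from dataclasses import dataclass

# From the article: per-platform minimum hello interval and recommended hold-down.
PLATFORM_GUIDANCE = {
    "PA-4000": {"min_hello_ms": 1000, "recommended_holddown_ms": 0},
    "PA-2000": {"min_hello_ms": 8000, "recommended_holddown_ms": 2000},
}
HELLO_LOSS_THRESHOLD = 3            # from the article: peer declared down after 3 lost hellos
STP_DELAY_MS = (30_000, 50_000)     # from the article: 802.1D listening/learning without PortFast
ASSUMED_PORT_TRANSITION_MS = 2_000  # assumption: link-up cost when passive links are 'shutdown'


@dataclass
class HaElectionSettings:
    platform: str                      # "PA-4000" or "PA-2000"
    hello_interval_ms: int
    passive_holddown_ms: int
    passive_link_state: str = "shutdown"   # 'auto' keeps the passive L3 links up
    link_monitoring: bool = False
    switch_portfast: bool = False          # PortFast (or equivalent) on adjacent switch ports


def check_best_practice(cfg: HaElectionSettings) -> list[str]:
    """Return findings where cfg deviates from the article's recommendations."""
    guide = PLATFORM_GUIDANCE[cfg.platform]
    findings = []
    if cfg.hello_interval_ms < guide["min_hello_ms"]:
        findings.append(f"hello interval {cfg.hello_interval_ms} ms is below the "
                        f"{cfg.platform} minimum of {guide['min_hello_ms']} ms")
    elif cfg.hello_interval_ms > guide["min_hello_ms"]:
        findings.append(f"hello interval should be the platform minimum "
                        f"({guide['min_hello_ms']} ms) for fastest detection")
    if cfg.passive_holddown_ms != guide["recommended_holddown_ms"]:
        findings.append(f"passive hold-down should be {guide['recommended_holddown_ms']} ms "
                        f"on {cfg.platform}, not {cfg.passive_holddown_ms} ms")
    if cfg.passive_link_state != "auto":
        findings.append("Passive Link State should be 'auto' so adjacent ports avoid a link transition")
    if not cfg.link_monitoring:
        findings.append("link monitoring is disabled; a dead adjacent link will not trigger failover")
    if not cfg.switch_portfast:
        findings.append("adjacent switch ports lack PortFast (or equivalent); expect 30-50 s STP delay")
    return findings


def failover_estimate_ms(cfg: HaElectionSettings) -> tuple[int, int]:
    """(best, worst) milliseconds until traffic flows through the passive unit
    after the active unit dies silently (detected only by heartbeat loss)."""
    detect_ms = HELLO_LOSS_THRESHOLD * cfg.hello_interval_ms
    low = high = detect_ms + cfg.passive_holddown_ms
    if cfg.passive_link_state != "auto":
        low += ASSUMED_PORT_TRANSITION_MS
        high += ASSUMED_PORT_TRANSITION_MS
    if not cfg.switch_portfast:
        low += STP_DELAY_MS[0]
        high += STP_DELAY_MS[1]
    return low, high


if __name__ == "__main__":
    tuned = HaElectionSettings("PA-4000", 1000, 0, "auto", True, True)
    untuned = HaElectionSettings("PA-2000", 8000, 2000)
    for cfg in (tuned, untuned):
        print(cfg.platform, failover_estimate_ms(cfg), check_best_practice(cfg))
```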
jnguyen, 08-29-2016 01:39 AM
Overview
This document describes how to enable encryption on HA1 traffic between two Palo Alto Networks firewalls.

Steps
Every Palo Alto Networks firewall has its own high-availability key that can be used to encrypt HA1 traffic. Before the encryption can be enabled, the key needs to be exported from PA1 and imported into PA2. The PA2 key also needs to be exported and imported into PA1. After the keys are imported, the final step is to have each firewall explicitly accept its peer's DSA key. This operation can only be done via the CLI.

1. Export the key on PA1. From the CLI:
   > scp export high-availability-key from HA-key-0009C100762 to user@server_ip:/directory
   From the GUI: (screenshot not reproduced here)
2. Import the key on PA2. From the CLI:
   > scp import high-availability-key from user@server_ip:/directory/HA-key-0009C100762
   From the GUI: (screenshot not reproduced here)
3. Repeat steps 1 and 2 above, but export the key from PA2 and import it into PA1.
4. Enable the encryption and perform a commit on both devices.
5. To finalize the RSA key exchange between the HA nodes, access the CLI on each node and SSH to the peer. When prompted to install the RSA token, type yes. For example (1.1.1.1 is the HA peer's MGT interface IP address):
   admin@PA-3050> ssh host 1.1.1.1
   The authenticity of host '1.1.1.1 (1.1.1.1)' can't be established.
   DSA key fingerprint is e9:de:76:fb:db:95:98:7d:c8:45:c4:83:dc:35:f1:2b.
   Are you sure you want to continue connecting (yes/no)? yes
   Warning: Permanently added '1.1.1.1' (DSA) to the list of known hosts.
   admin@1.1.1.1's password:

Additional info
If you have issues with the keys or simply want to renew them, use the following CLI command.
Note: Please be aware that this command will cause the firewall to reboot automatically.
   > debug system ssh-key-reset high-availability
   Executing this command will reset the high-availability SSH keys and reboot the system. Do you want to continue? (y or n)
   Broadcast message from root (Fri Mar 29 10:10:28 2013):
   The system is going down for reboot NOW!

owner: rvanderveken
rvanderveken, 06-13-2016 11:26 AM
The Palo Alto Networks PA-200 and VM-Series firewalls only support the HA Lite configuration, without session synchronization.

Follow these steps to configure HA Lite:
1. Configure an interface as the HA1 link. This step is optional; you can also use the management interface as HA1. Go to Network > Interfaces and select the available interface. Select the interface type 'HA.'
2. Go to Device > High Availability and select the interface.
3. Specify the IP address of the HA1 link. If the HA ports are directly connected, this IP address can be any arbitrary IP address; it just needs to be within the same subnet as the peer's HA1 control link IP address.
4. Enable HA from Setup.
5. Specify the peer HA1 IP address.
6. Specify a common Group ID on both units.
7. Specify the Device Priority. The device with the lower numerical value, and therefore higher priority, is designated as active and manages all traffic on the network.
ukhapre, 02-04-2016 03:22 PM
In an Active/Passive High Availability environment, if the preempt feature is configured, whichever device holds the lower HA priority value and is healthy enough to pass traffic will always move to the Active state.

What if both devices have the same priority? When both devices hold the same HA priority value, as a tie breaker PAN-OS considers the HA control link (HA1 link) MAC address to choose the Active device. The device that has the lower MAC address value and is able to pass traffic will take the Active role, and the other device will move to the Passive state.

Example
Device A and Device B are in Active/Passive HA. Both devices have an HA priority value of 100 with preempt configured, and Device A's HA control link MAC address value is lower than Device B's HA control link MAC address value.

Currently, Device A is in the Active state and Device B is in the Passive state. An HA failover is triggered: Device B becomes Active and Device A goes to the Passive state. If Device A is healthy after the failover event, once the preemption hold timer on Device A expires, Device A takes the Active role and Device B goes back to the Passive state.

If you prefer to keep one particular device in the Active state, reduce the priority value of that device.

Please follow the steps below to reduce the device priority.

From the GUI:
Go to Device tab > High Availability > General > Device Priority and commit the changes.

From the CLI:
   admin@Firewall(active)> configure
   Entering configuration mode
   [edit]
   admin@Firewall(active)# set deviceconfig high-availability group "value" election-option device-priority "value"
   admin@Firewall(active)# commit
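As an added example (not PAN-OS code), the model below implements the election rule described above and replays the Device A / Device B scenario: the healthy device with the lower priority value wins, a tie is broken by the lower HA1 MAC address, and with preemption off a healthy active device keeps its role. Device names and MAC addresses are constructed for the example.

```python
"""Active/passive election model for a two-node PAN-OS HA group.

Added example, not PAN-OS code.  Implements the rule from the article:
lowest Device Priority value wins among healthy devices; ties go to the lower
HA1 (control link) MAC address; without preemption the current active device
keeps the role as long as it is healthy.
"""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class HaDevice:
    name: str
    priority: int          # Device Priority: lower value = higher priority
    ha1_mac: str           # control link MAC, used only to break priority ties
    healthy: bool = True   # able to pass traffic (links/paths up)


def mac_as_int(mac: str) -> int:
    """Normalise 'aa:bb:cc:dd:ee:ff' or 'aa-bb-...' to an integer for comparison."""
    digits = mac.replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return int(digits, 16)


def elect_active(a: HaDevice, b: HaDevice,
                 current_active: Optional[str] = None,
                 preempt: bool = True) -> Optional[str]:
    """Name of the device that should be active, or None when neither is healthy."""
    candidates = [d for d in (a, b) if d.healthy]
    if not candidates:
        return None
    if len(candidates) == 1:
        return candidates[0].name            # only one device can pass traffic
    if not preempt and current_active in (a.name, b.name):
        return current_active                # no preemption: incumbent keeps the role
    # Preemption: lowest priority value wins; tie broken by lowest HA1 MAC.
    winner = min(candidates, key=lambda d: (d.priority, mac_as_int(d.ha1_mac)))
    return winner.name


def replay_article_scenario() -> list:
    """Replay the example: equal priorities, A has the lower HA1 MAC, A fails and recovers."""
    a = HaDevice("Device A", 100, "00:1b:17:00:00:10")   # constructed MAC
    b = HaDevice("Device B", 100, "00:1b:17:00:00:20")   # constructed MAC
    timeline = []
    timeline.append(("initial", elect_active(a, b)))
    a_down = replace(a, healthy=False)
    timeline.append(("A fails", elect_active(a_down, b, current_active="Device A")))
    # A is healthy again and its preemption hold timer has expired.
    timeline.append(("A recovers, preempt on", elect_active(a, b, current_active="Device B")))
    timeline.append(("A recovers, preempt off", elect_active(a, b, current_active="Device B", preempt=False)))
    # Operator lowers B's priority value to keep B active, as the article suggests.
    b_preferred = replace(b, priority=50)
    timeline.append(("B priority lowered to 50", elect_active(a, b_preferred, current_active="Device B")))
    return timeline


if __name__ == "__main__":
    for step, active in replay_article_scenario():
        print(f"{step:28s} -> active: {active}")
```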
rashobana, 01-31-2016 03:41 PM
Symptoms
In an active/passive high availability environment, during the HA failover, OSPF graceful restart is not working as expected, due to which the OSPF neighbor terminates the adjacency and initiates a new adjacency process after an HA failover event.

Diagnosis
In an active/passive environment, when customers use the OSPF protocol with the graceful restart feature enabled, during the high availability failover OSPF graceful restart directs OSPF neighbors to continue using routes through a device during a short transition when it is out of service. This increases network stability by reducing the frequency of routing table reconfiguration and the related route flapping that can occur during short periodic down times.

How graceful restart works
When the firewall is down for a short period of time or is unavailable for short intervals, it sends grace LSAs (LSA type 9) to its OSPF neighbors. Upon receiving the grace LSAs, the neighbor continues to forward routes through the firewall and to send LSAs that announce routes through the firewall. If the firewall resumes operation, or the passive device changes state to active, before expiration of the grace period or the neighbor's max restart time, traffic forwarding will continue as before without network disruption. If the firewall does not resume operation or there is an issue in the HA failover, then after the grace period or the neighbor's max restart time has expired, the neighbors will exit helper mode and resume normal operation, which will involve reconfiguring the routing table to bypass the firewall.

Here is a sample packet capture: (capture image not reproduced here)

Sometimes, even though OSPF graceful restart is configured on the Palo Alto Networks devices, during the HA failover users notice traffic disruption because no route is available to forward the traffic.

Solution
OSPF neighbors must be configured as graceful restart helpers. If the graceful helper is not configured on the neighboring devices, they will reject the grace LSA and it will not be processed.

In order to have OSPF graceful restart work correctly, enable graceful restart and graceful helper mode on both the local and the neighboring devices.

Please follow the steps below to configure graceful restart.

From the GUI: Go to Network. Select the appropriate virtual router. Enable OSPF. Choose Advanced, enable "Graceful Restart" and commit the changes.

From the CLI: Run these commands:
   admin@PA-Firewall> configure
   Entering configuration mode
   [edit]
   admin@PA-Firewall# set network virtual-router default protocol ospf graceful-restart enable yes
   admin@PA-Firewall# commit

When graceful helper mode is configured, if the OSPF neighbor is down for a short period of time or is unavailable for short intervals, the OSPF neighbor will send a grace LSA to the firewall. Upon receiving the grace LSA, the firewall enters helper mode and maintains the OSPF full state with the neighbor until the grace period or the neighbor's max restart time expires.

Please follow the steps below to configure graceful helper mode.

From the GUI: Go to Network. Select the appropriate virtual router. Enable OSPF. Choose Advanced and "Enable Helper Mode."

From the CLI:
   admin@PA-Firewall> configure
   Entering configuration mode
   [edit]
   admin@PA-Firewall# set network virtual-router default protocol ospf graceful-restart helper-enable yes
   admin@PA-Firewall# commit
rashobana, 01-22-2016 07:42 AM
This document provides information about link and path monitoring behaviour.

Link monitoring

Suppose we have only one entry in the Link Group. If the link monitoring has a failure condition of any and the Link Group has a group failure condition of all, then all is preferred, because whatever is configured in the Link Group takes precedence.

If we have more than one Link Group and the link monitoring has a failure condition of any, then if any of the link groups fails, a failover is triggered.

For example, say you have two link groups, each link group has two interfaces, and the failure condition of each link group is all:
   group1: ethernet1/1, ethernet1/2
   group2: ethernet1/3, ethernet1/4
If both interfaces ethernet1/1 and ethernet1/2 fail, then group1 fails and triggers a failover.

Path monitoring

Suppose we have only one entry in the Path Group. If the path monitoring has a failure condition of any and the Path Group has a group failure condition of all, then all is preferred, because whatever is configured in the Path Group takes precedence.

If we have more than one Path Group and the path monitoring has a failure condition of any, then if any of the path groups fails, a failover is triggered.

For example, we have two path groups, each path group has two IP addresses to track, and the failure condition of each path group is all. In one path group, if neither IP address is reachable, then that path group fails and triggers a failover.
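As an added example (not PAN-OS code), the model below applies the two-level rule described above for both link and path monitoring: each group's own failure condition (any/all) is evaluated over its members, and the monitoring-level condition is then applied across the groups, so a lone group's condition is what decides. The interface names are the ones from the article; the tracked IP addresses are constructed.

```python
"""Two-level failure evaluation for PAN-OS HA link and path monitoring.

Added example, not PAN-OS code.  A MonitorGroup models one Link Group or Path
Group; failover_triggered() applies the monitoring-level failure condition
across the groups, each of which first applies its own condition to its members.
"""
from dataclasses import dataclass
from typing import Iterable, List, Set

CONDITIONS = ("any", "all")


@dataclass
class MonitorGroup:
    name: str
    members: List[str]               # interface names (link) or tracked IPs (path)
    failure_condition: str = "any"   # 'any' or 'all' members must be down

    def __post_init__(self):
        if self.failure_condition not in CONDITIONS:
            raise ValueError(f"{self.name}: failure condition must be one of {CONDITIONS}")
        if not self.members:
            raise ValueError(f"{self.name}: a group needs at least one member")

    def failed(self, down: Set[str]) -> bool:
        """True when this group's own condition is met for the given down members."""
        states = [m in down for m in self.members]
        return all(states) if self.failure_condition == "all" else any(states)


def failed_groups(groups: Iterable[MonitorGroup], down: Set[str]) -> List[str]:
    """Names of the groups whose own failure condition is met (useful for an alert)."""
    return [g.name for g in groups if g.failed(down)]


def failover_triggered(groups: List[MonitorGroup], down: Set[str],
                       monitor_failure_condition: str = "any") -> bool:
    """Apply the monitoring-level condition across group results.

    With a single group this reduces to that group's own result, which is the
    'group condition takes precedence' behaviour the article describes."""
    if monitor_failure_condition not in CONDITIONS:
        raise ValueError(f"monitoring failure condition must be one of {CONDITIONS}")
    results = [g.failed(down) for g in groups]
    if not results:
        return False            # nothing monitored, nothing to trigger on
    return all(results) if monitor_failure_condition == "all" else any(results)


# Link-monitoring example from the article: two groups, each with condition 'all'.
LINK_GROUPS = [
    MonitorGroup("group1", ["ethernet1/1", "ethernet1/2"], "all"),
    MonitorGroup("group2", ["ethernet1/3", "ethernet1/4"], "all"),
]

# Path-monitoring example: two groups of two tracked IPs each (constructed addresses).
PATH_GROUPS = [
    MonitorGroup("path-a", ["203.0.113.1", "203.0.113.2"], "all"),
    MonitorGroup("path-b", ["198.51.100.1", "198.51.100.2"], "all"),
]

if __name__ == "__main__":
    for down in ({"ethernet1/1"}, {"ethernet1/1", "ethernet1/2"}, {"ethernet1/1", "ethernet1/3"}):
        print(sorted(down), "->", failed_groups(LINK_GROUPS, down),
              "failover:", failover_triggered(LINK_GROUPS, down))
```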
pankaku, 10-19-2015 05:26 PM
Overview
This document describes how to configure High Availability (HA) on a pair of identical Palo Alto Networks firewalls.
Note: This document does not address configuring HA for PA-200 devices.

Steps

Configure the First Device

1. Go to Network tab > Interfaces.
Notes: The HA links should look similar to the following screenshot. Confirm the planned HA links are up. Configure both interfaces to be Interface Type HA. Skip this step if configuring a pair of PA-3000, PA-4000 or PA-5000 Series devices; all other firewalls, including VM-Series, require specific ports to be configured as type HA.

2. Go to Device tab > High Availability > General.
Notes: Locate the Setup section and click on the gear cog to view/edit the settings. Enable HA. Enter a Group ID that matches on both members. Enter an IP address for the Peer's Control Link; this will be used in the next step. Enable Config Sync. The group (cluster) ID is used when creating the virtual MAC for Layer 3 interfaces; when more than one cluster is on the same Layer 2 network, the ID must be different on each cluster. The Peer HA IP Address (Control Link) can be any IP address that is not currently in use in the network. It is recommended to add a Backup Peer HA IP Address if there are enough free ports.

3. From the General tab, locate the Control Link section and click on Primary.
Notes: Choose the first HA interface to be used for the first device's Control Link. Enter an IP address that is on the same subnet as the Peer HA IP address configured in step 2. If the Control Link is not directly connected to the other firewall, you may want to enable encryption (AES-256). If the Control Link IPs are on separate broadcast domains, the gateway needs to be configured; otherwise it is not needed.

4. From the General tab, locate the Data Link section and click Primary.
Notes: Choose the other HA interface to be used for the Data Link. Configure the IP information for the Data Link. Ensure the Enabled box is checked. Transport methods:
- Ethernet: Use when the firewalls are connected back-to-back or through a switch (Ethertype 0x7261).
- IP: Use when Layer 3 transport is required (IP protocol number 99).
- UDP: Use to take advantage of the fact that the checksum is calculated on the entire packet rather than just the header, as in the IP option (UDP port 29281).

5. From the General tab, locate the Election Settings section and click the gear cog.
To specify one of the firewalls as active, enable Preemptive on both firewalls and set the Device Priority. The device with the lowest Device Priority value is the active device. To learn about all of the other settings here, click the ? in the top right corner for detailed explanations. When state synchronization is enabled, the session table, forwarding table, ARP table and VPN Security Associations (SAs) are copied from the active device to the passive device over HA2, so when the passive device takes over, existing sessions continue. If the devices have IP connectivity between the management IPs, it is recommended to enable the Heartbeat Backup, which sends pings over the management interface.

6. Commit the configuration. At this point, every Layer 3 interface gets a new (shared) MAC address, and multiple gratuitous ARPs are sent out of each Layer 3 interface informing the attached switches of the new IP/MAC combination. Confirm that HA is active on the local firewall: the firewall's status should show active and the other values should be unknown, as shown below. Go to the Dashboard tab and add the High Availability widget (Widgets > System > High Availability).

Configure the Peer Device

7. Refer to step 1 and ensure the Peer device has two HA links configured to communicate with the first device's HA links.

8. Go to the Setup section of the Peer device and enable HA (refer to step 2). Assign the same Group ID as on the other device. Enter the IP address assigned to the other firewall's Control Link. Enable Config Sync.

9. From the General tab, locate the Control Link section and click on Primary.
Note: If encryption is enabled on the First device, enable it here as well. Choose the first HA interface to be used for the Second device's Control Link. Enter an IP address that is on the same subnet as the Peer HA IP address configured in step 8.

10. From the General tab, locate the Data Link section and click on Primary. Choose the other HA interface to be used for the Data Link. Configure the IP information for the Data Link. Ensure the Enabled box is checked. Ensure the Transport drop-down matches the first device's configuration.

11. Replicate the Election Settings of the First device, with the exception of the Preemptive setting (for this configuration, Preemptive is off on the First device). Enable Preemptive and configure the Priority field; a higher number means lower priority.

12. Commit the changes on the Second device.

13. Go to the first device. Ensure it still shows as active and that it sees the peer device as passive.

14. Ensure all dynamic updates are synced. In this example Antivirus and GlobalProtect are not synced; update as needed so everything matches, as shown below.

15. Once everything matches on both devices, go to the active member's Dashboard tab and click Sync to peer. It should say "synchronization in progress". Go to the second (passive) device's CLI and check the HA sync process by running:
> show jobs all
In this example the first two attempts failed. Determine and fix the cause of the failure. To get more details on the failed job, run:
> show jobs id <id number of the HA-Sync job>
The first sync failure is ID 13. There is a security rule on the passive device named "Samir" that is causing the HA-Sync process to fail; the rule is a shared rule left over from a previous Panorama configuration. Delete the rule and run Sync to peer again from the Active device's Dashboard tab. The job finishes successfully this time: High Availability is configured.

16. Configure Link Monitoring and Path Monitoring (optional): Device tab > High Availability > Link and Path Monitoring tab. In this example all links are monitored, which means that if any link goes down on the active device a failover occurs. Path Monitoring is not configured in this example. Click the "?" button in the top right corner of the Link and Path Monitoring tab to read about Link Monitoring and Path Monitoring.

owner: jseals
panagent 09-14-2015 07:30 AM
Issue
Heartbeat backup is enabled on two devices configured for High Availability, but the status on the WebGUI dashboard is showing as "down".

Cause
This behavior may be seen if the peer IP is not included in the permit list on the Management Interface.

Resolution
Go to Device > Setup > Management > Management Interface Settings and, if a permit IP list is configured, add the peer IP used for heartbeat backup, as shown below.

owner: saryan
saryan 09-09-2015 01:24 AM
Palo Alto Networks firewalls can be configured to send SNMP messages based on the severity associated with an event, but not for specific events. Example of failover system messages: HA state changes are Informational severity events, so in order for those messages to be sent to the SNMP server, the firewall needs to be configured to forward Informational severity messages.
Note: This implies that all Informational messages will be sent to the SNMP server, not only the failover messages. It is up to the SNMP server to filter the messages and alert only when an HA state change has happened.

To enable SNMP forwarding of Informational messages, create an SNMP Trap server profile and use it under the system log settings, as shown below:
1. Create the SNMP Trap Server profile (Device > Server Profiles > SNMP Trap).
2. Configure log settings to use SNMP (Device > Log Settings > System).

owner: kprakash
kprakash 09-03-2015 04:04 AM
Overview
This document contains steps to configure a combination of Panorama and Log Collectors in High Availability mode.

Steps

On the primary Panorama (active):
1. Use the following CLI command to set the panorama-server, which should be the IP address of the secondary Panorama:
admin1# set deviceconfig system panorama-server <ip address of secondary panorama>
2. Commit the change.

On the secondary Panorama:
3. Use the following CLI command to set the panorama-server, which should be the IP address of the primary Panorama:
admin1# set deviceconfig system panorama-server <ip address of primary panorama>
4. Commit the change.

On the GUI of the primary Panorama:
5. Add the two log collectors and add the disks to each log collector.
6. Select the log collector which is in the secondary Panorama. In the General tab, put the primary Panorama IP address into the Panorama Server IP field and the secondary Panorama IP address into the Panorama Server IP 2 field. In the Management tab, put the secondary Panorama IP address/netmask/default gateway into the corresponding fields.
7. Create collector group(s) and add the log collectors to the group(s).
8. Commit the changes to Panorama and wait until the HA sync is done.
9. Push the configuration to the collector group(s).
10. In the High Availability settings, disable the primary Panorama so that the secondary Panorama becomes active.

On the GUI of the secondary Panorama:
11. Select the log collector in the primary Panorama. In the General tab, put the secondary Panorama IP address into the Panorama Server IP field and the primary Panorama IP address into the Panorama Server IP 2 field. In the Management tab, put the primary Panorama IP address/netmask/default gateway into the corresponding fields.
12. Commit the changes to Panorama and wait until the HA sync is done.
13. Push the configuration to the collector group(s).
14. Restore the Panorama HA to the desired state.

owner: mbutt
mbutt 10-16-2014 05:03 PM
Issue
In an active/active HA deployment with an aggregate interface (AE) as the HA3 link and a Cisco switch between the HA interfaces, the Palo Alto Networks firewalls will send traffic over all member interfaces of the aggregate interface (up to 8 interfaces). However, the Cisco switch will send traffic over only one physical link. This scenario causes link saturation in the transmit (TX) direction on the Cisco switch.

Cause
All traffic going over the aggregate HA3 link uses only one source MAC address and one destination MAC address. Because the Cisco switch does not support per-packet load balancing, it is impossible to load balance traffic over all physical interfaces (in the direction from the Cisco switch to the Palo Alto Networks firewall).

Resolution
Reconfigure the Cisco switch and put every member of the aggregate interface (up to 8) in a different VLAN. This allows the switch to distribute traffic over all aggregate member physical interfaces (TX direction on the Cisco switch).

owner: npoprzen
npoprzen 06-04-2014 07:12 AM
Details
A factory reset is to be performed on a Panorama-managed Palo Alto Networks firewall that is in a High Availability (HA) cluster. This document describes the steps to restore the firewall to its original configuration, managed by Panorama, without creating an outage.

Steps
1. Before the factory reset of the firewall, make sure that the peer has taken over the 'Active' role. This can be achieved by suspending the problematic firewall using the following command:
> request high-availability state suspend
2. After the factory reset, configure the management interface settings using the following commands:
> configure
# set deviceconfig system ip-address <ip address> netmask <netmask> default-gateway <default gateway> dns-setting servers primary <DNS ip address> service disable-https no disable-ssh no
# commit
3. Log into the firewall web UI and go to Device > Licensing. Then, update the licenses on the firewall.
4. Configure the HA settings under Device > High Availability. During the configuration, make sure that the device's priority is set higher than its peer's. Connect the HA cables (if disconnected) and commit the configuration. Allow the device to initialize and take the 'Passive' role, since it has a higher device priority.
[ Note: If the firewall's local configuration references an object or a template setting, such as a locally configured security policy referencing a log forwarding profile pushed from Panorama, or a locally configured log forwarding profile referencing a syslog server profile pushed from Panorama, then performing a commit on the device will throw a validation error like the one below. To avoid this, load the config on the local firewall but do not commit; then initiate a commit from Panorama for this device, as below. ]
5. Configure Panorama settings under Device > Setup > Management > Panorama Settings. Make sure that Panorama Policy and Objects, and Device and Network Templates, are enabled as shown below.
6. Commit the configuration and allow some time for Panorama to reconnect to the firewall on port 3978. This can be verified under Panorama > Managed Devices.
7. Once the device shows connected, push the Template and Device Group configuration to the 'Passive' firewall. Make sure to check Include Device and Network Templates. The configuration should get committed and be 'In sync' with Panorama, as shown below.
8. Once the firewall is 'In sync' with Panorama, synchronize the configuration from the active firewall to the passive firewall using the following command:
> request high-availability sync-to-remote running-config
Steps 7 and 8 ensure that the passive device ends up with a merged configuration (local + Panorama-pushed).
Note: The high-availability state between peers can be changed as desired.

owner: kadak
kadak 05-22-2014 04:31 PM
With a pair of Palo Alto Networks devices in an HA configuration, Link Duplex and Link Speed on an interface do not synchronize from the Active to the Passive device on a commit operation.

Details
The screenshot below shows the current state of the ethernet1/5 interface on the Active device:
The current state of ethernet1/5 on the Passive device is shown below:
On the Active device, the following changes are performed on ethernet1/5:
- Link Speed changed to 100
- Link Duplex changed to full
- Link State changed to up
The changes are committed and verified on the Active device. Configuration differences between the Active and Passive devices can be seen on the Config Audit page (Device > Config Audit) of the Active device. A comparison between the Running config and the Peer Running config shows that the Link Duplex and Link Speed on an interface do not sync to the passive device on a commit (see screenshot below).

owner: gcapuno
gcapuno 10-18-2013 01:17 AM
Overview
Yes, the HA3 interface in an HA (High Availability) Active/Active setup can be connected through a Layer 2 switch between the HA pair. However, a switch supporting jumbo frames is required.
Note: Jumbo frame support does not explicitly need to be enabled on the Palo Alto Networks firewall, as the HA3 interface supports jumbo frames independently of the system configuration.

Details
In a High Availability (HA) configuration, HA3 uses Layer 2 between the firewalls. The firewall adds 18 bytes to each frame. Without support for jumbo frames, network traffic with a frame size over 1514 bytes may be dropped by the switch and the traffic will fail. The 18 bytes of extra overhead consist of:
- 6 bytes for the destination MAC of the peer HA3 port
- 6 bytes for the source MAC of the HA3 port
- 2 bytes for the protocol number
- 4 bytes for an essential private field

owner: ppatel
ppatel 08-12-2013 01:26 PM
Issue
The active-to-passive configuration synchronization is failing between the HA pair of Palo Alto Networks devices.

Cause
The issue may be caused by a Jumbo Frame settings mismatch. On the passive firewall, check the status of the HA-Sync job:
> show jobs id 280
Enqueued ID Type Status Result Completed
--------------------------------------------------------------------------
2013/03/20 11:59:35 280 HA-Sync FIN FAIL 12:00:01
Warnings:
Details:device: device is not in jumbo-frame mode but interface ae1.518 mtu is greater than 1500
interface configuration error
Commit failed
The HA-Sync error message, as shown above, indicates the problem.

Resolution
Configure both the active and passive Palo Alto Networks firewalls with the Jumbo Frame setting enabled. For the example above, the passive firewall needs to have Jumbo Frame enabled: go to Device > Setup > Session and, in the Session Settings section, check the Enable Jumbo Frame option. A device reboot is required for the change to take effect.

owner: jlunario
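The show jobs output quoted above, and the "show jobs all" / "show jobs id" check used to chase a failed HA-Sync in the HA configuration article earlier on this page, can be screened automatically when you are watching a pair through the CLI. The following is an added example and is not part of either article or of PAN-OS: a small Python parser that reads a constructed sample modelled on the column layout shown above (Enqueued, ID, Type, Status, Result, Completed, followed by Warnings/Details lines), returns the failed HA-Sync jobs with their Details text, and maps the jumbo-frame message to the fix the article describes. The sample rows, the job IDs 280 and 281 and the helper names are all assumptions made for the example.

```python
import re
from typing import Dict, List

# Constructed sample, modelled on the "show jobs" layout quoted in the article
# (not captured from a real firewall). Job 280 is the jumbo-frame failure from
# the article; job 281 is an assumed later, successful sync.
SAMPLE_SHOW_JOBS = """\
Enqueued                 ID       Type   Status Result Completed
--------------------------------------------------------------------------
2013/03/20 11:59:35     280    HA-Sync      FIN   FAIL  12:00:01
Warnings:
Details:device: device is not in jumbo-frame mode but interface ae1.518 mtu is greater than 1500
interface configuration error
Commit failed

2013/03/20 12:10:02     281    HA-Sync      FIN     OK  12:10:40
Warnings:
Details:configuration is sync
"""

# One job row: enqueue timestamp, numeric ID, then four whitespace-free columns.
JOB_ROW = re.compile(
    r"^(?P<enqueued>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<id>\d+)\s+(?P<type>\S+)\s+(?P<status>\S+)\s+"
    r"(?P<result>\S+)\s+(?P<completed>\S+)\s*$"
)


def parse_jobs(text: str) -> List[Dict[str, str]]:
    """Parse show-jobs style output into a list of job dicts.

    Lines that follow a job row (Warnings:/Details: and their continuation
    lines) are attached to that job as a single 'details' string until the
    next job row starts.
    """
    jobs: List[Dict[str, str]] = []
    current = None
    detail_lines: List[str] = []
    for line in text.splitlines():
        m = JOB_ROW.match(line)
        if m:
            if current is not None:
                current["details"] = " ".join(detail_lines)
            current = m.groupdict()
            detail_lines = []
            jobs.append(current)
            continue
        if current is None or not line.strip():
            continue  # header, separator or blank line
        if line.startswith("Warnings:"):
            continue  # label only; any warning text follows on later lines
        if line.startswith("Details:"):
            line = line[len("Details:"):]
        detail_lines.append(line.strip())
    if current is not None:
        current["details"] = " ".join(detail_lines)
    return jobs


def failed_ha_sync(jobs: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return only HA-Sync jobs whose Result column is FAIL."""
    return [j for j in jobs if j["type"] == "HA-Sync" and j["result"] == "FAIL"]


def suggest_fix(job: Dict[str, str]) -> str:
    """Map a failed job's Details text to the remediation the article gives.

    Only the jumbo-frame mismatch is recognised; anything else is left for a
    manual look at 'show jobs id <id>'.
    """
    if job["result"] != "FAIL":
        return "No failure to fix"
    if "jumbo-frame" in job["details"]:
        return ("Jumbo Frame mismatch: enable Jumbo Frame on the failing peer "
                "(Device > Setup > Session) and reboot it")
    return "Unrecognised failure; inspect with: show jobs id " + job["id"]


if __name__ == "__main__":
    for job in failed_ha_sync(parse_jobs(SAMPLE_SHOW_JOBS)):
        print(f"job {job['id']} ({job['enqueued']}): {job['details']}")
        print("  -> " + suggest_fix(job))
```

In use you would feed the function the text captured from the passive device's CLI instead of the constructed sample; the parser deliberately keys on the column layout rather than on exact spacing, so the wider or narrower padding a real session prints does not matter.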
pagmitian 03-25-2013 10:42 PM
Issue
High Availability (HA) config sync will synchronize the running configuration, but the actual HA settings are not synchronized. If using HA Path Monitoring, the options are to add a Virtual Wire, VLAN or Virtual Router that will be monitored. When you change the name of a Virtual Router used by the HA Path Monitoring setting on the active device, the Virtual Router change on the device is made, but the HA Path Monitoring will still reference the old Virtual Router name.

Resolution
To fix this sync issue:
1. On the passive device, go to Device > High Availability > Link and Path Monitoring.
2. Change the Virtual Router name to the new name. It will be available from a drop-down list of all Virtual Routers.
3. Commit the change and wait for the commit to finish.
4. On the active device, sync the configuration manually or wait for the sync settings to sync automatically. To do a configuration sync:
- On the Dashboard, in the High Availability widget, click the Sync Config link
- In the CLI, enter the command:
> request high-availability sync-to-remote running-config

owner: gwesson
gwesson 09-13-2012 04:02 PM
Steps
To create a backup to the HA link:
1. Select an available data port and change its type to HA.
2. Go to Device > High Availability > Control Link and configure the backup port.
The same procedure can be used to configure a backup to the HA2 port.

owner: sdarapuneni
zarina 08-10-2012 10:09 AM
Palo Alto Networks Tech Support recommends disabling the State Synchronization feature on the active device first, and then disabling this feature on the passive device. If you disable this feature on the passive device first, it will cause the active device to become non-functional and initiate a failover.

owner: panagent
panagent 01-13-2012 10:08 AM
This document gives step-by-step instructions for configuring and testing OSPF using Palo Alto Networks devices in both an Active/Passive and an Active/Active scenario. The configuration examples were performed on devices running PAN-OS 4.0. For a similar tech note on BGP, look here: Tech Note: How to Configure BGP

owner: tlozano
Teresa 10-17-2011 01:52 PM
Overview
Depending on the network design, it may be necessary to change the default heartbeat timer.

Details
A "heartbeat-interval" CLI command was added to the election settings for HA. This interval has a 1000 ms minimum on all Palo Alto Networks platforms and is an ICMP ping to the other device through the HA control link. The peer kernel responds directly to the ICMP ping and is not subject to the possibility of scarce resources slowing the hello protocol. The default value of the heartbeat interval is 1000 ms; however, for various reasons it is possible to change this value.

PAN-OS 5.0
> configure
# set deviceconfig high-availability group <1 - 254> election-option heartbeat-interval <1000 - 60000>
# commit

PAN-OS 6.0, 6.1 and 7.0
> configure
# set deviceconfig high-availability group 3 election-option timers advanced heartbeat-interval <1000 - 60000>
# commit

See Also
High Availability Failover Optimization
What are the HA heartbeat and hello messages?

owner: mdjeric
nrice 05-10-2010 03:11 PM