Moving from a single PA500 to HA pair of PA820

Reply
L1 Bithead

Moving from a single PA500 to HA pair of PA820

As the subject states we are single PA500 shop now moving to Dual PA820 in HA.

What can I expect when moving to this type of setup coming from a single FW setup.

Is there anything I need to look out for any "Gotchas"? So far I know I am using 5 copper ports on the PA500 and the PA820 only has 4 so I know I will need a module.  Can anyone think of anything else I may encounter, anything related to Policies, Objects, VPN config anything that you guys can think of.

Tags (4)
Highlighted
L7 Applicator

Re: Moving from a single PA500 to HA pair of PA820

@CTaveras,

I assume that you are going to run in an Active/Passive setup. Not much really changes and there are not really any additional steps that you have to do to keep things working correctly. As far as VPN goes GP clients usually transfer over during a failover even fine, where IPSec site-to-site tunnels that I have generally need a few minutes to re-key with the other unit to start passing traffic again. 

L1 Bithead

Re: Moving from a single PA500 to HA pair of PA820

@BPry

Thank you very much for the response, how does HA handle user traffic passing out if one of the firewalls dies,

Do I need to flush arp anywhere or do they keep session tables to some degree?

L4 Transporter

Re: Moving from a single PA500 to HA pair of PA820

For IP addresses configured on interfaces, you shouldn't need to clear arp due to the firewall performaing gratuitous arp after an HA event. 

Gratuitous arp is not done for NAT addresses so you might need to clear on external routers if you are doing NAT.

 

 

L6 Presenter

Re: Moving from a single PA500 to HA pair of PA820

@rmfalconer Hi,

 

If the Palo has DNAT configured on the external interface for let's say an external range of IPs, it will not send a GARP after failover?

Community Manager

Re: Moving from a single PA500 to HA pair of PA820

@rmfalconer: the PA does proxy arp for IP addresses used in NAT policies

The HA cluster uses a virtual MAC address which is moved over to the active member if there is a failover event, so the GARP will trigger any switches to learn where the MAC is located and any upstream devices will already have a mapping for the NAT addresses to the virtual MAC. if an IP is not known yet, the active member (wether primary or secondary) will simply proxy arp for the IP using the virtual cluster MAC

 

@CTaveras: the HA cluster (via the HA2 interface) shares all information regarding active sessions (tcp sequence, NAT, QoS, content scanning status,...) , so if there is a failover event all sessions are immediately 'active' on the secondary firewall and can continue as if nothing happened


Help the community: Like helpful comments and mark solutions
Reaper out
L6 Presenter

Re: Moving from a single PA500 to HA pair of PA820

Ok so floating MAC address shared between the HA members. All ARP requests for any DNAT IP address that Palo owns will be replied by an active member with its floating MAC address? 

 

 

Community Manager

Re: Moving from a single PA500 to HA pair of PA820

correct

 

- a HA cluster switches to a floating MAC on all interfaces (based on the cluster ID)

- upon HA failover GARP is sent out for all interfaces

- PA performs proxy ARP for any IP used in NAT policies (in case of HA, the floating MAC is shared)

 

 

 

so normally all connected devices will automatically switch everything over to the active HA peer


Help the community: Like helpful comments and mark solutions
Reaper out
L6 Presenter

Re: Moving from a single PA500 to HA pair of PA820

Such a clear answer! Thanks as always

L1 Bithead

Re: Moving from a single PA500 to HA pair of PA820

First thank you all for the info/Insight great info!!

 

A few more quetions

 

1.  Any benefit going Active/Active over Active Passive, Pros and cons?

2.  We have the public and private keys of a trusted Certificate Authority imported into the firewall such that the firewall can issue certificates as that CA.  I’m assuming exporting and importing the config won’t also migrate over certificate information such that we would have redo those configurations on the new firewall.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!