Moving from a single PA500 to HA pair of PA820

L6 Presenter

Re: Moving from a single PA500 to HA pair of PA820

1) No benefits; I know it only adds complexity, though I have never done it before. Only useful as a temporary fix while you are dealing with the asymmetric routing on the network.

2) Keys and certs will be migrated (keys are encrypted with the master key on the Palo).

L4 Transporter

Re: Moving from a single PA500 to HA pair of PA820

@CTaveras Just be aware that PAN-OS 8.0.x is the minimum OS version for the new platforms 220, 800 series and 5200 series.

Other than that, I agree with some of the other comments such as:

1. Be aware of potential proxy ARP configuration on upstream routers. It may break the NAT functionality. If you have static or proxy ARP on upstream routers, make sure to remove it before you start testing, especially the NAT rules.

2. Make sure to configure the Active/Passive Settings as Auto instead of Shutdown. The reason is that in the Shutdown state, upstream and downstream devices connected to the passive device will not see a valid path until the passive firewall becomes active. That may be a little frustrating because the failover may be delayed a few seconds longer, which may be unacceptable for some businesses.

3. Also be aware of the preemption feature. If your firewalls are connected to two different ISPs and both have different bandwidths, typically you want the firewall connected to the higher-bandwidth link to always be the Active firewall in the HA pair. In this case you may want to enable the preemption feature and configure a timer on it.

For more advice on HA optimization and configuration, please refer to the following document:

https://live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/documentation_tkb/543/2/HA_Failo...

I hope this helps.

L1 Bithead

Re: Moving from a single PA500 to HA pair of PA820

We will def have 2 ISPs, but using both simultaneously.

Someone mentioned something about Virtual MAC when in HA... I assume that was for the External interface?

What about the Trusted port? Does that also get a Virtual MAC?

L4 Transporter

Re: Moving from a single PA500 to HA pair of PA820

@CTaveras If you want to utilize both links simultaneously, one of the options you have available is to enable the ECMP feature. https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Implement-ECMP-Load-Balancing-on-... ECMP allows you to specify up to 4 route paths with the same cost (metric) while applying load-balancing algorithms such as Round Robin for load distribution.

L1 Bithead

Re: Moving from a single PA500 to HA pair of PA820

@Willian I notice that although I set the Passive link state on the Active FW to Auto, the Passive has not sync'd this change.

Is this expected behavior, or does the passive device also need this setting? I read the doc you linked and it doesn't mention anything about the passive device.
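The three HA points raised in this thread (passive link state left on Shutdown, preemption, and a change on the active member not reaching the passive peer) can be audited from the API output of `show high-availability all`. The script below is an added example, not from the thread or from Palo Alto Networks; the XML element paths it reads are assumptions modelled on that command's output, and the sample reply is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like the PAN-OS API reply to the operational
# command `show high-availability all`; the element paths are assumptions,
# so verify them against your own firewall's output before relying on this.
SAMPLE_HA_XML = """<response status="success"><result>
  <enabled>yes</enabled>
  <group>
    <local-info>
      <preemptive>yes</preemptive>
      <active-passive><passive-link-state>shutdown</passive-link-state></active-passive>
    </local-info>
    <peer-info>
      <conn-status>up</conn-status>
      <preemptive>no</preemptive>
    </peer-info>
    <running-sync>not synchronized</running-sync>
    <running-sync-enabled>yes</running-sync-enabled>
  </group>
</result></response>"""


def audit_ha(xml_text):
    """Return a list of findings against the thread's advice; empty means OK."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        return ["API call did not succeed"]
    group = root.find("./result/group")
    if root.findtext("./result/enabled") != "yes" or group is None:
        return ["HA is not enabled on this device"]

    def txt(path):  # lower-cased text of a child element, "" if absent
        return (group.findtext(path) or "").strip().lower()

    findings = []
    # "auto" keeps the passive member's links up so neighbours already see a
    # path before failover; "shutdown" adds seconds to every failover.
    if txt("local-info/active-passive/passive-link-state") != "auto":
        findings.append("passive-link-state is not 'auto' (slower failover)")
    # Preemption must match on both peers, or the election is lopsided.
    if txt("local-info/preemptive") != txt("peer-info/preemptive"):
        findings.append("preemptive setting differs between local and peer")
    # A change committed on the active member only reaches the peer when the
    # HA link is up and running-config sync is enabled and has completed.
    if txt("peer-info/conn-status") != "up":
        findings.append("HA peer connection is not up")
    elif txt("running-sync-enabled") != "yes":
        findings.append("running-config sync is disabled")
    elif txt("running-sync") != "synchronized":
        findings.append("running config not synchronized with peer")
    return findings
```

Run it against the XML returned by your own firewall's API (`type=op`) for each member of the pair; a finding on the active member about sync is the first thing to check when the passive peer has not picked up a change.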

L6 Presenter

Re: Moving from a single PA500 to HA pair of PA820
