REST API and HA

djr
L3 Networker

REST API and HA

If I use the REST API to pass user ID mappings from my RADIUS servers into the firewalls, what should I do when they are in an HA pair?

Because I don't necessarily know which will be the active one, should I just write to one and, if that fails, swap to the other (will work if they pass user info between them), or do I have to write all updates to both simultaneously to ensure that the active one has the data?

Thanks in advance

Oh, while I am in here, how can I see if it is working?  With the XML API to the server user id agent, there was a log I could query, but I can't see anything similar on the device.

Palo Alto Networks Guru

Re: REST API and HA

User-IP mappings are synchronized between two firewalls if in an HA pair. This needs to be done especially because if one firewall learns an IP address for a user via captive portal or XML-API, the information needs to be synchronized to the other device since the User-ID agent never gets it and can therefore never provide it in case of a failover. Therefore, as long as both devices are connected and syncing data, you can pick one and it will sync to the other. The best choice is to choose the Active-Primary device.
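
The write-to-one-peer-and-fall-back approach discussed above, as an added example that is not part of the original thread: it builds a PAN-OS XML API User-ID login message and tries each HA peer in order, failing loudly if neither accepts it. The host names, the API key and the `send` callable are assumptions for illustration.

```python
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr


def build_login_message(mappings, timeout_min=60):
    """Build a User-ID <uid-message> login update from (user, ip) pairs."""
    entries = "".join(
        # quoteattr escapes the values so a RADIUS user name cannot break the XML
        f"<entry name={quoteattr(user)} ip={quoteattr(ip)} "
        f"timeout={quoteattr(str(timeout_min))}/>"
        for user, ip in mappings
    )
    return ("<uid-message><version>1.0</version><type>update</type>"
            f"<payload><login>{entries}</login></payload></uid-message>")


def https_send(host, api_key, xml, timeout=5):
    """POST the message to one firewall; True only on status="success".

    The key goes in the POST body, not the URL, so it stays out of proxy and
    web logs. urllib verifies the firewall's TLS certificate by default.
    """
    body = urllib.parse.urlencode(
        {"type": "user-id", "key": api_key, "cmd": xml}).encode()
    with urllib.request.urlopen(f"https://{host}/api/", body, timeout=timeout) as resp:
        return ET.fromstring(resp.read()).get("status") == "success"


def push_mappings(peers, mappings, send):
    """Try each HA peer in order; return the host that accepted the update.

    `send(host, xml)` is an injected callable (assumption), for example
    lambda h, x: https_send(h, API_KEY, x). Raises if no peer accepts, so the
    caller can queue and retry instead of silently losing mappings.
    """
    xml = build_login_message(mappings)
    errors = {}
    for host in peers:
        try:
            if send(host, xml):
                return host
            errors[host] = "rejected"
        except OSError as exc:  # refused connection, timeout, TLS failure
            errors[host] = str(exc)
    raise RuntimeError(f"no HA peer accepted the update: {errors}")
```
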

djr
L3 Networker

Re: REST API and HA

Thanks jf, that is great. Do you happen to know how I can see if the XML interface is working, other than seeing users resolved in the traffic logs?
