Upgrading a stand alone PA-Firewall 3020 to a HA-Cluster


Hello everybody,

 

Is there any article or best-practice document that describes the configuration of a Palo Alto 3020 firewall HA cluster (active/passive) when there is already a working stand-alone PA 3020 firewall?

 

Is it the same way I configure a HA-Cluster out of the box? 

https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/high-availability/set-up-activepassi...

 

Which parts of the config get synced to the peer, and which have to be preconfigured on the secondary node?

Something I should pay attention to?

 

Thanks for your support!

 

Kind regards


Accepted Solutions

When you commit the HA config, the MAC addresses will change; your routers and switches will benefit most from clearing the cache/reviewing static entries.

Hosts will typically ask for MAC information and won't be impacted as much.

 

The secondary firewall needs to be configured with a management interface and matching HA config.

It will also need to be set to the identical software version and ideally (optional but strongly recommended) the same content/threat/AV/URL filtering versions.

After HA is established, the primary member can copy over almost all of the config (sync to peer).

 

Here you can find what is and isn't synced:  https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/high-availability/reference-ha-synch...

 

(So, in short, you will still need to configure 'system-specific' settings like DNS, NTP, licensing, content update schedules and HA parameters.)

 

There is a best-practices space that addresses all sorts of deployments: https://www.paloaltonetworks.com/documentation/best-practices

And there is a best-practices article on how to upgrade a firewall/cluster: https://live.paloaltonetworks.com/t5/Featured-Articles/Best-Practices-for-PAN-OS-Upgrade/ta-p/111045

 

 

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

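A pre-flight check for the version-matching step in the accepted answer, added here as an example; it is not code from the original thread or from Palo Alto Networks. It takes the XML that the PAN-OS XML API returns for the operational command show system info (type=op, cmd=<show><system><info></info></system></show>) from both firewalls and lists every version field that differs, so you know before enabling HA and running sync to peer whether the secondary still needs a PAN-OS upgrade or a content update. The two responses embedded below are constructed samples: the element names are those of the show system info XML output, but the hostnames, addresses and version strings are made up. fetch_system_info() is the only part that talks to a firewall and is not exercised by the samples.

```python
"""Compare PAN-OS software and content versions on two firewalls before
joining them in an HA pair.

Added example; not code from the original thread or from Palo Alto Networks.
Input is the XML returned by the PAN-OS XML API for `show system info`.
The element names (sw-version, app-version, ...) follow that output; the
sample responses at the bottom are constructed, with made-up hostnames,
addresses and version strings.
"""
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# HA will not form cleanly across PAN-OS versions, so this one is mandatory.
REQUIRED_FIELDS = ("sw-version",)
# Content versions should match too (strongly recommended, not enforced by HA).
RECOMMENDED_FIELDS = (
    "app-version",
    "threat-version",
    "av-version",
    "wildfire-version",
    "url-filtering-version",
)


def fetch_system_info(host, api_key, timeout=15):
    """Run `show system info` on one firewall through the XML API.

    The management interface usually presents a self-signed certificate;
    install its CA in the trust store rather than disabling verification.
    """
    query = urllib.parse.urlencode({
        "type": "op",
        "cmd": "<show><system><info></info></system></show>",
        "key": api_key,
    })
    url = "https://%s/api/?%s" % (host, query)
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def parse_system_info(xml_text):
    """Return {element-name: text} for the <system> block of the response."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise ValueError("API call failed, status=%r" % root.get("status"))
    system = root.find("./result/system")
    if system is None:
        raise ValueError("no <result><system> element in response")
    return {child.tag: (child.text or "").strip() for child in system}


def compare_peers(primary_xml, secondary_xml):
    """Return version mismatches between the two firewalls.

    Result shape: {"required": {field: (primary, secondary)},
                   "recommended": {field: (primary, secondary)}}
    Empty dicts mean the peers match for that group.
    """
    primary = parse_system_info(primary_xml)
    secondary = parse_system_info(secondary_xml)
    mismatches = {"required": {}, "recommended": {}}
    for group, fields in (("required", REQUIRED_FIELDS),
                          ("recommended", RECOMMENDED_FIELDS)):
        for field in fields:
            a, b = primary.get(field), secondary.get(field)
            if a != b:
                mismatches[group][field] = (a, b)
    return mismatches


def ready_for_ha(primary_xml, secondary_xml):
    """True when nothing in REQUIRED_FIELDS differs between the peers."""
    return not compare_peers(primary_xml, secondary_xml)["required"]


# Constructed sample responses (not real firewall output).
def _sample(hostname, ip, sw, app, threat, av, wildfire, url):
    return (
        '<response status="success"><result><system>'
        "<hostname>%s</hostname><ip-address>%s</ip-address><model>PA-3020</model>"
        "<sw-version>%s</sw-version><app-version>%s</app-version>"
        "<threat-version>%s</threat-version><av-version>%s</av-version>"
        "<wildfire-version>%s</wildfire-version>"
        "<url-filtering-version>%s</url-filtering-version>"
        "</system></result></response>"
    ) % (hostname, ip, sw, app, threat, av, wildfire, url)


PRIMARY_XML = _sample("fw-a", "192.0.2.10", "8.0.6", "8012-4602", "8012-4602",
                      "2450-2936", "215345-217935", "20171116.20135")
# Same PAN-OS, older threat/AV content: HA will form, but update content first.
SECONDARY_XML = _sample("fw-b", "192.0.2.11", "8.0.6", "8012-4602", "8009-4588",
                        "2447-2931", "215345-217935", "20171116.20135")
# Older PAN-OS: upgrade the secondary before enabling HA at all.
OLD_SECONDARY_XML = _sample("fw-b", "192.0.2.11", "8.0.4", "8012-4602", "8012-4602",
                            "2450-2936", "215345-217935", "20171116.20135")


if __name__ == "__main__":
    for name, secondary in (("fw-b", SECONDARY_XML), ("fw-b (old)", OLD_SECONDARY_XML)):
        diff = compare_peers(PRIMARY_XML, secondary)
        print("%s ready for HA: %s" % (name, ready_for_ha(PRIMARY_XML, secondary)))
        for group in ("required", "recommended"):
            for field, (a, b) in diff[group].items():
                print("  %s: %s primary=%s secondary=%s" % (group, field, a, b))
```

Replace the two constructed samples with fetch_system_info(host, api_key) against each management IP to run it for real; a non-empty "required" entry means stop and upgrade the secondary, a non-empty "recommended" entry means install the matching content packages before you enable HA so the first sync does not run against different threat/AV databases.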


Hello,

The process is the same. The way I have done it in the past was to set up the 'active' one first; in your case it would be the one that is already deployed. I would then also set its 'priority' to something like 10 so it'll negotiate as the 'active'. Then I would set up the 'passive' device per the documentation.

 

https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/high-availability/set-up-activepassi...

 

Hope that helps!

Even though it is very easy to change your deployment from standalone to HA, there is one giant caveat: the firewall's MAC addresses will change to shared MACs, so you will need to flush your ARP/MAC tables on all connected devices.

 

Other than that, it's a walk in the park 😉

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Thanks for your answer!

At which step do you flush the ARP tables? After setup of the HA cluster?

What does "any connected device" mean? Any virtual machine, for example?

 

And which parameters have to be preconfigured on the secondary firewall (mgmt. IP, DNS, HA config, interfaces, virtual router, ...) and which parameters will be synced to the peer by setting up the active/passive HA cluster?

Is there any best-practice paper or knowledge base article?

 

Thanks for your support!

 

 


Hi reaper,

 

thanks for your feedback, that helps me a lot.

 

Have a nice day!
