Upgrading a stand alone PA-Firewall 3020 to a HA-Cluster

L1 Bithead

Upgrading a stand alone PA-Firewall 3020 to a HA-Cluster

Hello everybody,

 

Is there any article or best practice document which describes the configuration of a Palo Alto 3020 Firewall HA-Cluster (active/passive) when there is already a working stand-alone PA 3020 Firewall?

 

Is it the same way I configure a HA-Cluster out of the box?

https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/high-availability/set-up-activepassi...

 

Which parts of the config get synced to the peer, and which have to be preconfigured on the secondary node?

Something I should pay attention to?

 

Thanks for your support!

 

Kind regards

L7 Applicator

Re: Upgrading a stand alone PA-Firewall 3020 to a HA-Cluster

Hello,

The process is the same. The way I have done it in the past was to set up the 'active' one first, in your case it would be the one that is already deployed. I would then also set its 'priority' to something like 10 so it'll negotiate as the 'active'. Then I would set up the 'passive' device per the documentation.

 

https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/high-availability/set-up-activepassi...

 

Hope that helps!

Community Manager

Re: Upgrading a stand alone PA-Firewall 3020 to a HA-Cluster

Even though it is very easy to change your deployment from standalone to HA, there is one giant caveat: the firewall's MAC addresses will change into shared MACs, so you will need to flush your ARP/MAC tables on all connected devices.

 

Other than that, a walk in the park ;)


Help the community: Like helpful comments and mark solutions
Reaper out
L1 Bithead

Re: Upgrading a stand alone PA-Firewall 3020 to a HA-Cluster

Thanks for your answer!

At which step do you flush the ARP tables? After setup of the HA-Cluster?

What does "any connected device" mean? Any virtual machine, e.g.?

 

And which parameters have to be preconfigured on the secondary firewall (mgmt. IP, DNS, HA config, interfaces, virtual router, ...) and which parameters will be synced to the peer by setting up the active/passive HA-Cluster?

Is there any best practice paper or knowledge base article?

 

Thanks for your support!

 

 

Community Manager

Re: Upgrading a stand alone PA-Firewall 3020 to a HA-Cluster

When you commit the HA config the MAC addresses will change; your routers and switches will benefit most from clearing the cache/reviewing static entries.

Hosts will typically ask for MAC information and won't be impacted as much.

 

The secondary firewall needs to be configured with a management interface and matching HA config.

It will also need to be set to the identical software version and ideally (optional but strongly recommended) the same content/threat/AV/URL filtering versions.

After the HA is established, the primary member can copy over almost all config (sync to peer).

 

Here you can find what is and isn't synced: https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/high-availability/reference-ha-synch...

 

(So in short, you will still need to configure 'system specific' settings like DNS, NTP, licensing, content update schedules and HA parameters.)

 

There is a best practices space that addresses all sorts of deployments: https://www.paloaltonetworks.com/documentation/best-practices

And there is a best practice on how to upgrade a firewall/cluster: https://live.paloaltonetworks.com/t5/Featured-Articles/Best-Practices-for-PAN-OS-Upgrade/ta-p/111045

Help the community: Like helpful comments and mark solutions
Reaper out
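A host-side check for the MAC-change caveat discussed above, added here as an example and not taken from the thread: it parses two constructed `ip neigh show` snapshots from a Linux host (taken before and after the HA commit), reports which IPs now resolve to a different MAC, and emits a flush command for firewall addresses that are still cached with the pre-HA MAC. The IPs and MAC values are constructed sample data, not real PAN-OS virtual MACs.

```python
import re
from typing import Dict, List, Tuple

# Constructed `ip neigh show` output. 10.0.0.1 is the firewall's data-plane
# interface; after the HA commit it answers with a shared HA MAC, but a host
# keeps the old entry until it ages out or is flushed. All values are made up.
NEIGH_BEFORE = """\
10.0.0.1 dev eth0 lladdr 00:1b:17:aa:bb:cc REACHABLE
10.0.0.20 dev eth0 lladdr 52:54:00:12:34:56 STALE
"""
NEIGH_AFTER_STALE = """\
10.0.0.1 dev eth0 lladdr 00:1b:17:aa:bb:cc STALE
10.0.0.20 dev eth0 lladdr 52:54:00:12:34:56 REACHABLE
"""
NEIGH_AFTER_FRESH = """\
10.0.0.1 dev eth0 lladdr 00:1b:17:00:01:05 REACHABLE
10.0.0.20 dev eth0 lladdr 52:54:00:12:34:56 REACHABLE
"""

LINE_RE = re.compile(
    r"^(?P<ip>\S+) dev (?P<dev>\S+) lladdr (?P<mac>[0-9a-fA-F:]{17}) (?P<state>\S+)$"
)

Neigh = Dict[str, Tuple[str, str, str]]  # ip -> (device, mac, state)


def parse_ip_neigh(text: str) -> Neigh:
    """Parse `ip neigh show`; entries without an lladdr (FAILED/INCOMPLETE) are skipped."""
    table: Neigh = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            table[m["ip"]] = (m["dev"], m["mac"].lower(), m["state"])
    return table


def changed_macs(before: Neigh, after: Neigh) -> List[Tuple[str, str, str]]:
    """IPs whose cached MAC differs between the two snapshots: the expected post-HA picture."""
    return [(ip, before[ip][1], after[ip][1])
            for ip in before if ip in after and before[ip][1] != after[ip][1]]


def stale_entries(firewall_ips: List[str], pre_ha: Neigh, post_ha: Neigh) -> List[str]:
    """Flush commands for firewall IPs still cached with the pre-HA MAC after the commit."""
    cmds = []
    for ip in firewall_ips:
        if ip in pre_ha and ip in post_ha and pre_ha[ip][1] == post_ha[ip][1]:
            cmds.append(f"ip neigh flush dev {post_ha[ip][0]} to {ip}")
    return cmds
```

Run the same comparison on each router or switch ARP table (or its static entries) rather than only on hosts, since those are the devices the reply above singles out.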
L1 Bithead

Re: Upgrading a stand alone PA-Firewall 3020 to a HA-Cluster

Hi reaper,

 

Thanks for your feedback, that helps me a lot.

 

Have a nice day!
