02-25-2016 02:59 AM
Hi - looking to make some changes to the HA configuration between 2x PA 5000s.
First change: an HA3 link to an AE link on different interfaces in an A/A pair of 5000s.
I'm wondering if there is a procedure anywhere for this? What would happen to an A/A pair if HA3 were to be reconfigured by Panorama? Connections are already in place; they just need configuring.
Is it recommended to remove Active/Active during the configuration? Is there a procedure for that anywhere 🙂
Any help would be greatly appreciated.
Thanks
Sam
02-25-2016 05:38 PM
This is a non-standard change so I don't think you will find it documented. And I suspect this will be service affecting and / or require suspending a node in the cluster.
For these types of activities, I generally open a support case. This way the MOP can be reviewed by some senior engineers and the outage scenario fully understood.
PA will also schedule a time to be live with you on a call from TAC during your maintenance window for these types of changes. This speeds the process and has them on standby if the MOP does not work out for some reason.
02-25-2016 07:52 AM
What is your reason for using A/A? Asymmetric routing or Palos connected to another firewall cluster or something else?
HA3 is used to transmit packets between firewalls.
All packets belonging to the same session are analysed by the same firewall. If a packet comes to a firewall and the session owner is the other firewall, then HA3 is used to pass the packet over.
If you disconnect HA3 then you will disturb your connections anyway.
If you don't have a specific requirement to have both boxes running all the time, then suspend one and see if you can change the HA3 interface.
If not, then disable HA temporarily and make your change.
03-04-2016 01:53 AM
Hi both, thanks for your answers.
I'll probably go down the road of raising a support call to assist in this.
If I learn the procedure, and remember, I'll post it back here 🙂