Break up Active/Passive HA Cluster

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Break up Active/Passive HA Cluster

L0 Member

Hello,

 

we have a PA-3020 Active/Passive HA Cluster.

 

Because of cost cutting I have to break up our cluster and just use one of the firewalls as standalone. The thing is, the license of the passive firewall will last longer than the one from the active. The goal is to use the passive firewall as standalone and to factory reset the active so it can be used as cold spare ... or you know, as paperweight.

 

Is this the right procedure to break up the Active/Passive HA Cluster correctly and use the passive as standalone firewall:

- Config Backup from active and passive

- Disable preemptive failover

- Manual failover to the passive firewall so that it becomes the active

- Shut down the formerly active (now passive) firewall

- Disable Config Sync and disable HA

- Commit the configuration

- Strip the HA links between the firewalls and everything else from the formerly active (now passive)

- Factory reset the formerly active (now passive) firewall (via direct connection Notebook <-> Mgmt port firewall)

- Pray there are no problems in the future

 

Is this correct or is there another/better way to do this?

 

Best regards,

J. Veentjer

 

1 accepted solution

Accepted Solutions

Cyber Elite
Cyber Elite

Hi @Veentjer ,

 

Yes, that is the correct way to do it.  Technically, you can skip step #2, "Disable preemptive failover".  It is not needed.  When you suspend a NGFW, it will not preempt.  I would replace it with "Install the dashboard system HA widget and verify the config is synced between the HA pair" before failover.

 

You mentioned the word "cluster" which threw me off for a second.  Clustering is a different technology in which all NGFWs are considered active.  I just mentioned that to confirm we were talking about a standard HA pair.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

View solution in original post

5 REPLIES 5

Cyber Elite
Cyber Elite

Hi @Veentjer ,

 

Yes, that is the correct way to do it.  Technically, you can skip step #2, "Disable preemptive failover".  It is not needed.  When you suspend a NGFW, it will not preempt.  I would replace it with "Install the dashboard system HA widget and verify the config is synced between the HA pair" before failover.

 

You mentioned the word "cluster" which threw me off for a second.  Clustering is a different technology in which all NGFWs are considered active.  I just mentioned that to confirm we were talking about a standard HA pair.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

Cyber Elite
Cyber Elite

@Veentjer,

Just going to throw out that if this is solely for cost savings and you would like to have a warm spare that's ready to take the active's place if it fails (minus license transfers) you could keep a management IP active on the disconnected firewall and use a script to automatically keep things up-to-date in the event a change is ever needed.

I've had some clients want to do this to save costs in the past, and what I did was create a script that exported the configuration from the active firewall and simply replaced everything in deviceconfig for the spare unit. This ensures that the spare unit is always ready to effectively take the active units place in the event that it's ever needed. 

Cyber Elite
Cyber Elite

Hello @BPry 

Would you mind posting the sanitized script? Not looking to do this, however I'm sure someone else might?

 

Regards,

L0 Member

Hey @TomYoung,

 

thank you very much for your input and the confirmation. And also thank you for the clarifying part about a pair and a cluster - never thought about that, but you are correct.

 

@BPry, I would also like to know what kind of script you are talking about. Can you elaborate more?

 

Best regards,

J. Veentjer

Cyber Elite
Cyber Elite

I'll work on actually putting this into one script that is sanitized and doesn't have any abnormal dependencies specific to any set environment or anything like that. Likely won't have time to get to this until this weekend.

 

Essentially the only thing that the actual script needs to do is take the configuration from the "primary" firewall and replace everything between <deviceconfig> and </deviceconfig> and replace it with the copy meant for the "backup" firewall.

The way that I've chosen to do this is using the configuration file as a jinja template and merging the stored "backup" deviceconfig file to create a full and working configuration file. Then you simply upload the updated configuration file to the "backup" device and it has the updated configuration from the "primary" firewall on a daily basis. 

 

Configuration File Example:

      <deviceconfig>
        {% include [deviceconfig] %}
      </deviceconfig>

 Render Example

from jinja2 import Environment, FileSystemLoader
output_file = ('/tmp/new-config.xml') #Rendered file output#
log_collector.debug("Setting output_file variable: " + str(output_file))
file_loader = FileSystemLoader('/Palo-Alto/Configurations/PA-5220/Jinja2/') #Where are the files#
log_collector.debug("Setting FileSystemLoader: " + str(file_loader))
# Load Environment #
env = Environment(loader=file_loader)
log_collector.debug("Utilizing template Config-Files/Palo-Alto/Configurations/PA-5220/Jinja2/deployed-config.xml")
template = env.get_template('deployed-config.xml') #Gathers Template File#
# Render #
log_collector.debug("Rending template: deviceconfig variable: 'backup-firewall/deviceconfig.xml'")
output = template.render(deviceconfig='backup-firewall/deviceconfig.xml') #Renders the template#
save_file_f = open(output_file, 'w')
save_file_f.write(output)
save_file_f.close()

 

The thing to keep in mind here is that you won't want to have anything plugged into the "backup" firewall dataplane unless you have those associated interfaces shutdown. Replacing the deviceconfig will allow you to maintain management access to the "backup" firewall while keeping the relevant configuration updated. You'd also want to ensure the master key is the same between both units, but since you'd be breaking HA that'll already be the case.

  • 1 accepted solution
  • 3849 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!