Change management ip of cluster nodes.


Hello,

We have a 3200 series HA cluster.

The requirement is to change the IP address of the management interface of both the nodes.

(Note: we are not changing the IP address of Panorama.)

All the required rules and routes are in place.

Can we change the IP address remotely while still logging in through the management interface (old IP)?

Via the command line, if we change the IP and gateway (via a single command), we may get a momentary disconnection? But if everything else seems to be in place, like proper port settings and routing etc. to reach the new management range, it should work?

We want to avoid going to the DC because of restrictions (for console access).

Can anyone suggest a way to change the management IP of cluster nodes remotely? Which node to do first, secondary?

Also, after changing the node management IP addresses, what change do we have to do in Panorama to reflect the new IP addresses?

If anyone has a procedure, please share.


Hi @FWPalolearner,

There are a lot of comments, not sure if I got everything, but:

- What version are your FW and Panorama? If you are running 9.1 you can probably rely on the feature Automated Commit Recovery. We still run on 9.0 so I haven't tested this feature, but in theory this should work great for your case:

1. Enable the automatic recovery

2. Push the new mgmt IP from Panorama. If there are any issues with the new mgmt IP, the FW will lose access to Panorama and the recovery process should kick in.

- In general you don't have to do anything on the Panorama once you change the FW mgmt IP. This is because Panorama uses the serial number to track the FWs. When you configure the FW with the Panorama IP, it will attempt to register to Panorama. By default Panorama will accept any source IP and will try to establish the TCP/SSL connection; it will ask for the SN and if the provided SN is already added to Panorama it will accept the FW request and complete the registration. So in your case, once you change the mgmt IP, the FW will generate a new TCP session with the new source, Panorama will establish this session, see that the SN is the same as the one already registered and automatically update the IP under the "manage devices".

Similar to the FW, you can configure a permit IP list to specify which IP addresses are allowed to connect to Panorama; if nothing is defined Panorama will accept anything. So if you have anything configured under the permit IP, make sure you have included the new mgmt IP/range.

- You cannot SSH to a member over the HA link. Even if you receive a password prompt, the firewall will not allow you to connect.

- As a fallback you can configure a mgmt profile on a dataplane interface. Indeed, for an HA cluster you will be able to connect only to the active member, but this should be enough as a fallback:

1. Assign the mgmt profile

2. Connect to the active FW, fix the mgmt IP

3. Suspend the FW to cause failover

4. Reconnect to the mgmt profile IP, which now will connect you to the second FW

5. Fix the mgmt IP on the secondary device

- I believe @OtakarKlier was trying to say: check your HA config and make sure you don't use the mgmt IP for HA1. If you do and you don't have a backup HA1, you will have split brain once you change the FW mgmt IP on one of the members.


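A pre-change check for the fallback procedure and the Panorama permitted-IP point in the accepted answer, written as an added example (not from the original thread or from Palo Alto Networks); NodePlan, check_plan and every address used are assumed, constructed sample values:

```python
# Added example: pre-change checks before re-addressing the management
# interface of an HA pair managed by Panorama. Not Palo Alto Networks code;
# NodePlan, check_plan and every address below are constructed sample values.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class NodePlan:
    name: str
    new_mgmt: str              # new mgmt address with prefix, e.g. "10.20.30.11/24"
    new_gateway: str           # new default gateway of the mgmt interface
    ha1_port: str              # port carrying HA1: "ha1-a", "ethernet1/8" or "management"
    ha1_backup: Optional[str]  # port carrying HA1 backup, or None if there is none


def check_plan(nodes: List[NodePlan], panorama_permit_ips: List[str]) -> List[str]:
    """Return a list of findings; an empty list means the plan passed every check."""
    findings = []
    seen = set()
    permitted = [ipaddress.ip_network(p, strict=False) for p in panorama_permit_ips]
    for n in nodes:
        iface = ipaddress.ip_interface(n.new_mgmt)
        gw = ipaddress.ip_address(n.new_gateway)
        # The gateway must sit on the new mgmt subnet, or the node is unreachable after commit.
        if gw not in iface.network:
            findings.append(f"{n.name}: gateway {gw} is not in {iface.network}")
        # Each member needs its own mgmt address.
        if iface.ip in seen:
            findings.append(f"{n.name}: mgmt address {iface.ip} is reused")
        seen.add(iface.ip)
        # HA1 on the mgmt port with no HA1 backup: changing one member's mgmt IP
        # drops the HA1 session and risks split brain (the accepted answer's last point).
        if n.ha1_port == "management" and not n.ha1_backup:
            findings.append(f"{n.name}: HA1 uses the management port with no HA1 backup")
        # A non-empty Panorama permitted-IP list must cover the new address, otherwise
        # the firewall's re-registration from the new source IP is refused.
        if permitted and not any(iface.ip in net for net in permitted):
            findings.append(f"{n.name}: {iface.ip} not covered by Panorama permitted IPs")
    return findings


# Constructed sample plan for a two-node pair; fw-b deliberately fails two checks.
SAMPLE_NODES = [
    NodePlan("fw-a", "10.20.30.11/24", "10.20.30.1", "ha1-a", "ha1-b"),
    NodePlan("fw-b", "10.20.30.12/24", "10.20.40.1", "management", None),
]
SAMPLE_PERMIT = ["10.20.30.0/24"]
```

Run check_plan(SAMPLE_NODES, SAMPLE_PERMIT) and fix every finding before pushing the new addresses; an empty list is the go signal.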

Hello,

Prior to doing this, I would recommend you configure another interface and give it a management profile. Test the new one prior to making any changes to the main one. This way, if you lose the main management ports for whatever reason, you won't lose access to the devices. You can always remove the management profile after all your changes have been made successfully. I do this on all my firewalls so that I have secondary access if needed, but I also restrict who/what can connect to the secondary interface.

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/network/network-network-profi...

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/configure-interfaces/use-interf...

Hope that helps.

Hello @OtakarKlier, thanks for your reply.

I currently have many subinterfaces and I can make a management profile on any of them, but those are FW interfaces shared by the cluster. How do I access the firewalls individually even if I configure a management profile on any of the existing subinterfaces?

Hello,

Check out the links I posted. You can restrict access by source IP/subnet. If it's in a different zone, you can use a security policy to limit source/destination and even by username. Also remember that you have to have an account on the PAN in order to be able to access it.

Hope that helps.

Hi,

I understand that we can restrict via source IP address.

The point here is, if I use one of the traffic interfaces/subinterfaces as the management, I can only access one box of the cluster as there are not two different addresses on the traffic interfaces.

Hello,

You are correct. While a bit risky, you can try the following:

1. Set up secondary management interfaces.

2. Perform the changes (this would be PAN-A in the cluster).

3. Verify the changes.

4. Fail over to the secondary (this would be PAN-B in the cluster).

5. Perform the changes.

6. Verify the changes.

7. Either fail back or run like this.

Just a thought.

 

Ok thanks. Yes, it can be one of the solutions. The only point is to do failover 🙂

My gut feeling says that after changing the IP address to the new one and doing "commit", we will momentarily lose access, but it should work with the new address after that.

 

 

 

Hello,

Not if using the secondary management port to make the change. Use it instead of the primary one since it won't change.

Hope that makes sense.

Regards,

I don't understand your last point.

If you are connected to the secondary management interface, then since its IP is not changing, you should not lose connectivity. Also place the standby unit into suspended state so a failover does not happen, depending on your HA configuration. Then once the primary is changed, change the secondary and make sure HA is working.

I was thinking if we can make use of the sync interface.

1) Login to the active firewall.

2) Login (SSH) to the sync IP of the passive firewall and change the mgmt IP of the passive.

3) Login to the passive FW with the new IP. SSH to the sync IP of the active FW. Change the mgmt IP.

 

 

Hello,

I don't recall if an HA sync interface can be SSHed into; if yes, then I say go for it as it's a similar principle. Just make sure you know your HA policies in and out so as not to cause a failover or split brain.

Regards,

Sure, I will also check.

Just one point: changing the mgmt IP using the sync interface does not impact HA as it is a local config, so there is no question of an HA issue or split brain.

 

 

I tried to access via the Sync port; it's not working (SSH).

This is strange as my HA interfaces have an IP address but SSH is not working.

Last question,

Once the IP address of the management interfaces on both nodes is changed, what do we have to do in Panorama?

Does Panorama recognise the new IPs automatically? (Rules are open between Panorama and the FW new management IP address.)

Do we have to do anything in templates or Device Groups?
