forming firewall HA in a panorama managed environment

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

forming firewall HA in a panorama managed environment

L2 Linker

we have a panorama managed firewall and we push objects from panorama to it . we are considering to make a HA firewall setup . as per articles from PaloAlto , Panorama objects are not being synchronized.

Question 1 : Should we add secondary firewall to Panorama prior to forming HA cluster and ensure it's completely synced up ?

Question 2 : Is there any other concerns that we need to be aware for this scenario ( forming firewall HA with a panorama managed device )

1 accepted solution

Accepted Solutions

The HA sync should add the VSYS'es onto the passive PA, and Panorama will see the new VSYS'es of the passive PA.  You then need to add these VSYS'es of the passive to the device group(s) within Panorama.  Once the VSYS'es are in device group(s), you can push Panorama objects & policies to the passive.

View solution in original post

7 REPLIES 7

L6 Presenter

@akhalighi wrote:

we have a panorama managed firewall and we push objects from panorama to it . we are considering to make a HA firewall setup . as per articles from PaloAlto , Panorama objects are not being synchronized.

Question 1 : Should we add secondary firewall to Panorama prior to forming HA cluster and ensure it's completely synced up ?

 

If you plan to configure the HA settings from Panorama & push to the 2nd firewall, then you should add the 2nd PA to Panorama 1st and define a template for the 2nd PA.   If you plan to keep the HA setting local to the PA, then you can do it either way.

Question 2 : Is there any other concerns that we need to be aware for this scenario ( forming firewall HA with a panorama managed device )

 

You need to put both PAs into the same device group so they can have the same shared policies.  You can commit to each PA one at a time or select both when committing from Panorama.  

 

If the PAs are in A/P HA and their network settings are the same, you may want to put both in the same template assuming the mgmt & HA settings are set locally at the PA.  Or you can put each PA in its own template and assign every settings within the template.

 

 


 

Thanks

 

This is going to be an Active-Passivesetup with Active running some VSYSs.

in our scenario panorama pushes objects to VSYSs on Active firewall . do we still need to add all VSYSs on passive PA to receive objects from Panorama ? Or objects will be replicated as part of VSYS syncronization ?

With multi VSYS running, each VSYS is considered to be a firewall by Panorama.  For example, we have 5 VSYS'es defined and Panorama will detect 5 firewall instances (10 firewall instances in the case of HA).  Typically, we will define 5 device groups, 1 group for each VSYS with a pair of A/P firewalls in each group. 

 

You will need to to commit to the passive to push the objects from Panorama.  Panorama commits are not sync to give us the flexibility to commit to 1 PA or to both.  Also, there is no VSYS sync but rather the sync is done with HA process. 

Thanks . so to be clear , If I have two VSYSs ( VSYS1 and VSYS2) on Active PA and I form a HA cluster ; these two VSYSs will be craeted on passive node durinf first configuration Sync  but I have to add them to Panorama to receive the objects . Is that right ?

1st you will need to manually enable Multi-VSYS on the passive.  Then if the VSYS'es are defined locally on active PA, you can perform an HA sync and the configuration of the VSYS will sync to the passive.  If you are using template in Panorama to define the VSYS'es, then you need to perform a template commit to push the VSYS config to the passive.

 

Hope that helps.

Thanks . VSYSs are defined locally but they receive objects ( address objects and service objects ) from Panorama . so I guess after HA Sync , we need to add VSYSs on Passive PA to Panaroma and push Panorama objects to them ?

The HA sync should add the VSYS'es onto the passive PA, and Panorama will see the new VSYS'es of the passive PA.  You then need to add these VSYS'es of the passive to the device group(s) within Panorama.  Once the VSYS'es are in device group(s), you can push Panorama objects & policies to the passive.

  • 1 accepted solution
  • 3857 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!