I am testing out and setting up two PA-2020 in a HA Active/Passive setup for eventual use in our production network. I am testing this outside of our current network infrastructure to ensure I understand the complete setup processes. I had a couple design questions regarding this setup.
As of now I have two zones, WAN and LAN, enabled on both firewalls. I've enabled two ports for HA on both firewalls and have connected them with crossover cables. Both WAN cables are running into a switch, and both LAN cables are running into another switch. I've been able to get HA working, but had a question about how to manage both PAN FWs separately, since the interfaces on one are inactive in the passive state. Currently both management ports are set to the default IP and subnet, but I was wondering if I can assign the management port in the same subnet as the LAN network to manage the firewalls independently. In order to suspend firewalls for PAN-OS upgrades, can I manage both firewalls at the same time in this manner?
I’m a little bit new to firewalls, and even newer to PANs and wanted to make sure I understood the setup behind this. Thanks for all your help.
Any other thoughts or tips would be awesome, too! Thanks!
The interfaces on the passive device will be inactive. You can manage both the active and the passive box through the management ports which remain active irrespective of the HA state. You will still have access to both the boxes during upgrade if you use management ports.
There is a specific procedure to be followed during upgrade to ensure minimal downtime. This document walks you through the process:
The procedure is the same irrespective of the PAN-OS version you are upgrading from or to.
Also, if you're deploying the PAN firewalls in L3 mode, the passive LAN & WAN interfaces can be set to auto and these interfaces on the passive PAN can be in an up state.
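The answer above rests on two points: the management ports stay reachable on both boxes whatever the HA state, and before suspending a box for an upgrade you want to confirm both are reachable and agree on who is active. The following script is an added example (not from this thread and not Palo Alto Networks code) that turns those points into a pre-upgrade check. It assumes the trimmed XML shape below, which is a constructed stand-in for the PAN-OS API response to `show high-availability state`; a real run would fetch that XML from each management IP over the XML API, which is left out so the script runs offline. It also includes a small planning check for the follow-up question: placing the two management IPs inside the LAN subnet without colliding with addresses already in use (the sample addresses are documentation ranges, not a real deployment).

```python
"""Pre-upgrade readiness check for an Active/Passive pair, driven from the
management ports. Added example; the XML below is a constructed, trimmed
stand-in for the PAN-OS `show high-availability state` API response."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample responses keyed by management IP (not real output).
SAMPLE_RESPONSES = {
    "192.0.2.11": """<response status="success"><result><enabled>yes</enabled>
      <group><mode>Active-Passive</mode>
        <local-info><state>active</state><mgmt-ip>192.0.2.11/24</mgmt-ip></local-info>
        <peer-info><state>passive</state><mgmt-ip>192.0.2.12/24</mgmt-ip></peer-info>
      </group></result></response>""",
    "192.0.2.12": """<response status="success"><result><enabled>yes</enabled>
      <group><mode>Active-Passive</mode>
        <local-info><state>passive</state><mgmt-ip>192.0.2.12/24</mgmt-ip></local-info>
        <peer-info><state>active</state><mgmt-ip>192.0.2.11/24</mgmt-ip></peer-info>
      </group></result></response>""",
}


def parse_ha_state(xml_text):
    """Return (ha_enabled, local_state, peer_state) from one HA state response."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise ValueError("API call did not succeed")
    enabled = root.findtext("./result/enabled") == "yes"
    local = root.findtext("./result/group/local-info/state")
    peer = root.findtext("./result/group/peer-info/state")
    return enabled, local, peer


def check_pair(responses):
    """responses: {mgmt_ip: xml_text, or None if the box did not answer}.

    Both boxes must answer on their management IPs, HA must be enabled on
    both, exactly one must be active and one passive, and each box's view
    of its peer must match what the peer reports about itself.
    """
    findings = {"reachable": [], "unreachable": [], "roles": {}, "problems": []}
    for ip, xml_text in responses.items():
        if xml_text is None:
            findings["unreachable"].append(ip)
            continue
        findings["reachable"].append(ip)
        enabled, local, peer = parse_ha_state(xml_text)
        if not enabled:
            findings["problems"].append(f"{ip}: HA not enabled")
        findings["roles"][ip] = {"local": local, "peer": peer}
    if findings["unreachable"]:
        findings["problems"].append(f"unreachable on mgmt: {findings['unreachable']}")
    states = sorted(r["local"] for r in findings["roles"].values())
    if states != ["active", "passive"]:
        findings["problems"].append(f"expected one active and one passive, saw {states}")
    local_by_ip = {ip: r["local"] for ip, r in findings["roles"].items()}
    for ip, r in findings["roles"].items():
        others = [s for o, s in local_by_ip.items() if o != ip]
        if others and others[0] != r["peer"]:
            findings["problems"].append(
                f"{ip} sees peer as {r['peer']}, peer reports {others[0]}")
    findings["ok"] = not findings["problems"]
    return findings


def plan_mgmt_addresses(lan_subnet, mgmt_ips, reserved):
    """Validate proposed management IPs for placement in the LAN subnet.

    Each must sit inside lan_subnet, be unique, not be the network or
    broadcast address, and not collide with addresses already in use
    (LAN interface IP, default gateway, ...). Returns a list of issues.
    """
    net = ipaddress.ip_network(lan_subnet, strict=True)
    issues, seen = [], set()
    for ip in mgmt_ips:
        addr = ipaddress.ip_address(ip)
        if addr not in net:
            issues.append(f"{ip} is outside {lan_subnet}")
        elif addr in (net.network_address, net.broadcast_address):
            issues.append(f"{ip} is the network or broadcast address")
        if ip in reserved:
            issues.append(f"{ip} collides with a reserved address")
        if ip in seen:
            issues.append(f"{ip} proposed twice")
        seen.add(ip)
    return issues


if __name__ == "__main__":
    print(check_pair(SAMPLE_RESPONSES))
    # Hypothetical LAN: 192.0.2.0/24 with the gateway on .1
    print(plan_mgmt_addresses("192.0.2.0/24", ["192.0.2.11", "192.0.2.12"], {"192.0.2.1"}))
```

Run `check_pair` against both management IPs before suspending either box; if one of them does not answer, or the two disagree about which is active, stop and sort that out first, because once the active box is suspended the management port is the only path left to it.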
Per my original question, can the management ports be subnetted to my LAN zone with an IP address that I can access from the LAN zone, instead of having to walk into my Data Center with two laptops to manage the firewalls? This will also be particularly important as I will need to manage two additional firewalls at a second location via an IPSec tunnel.