HA Active/Passive Management Design

L3 Networker
I am testing out and setting up two PA-2020s in an HA Active/Passive setup for eventual use in our production network. I am testing this outside of our current network infrastructure to ensure I understand the complete setup process. I had a couple of design questions regarding this setup.

As of now I have two zones, WAN and LAN, enabled on both firewalls. I've enabled two ports for HA on both firewalls and have connected them with crossover cables. Both WAN cables are running into a switch, and both LAN cables are running into another switch. I've been able to get HA working, but had a question about how to manage both PAN FWs separately, since the interfaces on one are inactive in the passive state. Currently both management ports are set to the default IP and subnet, but I was wondering if I can assign the management port an address in the same subnet as the LAN network to manage the firewalls independently. In order to suspend firewalls for PAN-OS upgrades, can I manage both firewalls at the same time in this manner?

I'm a little bit new to firewalls, and even newer to PANs, and wanted to make sure I understood the setup behind this. Thanks for all your help.

Any other thoughts or tips would be awesome, too!  Thanks!


All Replies
L5 Sessionator

The interfaces on the passive device will be inactive. You can manage both the active and the passive box through the management ports which remain active irrespective of the HA state. You will still have access to both the boxes during upgrade if you use management ports.

There is a specific procedure to be followed during upgrade to ensure minimal downtime. These documents walk you through the process:


The procedure is the same irrespective of the PAN-OS version you want to upgrade from or to.


L6 Presenter

Also, if you're deploying the PAN firewalls in L3 mode, the passive LAN & WAN interfaces can be set to auto and these interfaces on the passive PAN can be in an up state.

L3 Networker

Per my original question, can the management ports be subnetted to my LAN zone with an IP address that I can access from the LAN zone, instead of having to walk into my Data Center with two laptops to manage the firewalls? This will also be particularly important as I will need to manage two additional firewalls at a second location via an IPSec tunnel.

Accepted Solution
L6 Presenter

Yes, there is a dedicated mgt port on each PAN firewall and you can assign a LAN IP address to the mgt port. Each firewall should be given a different IP address for its mgt port. Thanks.

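As an added illustration of the two answers above (the management port staying reachable regardless of HA state, and each peer getting its own address in the LAN subnet), here is a small planning check. It is not from the thread or from Palo Alto Networks: it validates a constructed addressing plan (the subnet, gateway, HA-link ranges and the two management addresses are all assumed sample values) and then renders the per-peer PAN-OS CLI lines for the management interface. The `set deviceconfig system ...` syntax is the standard PAN-OS configuration-mode form; hostnames and addresses are placeholders.

```python
import ipaddress

# Constructed sample plan (not from the thread): LAN zone subnet and gateway,
# the two point-to-point HA control links, and a distinct management
# address for each HA peer inside the LAN subnet.
LAN_SUBNET = "10.10.0.0/24"
LAN_GATEWAY = "10.10.0.1"
HA_LINK_SUBNETS = ["169.254.0.0/30", "169.254.0.4/30"]
PLAN = {
    "fw-a": {"mgmt_ip": "10.10.0.11"},
    "fw-b": {"mgmt_ip": "10.10.0.12"},
}
# Factory default management address that both boxes ship with.
FACTORY_DEFAULT_MGMT = "192.168.1.1"


def validate_mgmt_plan(plan, lan_subnet, gateway, ha_links=(), default_ip=FACTORY_DEFAULT_MGMT):
    """Return a list of problems found in the plan; an empty list means it is consistent.

    Checks: each mgmt IP sits in the LAN subnet, does not collide with the
    gateway/network/broadcast address, is no longer the factory default,
    does not overlap an HA link range, and is unique across peers.
    """
    problems = []
    lan = ipaddress.ip_network(lan_subnet)
    gw = ipaddress.ip_address(gateway)
    ha_nets = [ipaddress.ip_network(n) for n in ha_links]
    seen = {}

    if gw not in lan:
        problems.append(f"gateway {gw} is outside LAN {lan}")

    for name, entry in plan.items():
        ip = ipaddress.ip_address(entry["mgmt_ip"])
        if ip not in lan:
            problems.append(f"{name}: {ip} is outside LAN {lan}")
        if ip in (gw, lan.network_address, lan.broadcast_address):
            problems.append(f"{name}: {ip} collides with gateway/network/broadcast")
        if ip == ipaddress.ip_address(default_ip):
            problems.append(f"{name}: still on factory default {default_ip}")
        for net in ha_nets:
            if ip in net:
                problems.append(f"{name}: {ip} overlaps HA link {net}")
        if ip in seen:
            problems.append(f"{name}: {ip} duplicates {seen[ip]}")
        seen[ip] = name
    return problems


def render_mgmt_config(plan, lan_subnet, gateway):
    """Emit the PAN-OS CLI lines that set each peer's management address.

    Returns {peer_name: [cli lines]} so each box is configured through its
    own management port, which stays up whether the box is active or passive.
    """
    lan = ipaddress.ip_network(lan_subnet)
    out = {}
    for name, entry in plan.items():
        out[name] = [
            f"set deviceconfig system hostname {name}",
            f"set deviceconfig system ip-address {entry['mgmt_ip']} "
            f"netmask {lan.netmask} default-gateway {gateway}",
            "commit",
        ]
    return out


if __name__ == "__main__":
    issues = validate_mgmt_plan(PLAN, LAN_SUBNET, LAN_GATEWAY, HA_LINK_SUBNETS)
    if issues:
        print("\n".join(issues))
    else:
        for peer, lines in render_mgmt_config(PLAN, LAN_SUBNET, LAN_GATEWAY).items():
            print(f"# {peer}")
            print("\n".join(lines))
```

Run it as-is to print the two configuration snippets; feed it a plan where both peers still carry the factory default or the same address and it reports the collision instead of rendering anything.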

Not applicable

Any way I could get access to these docs?

L6 Presenter

You mean ? It works for me, so I guess it should work for you as well to access that URL?
