This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Cookie Policy. Click Preferences to customize your cookie settings.
How to set up two HA (active / passive mode) firewalls to be managed by panorama
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- Discussions
- General Topics
- How to set up two HA (active / passive mode) firewalls to be managed by panorama
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
How to set up two HA (active / passive mode) firewalls to be managed by panorama
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
01-18-2020 01:01 AM
Hi All,
I already have two firewalls to set HA and use Active / Passive mode.
But when I put both devices into the same Device Groups and Templates and push the configuration file to both devices, the HA settings of the second device will be overwritten by the HA settings of the first device.
I saw this "Migrate a Firewall HA Pair to Panorama Management"
It mentioned that it seems to set variables
Please help me.
Thank you!
10 REPLIES 10
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
01-22-2020 08:50 AM
The setup looks like this:
Besides this, there is only a config for the management interface certificate in the node template.
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
01-22-2020 10:13 AM - edited 01-22-2020 11:41 AM
Thanks for sharing. In this case I will give it another try.
The question now is why does paloalto write in the adminguide that IP addresses of HA firewalls can only be configured locally ... @kiwi do you may have the answer?
Edit: @JoergSchuetter what PAN-OS version do you use? When I configure the HA IPs in panorama template stack, they are not applied to the firewall. All the HA config works, but when I check locally on the firewall the IPs aren't from the template...
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
01-23-2020 08:48 AM
@vsys_remo : We are using this template stack since version 8.0 (works well with 8.1 and 9.0).
One initial step is to clean up the local stored config:
delete rulebase
delete zone trust
delete zone untrust
delete network virtual-wire default-vwire
delete network interface
delete network tunnel
delete network ike
delete network virtual-router default
delete deviceconfig system update-schedule
delete deviceconfig high-availability
delete deviceconfig system timezone
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
01-23-2020 01:18 PM
Did exactly that (besides the HA config I have nothing locally), but there is no value for HA IP address locally on the firewall ...
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
01-30-2020 12:10 PM
What do you mean with "no value for HA IP address locally"?
It will not be listed on the CLI using "show ..."
Does it show up in the GUI of the firewall?
Related Content
Like what you see?
Show your appreciation!
Click Like if a post is helpful to you or if you just want to show your support.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks