This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

IP for Cluster HA Active Pasive

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

IP for Cluster HA Active Pasive

Alpalo
L4 Transporter

‎09-15-2021 03:19 AM

Hello,

We have a 3200 series HA cluster active/passive version 9.1.10.

The requirement is to access through a single ip always to the active node.

That is, I have an IP for the active node and another for the passive node but I want to configure a single IP to access the active node either one or the other.

Can anyone help me to configure it? How do I have to do it?

0 Likes Likes
2 REPLIES 2

PavelK
Cyber Elite
Cyber Elite

‎09-15-2021 06:21 AM

Thank you @Alpalo for posting question.

 

To my knowledge this is not possible. Management interface is configured individually on each firewall and is not part of HA. Here is the list of items that are not HA synchronized, management interface is on the top of the list: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/high-availability/reference-ha-synchroniza...

 

I know that some Firewalls for example Cisco ASA has management interface to be part of HA, then when there is a failover the management interface is also changed, however PA does not have this implementation. Can I ask for the reason why this is required?

 

Thank you & Regards

Pavel

Help the community: Like helpful comments and mark solutions.
0 Likes Likes

batd2
L4 Transporter

‎09-15-2021 06:22 AM

@Alpalo I presume you are referring to the firewall's managed IP address. If this is the case, the management IP need to be unique on each node. 

You have two possible solutions for you task: 

1. Enable firewall management on one of the data interfaces, e.g. ethernet 1/1. You can achieve this by applying interface management profile to it and enable ssh and https. It may also need security policies configuration . This will ensure management connections only to the active HA member. 

2. The other more complex option will be to use some 3rd party load balancer appliance, which can detect the primary member through API calls and sent management traffic to it. 

  • 2135 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks