05-07-2018 09:10 PM
Hi,
We have a pair of PAs in HA mode, and we are going to move one of the sub-interfaces to an L3 interface. Is it possible to do this without any downtime? I am considering the steps below.
Any suggestions or thoughts?
Thanks
05-08-2018 10:19 AM
Hello,
I would say do this in a maintenance window where you can have downtime, as this could cause issues, especially if something is missed in the config. I would not recommend having a different config for the active/passive units.
Just my thoughts.
05-08-2018 12:38 PM
You could do it the way you describe perfectly fine, barring that you toggle a few settings on the firewalls to temporarily break configuration sync. Although, as @OtakarKlier has already mentioned, there are certain risks that go along with this that are really best handled in a maintenance window. You aren't going to know 100% if you have the configuration done properly until you actually fail over traffic, and if it's not dialed in properly you could cause a momentary outage as you move things back to the other HA member.
05-09-2018 04:15 AM
I think you are making this harder than it needs to be...
I would do the following:
1) configure the new ports on the switch in your VLAN and wire it to the new ports on the firewalls
2) just before your maintenance window, configure the new firewall ports and remove the subinterfaces
3) when the maintenance window begins, apply this candidate configuration
4) once you verify everything is functioning, remove the VLAN from the trunk ports on the switch
05-09-2018 08:13 AM
I like the way you are approaching this option, but I would change the methodology slightly:
1) configure the new ports on the switch in your VLAN and wire it to the new ports on the firewalls (with the switchports SHUT)
2) setup the new FW ports as just standard members of the VLAN (untagged or access-port depending on your terminology) and push policy
3) when the maintenance window begins, SHUT the VLAN Trunk Interface on the switch, NO SHUT the standard access ports
4) once you verify everything is functioning, remove the VLAN from the trunk ports on the switch
5) once you verify everything is functioning, remove the VLAN tagging from the FW ports and push policy
The rollback is quick: SHUT the new ports and NO SHUT the old ports.
Very similar process to Joe's, but with a slightly different focus.
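The firewall side of both procedures above (configure the new port, remove the sub-interface, carry the IP, zone and virtual router across, push it as one candidate config) as an added example, not code from the thread or from Palo Alto Networks. It drives the PAN-OS XML API (type=config, type=op, type=commit) from Python instead of the configure-mode CLI the posters would type; the names ethernet1/1.100, ethernet1/2, zone "monitoring", virtual router "default" and vsys1 are assumptions, the sample config is constructed, and the API key is expected from the caller (load it from the environment, never hard-code it). It also copies the interface management profile, which neither post mentions but which is what limits ping/SSH/HTTPS on the interface.

```python
"""Stage a PAN-OS sub-interface -> physical L3 interface move as one candidate
config, validate it, and commit only if validation passes.  Added example over
the PAN-OS XML API; names below are assumptions, not values from the thread."""
import ssl
import time
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

DEV = "/config/devices/entry[@name='localhost.localdomain']"
VSYS = f"{DEV}/vsys/entry[@name='vsys1']"

# Constructed sample of the relevant parts of a running config, not a real dump.
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain"><network>
<interface><ethernet><entry name="ethernet1/1"><layer3><units>
<entry name="ethernet1/1.100"><tag>100</tag><ip><entry name="10.0.100.1/24"/></ip>
<interface-management-profile>ping-only</interface-management-profile></entry>
</units></layer3></entry><entry name="ethernet1/2"><layer3/></entry></ethernet></interface>
<virtual-router><entry name="default"><interface><member>ethernet1/1.100</member>
</interface></entry></virtual-router></network><vsys><entry name="vsys1">
<import><network><interface><member>ethernet1/1.100</member></interface></network></import>
<zone><entry name="monitoring"><network><layer3><member>ethernet1/1.100</member>
</layer3></network></entry></zone></entry></vsys></entry></devices></config>"""

def read_subinterface(config_xml, sub):
    """Settings that must follow the IP to the new port: addresses, management
    profile (it is what limits ping/SSH/HTTPS on the interface, so losing it
    silently widens the attack surface), zone and virtual router."""
    root = ET.fromstring(config_xml)
    unit = root.find(f".//layer3/units/entry[@name='{sub}']")
    if unit is None:
        raise ValueError(f"{sub} is not a configured sub-interface")
    zone = next((z.get("name") for z in root.findall(".//zone/entry")
                 if any(m.text == sub for m in z.findall("network/layer3/member"))), None)
    vr = next((v.get("name") for v in root.findall(".//virtual-router/entry")
               if any(m.text == sub for m in v.findall("interface/member"))), None)
    return {"ips": [e.get("name") for e in unit.findall("ip/entry")],
            "profile": unit.findtext("interface-management-profile"),
            "zone": zone, "vr": vr}

def build_plan(sub, parent, new_if, ips, profile, zone, vr):
    """Ordered (action, xpath, element) triples for one candidate config: the IP
    is never owned by two interfaces at commit time, and the zone name is kept,
    which (per the thread) is what lets existing sessions survive the move."""
    ip_xml = "<ip>" + "".join(f'<entry name="{a}"/>' for a in ips) + "</ip>"
    prof_xml = (f"<interface-management-profile>{profile}</interface-management-profile>"
                if profile else "")
    zone_x = f"{VSYS}/zone/entry[@name='{zone}']/network/layer3"
    vr_x = f"{DEV}/network/virtual-router/entry[@name='{vr}']/interface"
    imp_x = f"{VSYS}/import/network/interface"
    eth = f"{DEV}/network/interface/ethernet/entry"
    return [
        ("delete", f"{zone_x}/member[text()='{sub}']", None),
        ("delete", f"{vr_x}/member[text()='{sub}']", None),
        ("delete", f"{imp_x}/member[text()='{sub}']", None),
        ("delete", f"{eth}[@name='{parent}']/layer3/units/entry[@name='{sub}']", None),
        ("set", f"{eth}[@name='{new_if}']", f"<layer3>{ip_xml}{prof_xml}</layer3>"),
        ("set", imp_x, f"<member>{new_if}</member>"),
        ("set", zone_x, f"<member>{new_if}</member>"),
        ("set", vr_x, f"<member>{new_if}</member>"),
    ]

class PanXapi:
    """Minimal XML API client; key supplied by the caller, TLS verification kept on."""
    def __init__(self, host, key, cafile=None):
        self.url, self.key = f"https://{host}/api/", key
        self.ctx = ssl.create_default_context(cafile=cafile)
    def call(self, **params):
        body = urllib.parse.urlencode(dict(params, key=self.key)).encode()
        with urllib.request.urlopen(self.url, data=body, context=self.ctx, timeout=60) as r:
            root = ET.fromstring(r.read())
        if root.get("status") != "success":
            raise RuntimeError(ET.tostring(root, encoding="unicode"))
        return root
    def wait_job(self, resp):
        """validate and commit are asynchronous; poll the job id they return."""
        jid = resp.findtext(".//job")
        while True:
            job = self.call(type="op", cmd=f"<show><jobs><id>{jid}</id></jobs></show>")
            if job.findtext(".//status") == "FIN":
                return job.findtext(".//result")
            time.sleep(3)

def migrate(api, sub, parent, new_if):
    cfg = ET.tostring(api.call(type="config", action="show", xpath="/config"), encoding="unicode")
    for action, xpath, element in build_plan(sub, parent, new_if, **read_subinterface(cfg, sub)):
        api.call(type="config", action=action, xpath=xpath, **({"element": element} if element else {}))
    # Validate the whole candidate before anything touches the dataplane; on an HA
    # pair with config sync the commit on the active unit is pushed to the passive.
    if api.wait_job(api.call(type="op", cmd="<validate><full></full></validate>")) != "OK":
        raise RuntimeError("candidate failed validation; revert it before the window")
    return api.wait_job(api.call(type="commit", cmd="<commit></commit>"))

if __name__ == "__main__":   # offline dry run on the constructed sample
    for step in build_plan("ethernet1/1.100", "ethernet1/1", "ethernet1/2",
                           **read_subinterface(SAMPLE_CONFIG, "ethernet1/1.100")):
        print(*step[:2])
```

Run it with no arguments to print the eight config operations it would stage; call `migrate(PanXapi(host, key), ...)` to run them against a device. The validate step is the part worth keeping even if you type the rest by hand: it is the closest you get to the "you won't know until you fail over" check before the window, and a validation failure leaves the candidate in place for you to revert rather than a half-applied running config. The switch-side SHUT/NO SHUT rollback from the second procedure is unchanged; on the firewall, rollback is reverting to the previous running config.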
05-09-2018 08:51 AM
OP specified they were moving to an L3 interface - not sure you can have two interfaces with same IP even if one is "down."
That aside, I feel this is a "tomato-tomahto" sort of difference, and agree that either solution is possible and easier than breaking HA and bringing firewalls off/on-line.
05-09-2018 11:44 AM
@JoeAndreini wrote: I think you are making this harder than it needs to be...
I would do the following:
1) configure the new ports on the switch in your VLAN and wire it to the new ports on the firewalls
2) just before your maintenance window, configure the new firewall ports and remove the subinterfaces
3) when the maintenance window begins, apply this candidate configuration
4) once you verify everything is functioning, remove the VLAN from the trunk ports on the switch
I would also use exactly these steps for this migration, especially because I can confirm that this worked perfectly fine when I did the opposite (migrating from L3 interfaces to sub-interfaces).
Palo Alto firewalls are zone-based firewalls, so session sync will work during this migration. This is because on a Palo Alto Networks firewall a session is defined by two unidirectional flows, each uniquely identified by a 6-tuple key: source address, destination address, source port, destination port, protocol, and security zone. --> nothing about source interfaces 😉
05-09-2018 05:34 PM
Thanks a lot for the inputs. Their requirement is that they don't want any interruption during this migration because they have a monitoring system on this sub-interface, and any traffic interruption will create noise/an alarm.
I agree with @JoeAndreini, this migration should be simple. I will try to push with this method with them on a maintenance window.
Again, thanks a lot for the input.