Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Migrating from sub-interface to L3 interface

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Migrating from sub-interface to L3 interface

L0 Member

Hi,

 

We have pair of PA in HA mode, we are going to move one of the sub-interface to a L3 interface. is it possible to do this without any downtime? I am considering below steps

 

  • take out sub-interface from monitored interface (to prevent failover)
  • configured L3 interface on standby firewall (is this possible to have a different config between active/passive firewall?)
  • failover to standby firewall (not sure if session table will be sync correctly since now it is configured on an l3 interface instead on sub-interface)
  • sync configuration from now active firewall ( previously standby) to passive firewall.

any suggestion or thoughts?

 

Thanks

1 accepted solution

Accepted Solutions

L4 Transporter

I think you are making this harder than it needs to be...

 

I would do the following:

1) configure the new ports on the switch in your VLAN and wire it to the new ports on the firewalls

2) just before your maintenance window, configure the new firewall ports and remove the subinterfaces

3) when the maintenance window begins, apply this candidate configuration

4) once you verify everything is functioning, remove the VLAN from the trunk ports on the switch

 

 

View solution in original post

7 REPLIES 7

Cyber Elite
Cyber Elite

Hello,

I would say do this in a maintenance window where you can have down time and this could cause issues especially if something is missed in the config. I would not recomnmend having a different config for active/passive units. 

 

Just my thoughts.

Cyber Elite
Cyber Elite

@filterfilter,

You could do it the way you describe perfectly fine baring that you toggle a few settings on the firewalls to temporarily break configuration sync. Although as @OtakarKlier has already mentioned there are certain risks that go along with this that really best to being done in a maintenance window. You aren't going to know for 100% if you have the configuration done properly until you actually failover traffic, and if it's not dialed in properly you could cause a momentary outage as you move things back to the other HA member. 

L4 Transporter

I think you are making this harder than it needs to be...

 

I would do the following:

1) configure the new ports on the switch in your VLAN and wire it to the new ports on the firewalls

2) just before your maintenance window, configure the new firewall ports and remove the subinterfaces

3) when the maintenance window begins, apply this candidate configuration

4) once you verify everything is functioning, remove the VLAN from the trunk ports on the switch

 

 

I like the way you are approaching this option, but I would change the methodology slightly:

 

1) configure the new ports on the switch in your VLAN and wire it to the new ports on the firewalls (with the switchports SHUT)

2) setup the new FW ports as just standard members of the VLAN (untagged or access-port depending on your terminology) and push policy

3) when the maintenance window begins, SHUT the VLAN Trunk Interface on the switch,  NO SHUT the standard access ports

4) once you verify everything is functioning, remove the VLAN from the trunk ports on the switch

5) once you verify everything is functioning, remove the VLAN tagging from the FW ports and push policy

 

The roll back is a quick - SHUT of the new ports and NO SHUT of the old ports.

 

Very similar process to Joe, but slightly different focus.

OP specified they were moving to an L3 interface - not sure you can have two interfaces with same IP even if one is "down."

 

That aside, I feel this is a "tomatoe-tomahto" sort of difference, and agree that either solution is possible and easier than breaking HA and bringing firewalls off/on-line.


@JoeAndreini wrote:

I think you are making this harder than it needs to be...

 

I would do the following:

1) configure the new ports on the switch in your VLAN and wire it to the new ports on the firewalls

2) just before your maintenance window, configure the new firewall ports and remove the subinterfaces

3) when the maintenance window begins, apply this candidate configuration

4) once you verify everything is functioning, remove the VLAN from the trunk ports on the switch

 

 


I would also use exactly these steps for this migration. Specially because I can confirm that was working perfectly fine when I did the opposite (migrate from L3 interfaces to subinterfaces). 

PaloAlto Firewalls are Zone based firewalls, so the session sync will work during this migration. This is because on a Palo Alto Networks firewall, a session is defined by two uni-directional flows each uniquely identified by a 6-tuple key: source-address, destination-address, source-port, destination-port, protocol, and security-zone. --> nothing about source-interfaces 😉

Thanks a lot for the inputs. Their requirement is that they don't want any interuption during this migration because they have a monitoring system on this sub-interface, and any traffic interruption will create a noise/alarm.

 

I agree with @JoeAndreini, this migration should be simple. I will try to push with this method with them on a maintenance window.

 

Again, thanks a lot for the input.

 

 

  • 1 accepted solution
  • 5711 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!