Moving from a single PA500 to HA pair of PA820

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Moving from a single PA500 to HA pair of PA820

L1 Bithead

As the subject states we are single PA500 shop now moving to Dual PA820 in HA.

What can I expect when moving to this type of setup coming from a single FW setup.

Is there anything I need to look out for any "Gotchas"? So far I know I am using 5 copper ports on the PA500 and the PA820 only has 4 so I know I will need a module.  Can anyone think of anything else I may encounter, anything related to Policies, Objects, VPN config anything that you guys can think of.

15 REPLIES 15

Cyber Elite
Cyber Elite

@CTaveras,

I assume that you are going to run in an Active/Passive setup. Not much really changes and there are not really any additional steps that you have to do to keep things working correctly. As far as VPN goes GP clients usually transfer over during a failover even fine, where IPSec site-to-site tunnels that I have generally need a few minutes to re-key with the other unit to start passing traffic again. 

@BPry

Thank you very much for the response, how does HA handle user traffic passing out if one of the firewalls dies,

Do I need to flush arp anywhere or do they keep session tables to some degree?

For IP addresses configured on interfaces, you shouldn't need to clear arp due to the firewall performaing gratuitous arp after an HA event. 

Gratuitous arp is not done for NAT addresses so you might need to clear on external routers if you are doing NAT.

 

 

@rmfalconer Hi,

 

If the Palo has DNAT configured on the external interface for let's say an external range of IPs, it will not send a GARP after failover?

@rmfalconer: the PA does proxy arp for IP addresses used in NAT policies

The HA cluster uses a virtual MAC address which is moved over to the active member if there is a failover event, so the GARP will trigger any switches to learn where the MAC is located and any upstream devices will already have a mapping for the NAT addresses to the virtual MAC. if an IP is not known yet, the active member (wether primary or secondary) will simply proxy arp for the IP using the virtual cluster MAC

 

@CTaveras: the HA cluster (via the HA2 interface) shares all information regarding active sessions (tcp sequence, NAT, QoS, content scanning status,...) , so if there is a failover event all sessions are immediately 'active' on the secondary firewall and can continue as if nothing happened

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Ok so floating MAC address shared between the HA members. All ARP requests for any DNAT IP address that Palo owns will be replied by an active member with its floating MAC address? 

 

 

correct

 

- a HA cluster switches to a floating MAC on all interfaces (based on the cluster ID)

- upon HA failover GARP is sent out for all interfaces

- PA performs proxy ARP for any IP used in NAT policies (in case of HA, the floating MAC is shared)

 

 

 

so normally all connected devices will automatically switch everything over to the active HA peer

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Such a clear answer! Thanks as always

First thank you all for the info/Insight great info!!

 

A few more quetions

 

1.  Any benefit going Active/Active over Active Passive, Pros and cons?

2.  We have the public and private keys of a trusted Certificate Authority imported into the firewall such that the firewall can issue certificates as that CA.  I’m assuming exporting and importing the config won’t also migrate over certificate information such that we would have redo those configurations on the new firewall.

1) No benefits, l know it adds only complexity through l never done it before. Only useful as a temp fix while you dealing with the asymmetric routing on the network.

2) Keys and certs will be migrated (keys are encrypted with the master key on palo)

@CTaveras Just be aware that PAN-OS 8.0.x is the minimum OS version for the new platforms 220, 800 series and 5200 series.

 

Other than that, I agree with some of the other comments such as:

1. Be aware of potential proxy arp configuration on upstream routers. it may break the NAT functionality. If you have static or proxy arp on upstream routers make sure to remove it before starting to test especially the NAT rules.

2. Make sure to configure the Active/Passive Settings as Auto instead of Shutdown. The reason for that is because in the shutdown state, upstream and downstream devices connected to the passive device will not see a valid path until the passive firewall becomes active. That may be a little frustrating because the failover may be delayed a few seconds longer, which may be unnaceptable for some businesses.

Screen Shot 2017-06-02 at 9.17.21 AM.png

 

3. Also be aware of the preemption feature. If your firewalls are connected to two different ISPs and both have different bandwidths, typically you want the firewall connected to the higher bandwidth to always be the Active firewall in the HA pair. In this case you may want to enable the preemtion feature and configure a timer on it.

 

For more advises on HA optimization and configuration please refer to the following document: 

https://live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/documentation_tkb/543/2/HA_Failo...

 

I hope this helps.

We will def have 2 ISP but using both simultaniously.

 

Some one mentioned something about Virtual MAC when in HA...I assume that was for the External interface?

 

What about the Trusted port does that also get a Virtual MAC?

@CTaveras If you want to utilize both links simultaneously one of the options you have available is to enable the ECMP feature. https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Implement-ECMP-Load-Balancing-on-... The ECMP allows you to specify up to 4 route paths with the same cost (metric) while applying Load Balance algorithms such as Round Robin for load distribution.

@acc6d0b3610eec313831f7900fdbd235 I notice that although I set the Passive link state on the Active FW to Auto, the Passive has not sync'd this change.

 

Is this expected behavior or does the passive device also need this setting?  I read the Doc you linked and it doesnt mention anything about the passive device.

  • 6090 Views
  • 15 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!