pa200 ha

L1 Bithead


I'm in the process of setting up a pair of PA-200s for HA. I've read through the documentation but I'm not clear on a few things.

On the PA-200, if I do an update on the FW for either software or dynamic updates, it uses the management port to do the work.

If I configure HA, I will need to use the management port and one of the Ethernet ports; the other three are allocated, with eth1 being used for the WAN link.

If I do a software update, do I need to make a configuration change to get the FW to initiate the update from eth1 rather than the in-use management port?


Accepted Solutions
L6 Presenter

No, you can still use the mgmt port for software upgrades while using it as a part of HA!



All Replies
L3 Networker

Hi guys, it's possible to do HA with the PA-200, right?

Is this HA just for synchronization of configuration, policies and networks?


Best regards.

L4 Transporter

Yes, I believe it is called "HA Lite":

HA Lite offers the following capabilities:

  • Fail-over of IPSec Tunnels
  • DHCP Lease information
  • PPPoE lease information
  • Configuration sync
  • Layer 3 forwarding tables

The big difference is that HA Lite doesn't provide session synchronization.

L3 Networker

I configured HA Lite on two PA-200s, but when doing so I lost functioning of my eth4 interface, which is connected to the internet. All other interfaces worked normally; even a subinterface on eth4 worked.

Is this because I have the GlobalProtect Gateway feature enabled on this interface?

L5 Sessionator

If by losing the interface you mean accessing the HTTPS service on eth1/4, you need to access this interface on port 4443.

How to Access the WebUI when GlobalProtect Is Enabled

L6 Presenter

When HA is enabled for the first time, the MAC address on the Eth interface changes to a virtual MAC that can be used by both PAs. Maybe this happened and your ISP router needs to refresh its ARP table?

L4 Transporter

rmonvon: I thought the PA will send out a gratuitous ARP when any HA events take place, in order to "push" the change to any devices that might have an old MAC address cached in their ARP tables.

L3 Networker

Well, then I would lose the DHCP information, or would it stay? I can do a DHCP renew and get the IP.

It's really strange, everything looks normal... routing, everything... but ping 8.8.8.8 now goes to nirvana... maybe it's really the ISP router... problem is that I can't reboot that from remote.

L3 Networker

Correct!

sh mac address-table inter gi1/0/4

It lists a new MAC address.....shit....Thanks for the help
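
The stale-ARP failure mode discussed in the replies above, as an added example that is not part of the original thread: it builds and parses a gratuitous ARP frame and models an upstream neighbor cache that either accepts or ignores it. The IP and MAC values are constructed, and `NeighborCache` with its `accept_gratuitous` switch is a hypothetical model, not documented Palo Alto or ISP router behaviour.

```python
import struct

def _mac(b): return ":".join(f"{x:02x}" for x in b)
def _ip(b): return ".".join(map(str, b))

def build_garp(mac, ip):
    """Gratuitous ARP request: Ethernet broadcast, sender IP == target IP."""
    m = bytes.fromhex(mac.replace(":", ""))
    a = bytes(int(o) for o in ip.split("."))
    eth = b"\xff" * 6 + m + struct.pack("!H", 0x0806)
    return eth + struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + m + a + bytes(6) + a

def parse_arp(frame):
    """Parse an Ethernet/IPv4 ARP frame; return None for anything else."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    if struct.unpack("!HHBB", frame[14:20]) != (1, 0x0800, 6, 4):
        return None
    return {"sha": _mac(frame[22:28]), "spa": _ip(frame[28:32]),
            "gratuitous": frame[28:32] == frame[38:42]}

class NeighborCache:
    """Hypothetical model of the upstream router's ARP cache."""
    def __init__(self, accept_gratuitous=True):
        self.accept_gratuitous = accept_gratuitous
        self.table = {}      # IP -> MAC
        self.changes = []    # (ip, old_mac, new_mac): what ARP monitoring would log

    def receive(self, frame):
        arp = parse_arp(frame)
        if arp is None or (arp["gratuitous"] and not self.accept_gratuitous):
            return False     # frame ignored, cache untouched
        old = self.table.get(arp["spa"])
        if old is not None and old != arp["sha"]:
            self.changes.append((arp["spa"], old, arp["sha"]))
        self.table[arp["spa"]] = arp["sha"]
        return True

# Constructed sample values (documentation IP range, locally administered MACs)
WAN_IP, PHYSICAL_MAC, VIRTUAL_MAC = "203.0.113.10", "02:00:00:aa:bb:01", "02:00:00:00:01:04"

def simulate(accept_gratuitous):
    cache = NeighborCache(accept_gratuitous)
    cache.table[WAN_IP] = PHYSICAL_MAC          # learned before HA was enabled
    cache.receive(build_garp(VIRTUAL_MAC, WAN_IP))
    return cache.table[WAN_IP], cache.changes   # MAC the router now sends to

if __name__ == "__main__":
    for accept in (True, False):
        print("accepts GARP:", accept, "->", simulate(accept))
```

With `accept_gratuitous=False` the cache keeps the pre-HA MAC, so return traffic is addressed to a MAC the firewall no longer answers on until the entry ages out or is cleared.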
