12-12-2019 09:58 AM - edited 12-12-2019 10:00 AM
Does anyone happen to know if it is possible to create a floating IP that will direct you to the active Panorama in an HA pair? So the floating IP would be 10.10.10.1 while the actual device IPs would be 10.10.10.2 and 10.10.10.3. This way the administrator will always go to 10.10.10.1, but they will always end up on the Active firewall in an Active/Passive HA pair.
Thanks.
12-12-2019 01:15 PM
@Gareth.Doyle as others have mentioned Panorama HA is different, it's really a "warm" standby with config sync in the background which is what most management systems support...
Almost all the customers we have worked with actually will deploy the redundant/secondary Panorama in a different datacenter/location, which will be on a different layer 2/3 network altogether, so a floating IP would not work in this case unless of course you want to go thru the pain of extending yer layer 2/3 network between datacenters/locations that is... 🙂
Absolutely appreciate the frustration due to the situation you are in and would suggest you work with your Account Team to add your name to the feature request (assuming one is already out there) for this as that is a key part of prioritization in product development/enhancement decisions.
12-12-2019 10:08 AM
@Gareth.Doyle You can't do it, but you don't really need to. This is why you have the option to configure 2 Panorama IPs in each firewall. Then in Panorama you specify which is your primary appliance. There is not really a need to have a floating IP.
12-12-2019 10:12 AM - edited 12-12-2019 10:14 AM
@BatD, I disagree actually and I will give you a working example.
We have two of our Panoramas in an active/passive HA pair. We are currently having issues with our primary Panorama which PA engineering is researching, but cannot pinpoint an issue. It has been several weeks worth of research at this point. Several of the administrators have links, and several help pages have links, pointing directly to the one IP address which is typically the Active appliance.
Yes, it is their fault and yes, it is their oversight, causing them to put firewall policies into the wrong Panorama device. However, this would not be an issue if a floating IP would direct them to the active unit.
12-12-2019 11:01 AM
@Gareth.Doyle Ok, there is no floating IP, so there is nothing you can do apart from asking the users to now configure the other IP. I guess one workaround would have been to use a DNS name and change the IP behind it, but too late for that now. Be aware that the Panorama HA is not like the firewalls and you can only make changes on the Active Panorama. So they could not have configured any policies on the wrong device. Also any changes made on the Active will be synced to the Passive.
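The DNS-name workaround mentioned above, as an added example that is not from this thread or from Palo Alto Networks: it reads the HA state each appliance reports (constructed sample responses modelled on the XML API's `show high-availability state` output; the exact element layout is an assumption), picks the single appliance claiming to be active, and emits the A record the shared name should point to. If zero or both appliances claim to be active (the broken-HA situation described in the thread), it refuses to change anything rather than point administrators at the wrong unit.

```python
import xml.etree.ElementTree as ET

# Constructed sample responses, one per Panorama appliance, shaped like the
# XML API reply to `show high-availability state` (assumed layout).
PANORAMA_RESPONSES = {
    "10.10.10.2": """<response status="success"><result><enabled>yes</enabled>
  <group><local-info><state>passive</state></local-info></group>
</result></response>""",
    "10.10.10.3": """<response status="success"><result><enabled>yes</enabled>
  <group><local-info><state>active</state></local-info></group>
</result></response>""",
}

# Hypothetical shared name that admins would bookmark instead of a device IP.
SHARED_NAME = "panorama.example.com."


def ha_state(xml_text):
    """Return the local HA state ('active'/'passive'/...) or None if unusable."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    if root.get("status") != "success":
        return None
    node = root.find("./result/group/local-info/state")
    return node.text.strip() if node is not None and node.text else None


def pick_active(responses):
    """Return the one IP whose appliance reports 'active'; raise otherwise."""
    active = [ip for ip, xml in responses.items() if ha_state(xml) == "active"]
    if len(active) != 1:
        # Zero means nothing answered sanely; two means split-brain. Either way,
        # leaving the record untouched is safer than guessing.
        raise RuntimeError(f"expected exactly one active Panorama, found {active}")
    return active[0]


def dns_record(responses, name=SHARED_NAME, ttl=60):
    """Zone-file style A record that should replace the current one."""
    return f"{name} {ttl} IN A {pick_active(responses)}"


if __name__ == "__main__":
    print(dns_record(PANORAMA_RESPONSES))
```

A short TTL matters here: a long-lived cached answer would keep sending administrators to the old unit after a failover.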
12-12-2019 11:07 AM
@BatD, I wish that was the case. Unfortunately the way PA had us configure them for their troubleshooting broke the HA completely and allowed users to add/edit/delete policies in the inactive device.
12-12-2019 11:13 AM
@Gareth.Doyle Ok, so if the issue is that the HA was broken, but people were making changes only on the unused device, then you should be able to just export configuration and import it to the secondary Panorama. The only difference between the two should be the management IP addresses and HA settings, which you can configure manually after the config import.
12-12-2019 11:19 AM
@BatD, yes, the fix is simple. I was just trying to avoid the situation completely in the future. 🙂
Several other technology platforms have introduced a feature like floating IPs for their management appliances in the past couple of years and was hoping PA was up to par with them.
12-13-2019 05:05 AM
Thanks, @ddelcourt. I'm fine with it not being a feature, I was just wondering if it currently was. I think it would be a nice addition for customers, especially those running multiple HA pairs, or for those extending their layer 2/3 networks using tools like VXLAN.
Thanks for all of the responses.