Problems adding an IPv4 Address to a Firewall!

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Problems adding an IPv4 Address to a Firewall!

L3 Networker

Hi,

I've been looking after some Palo Alto Firewalls for about a year and half now; and I'm still not sure quite how to add an IP address correctly!  Something is definitely wrong here! 😉

The setup in question consists of a pair of PA5020 firewalls configured in Active/Active HA.

The firewall pair is managed by a Panorama system.

There is both a Template and a Device Group defined within Panorama for this pair of firewalls.

For the moment, I’m mainly looking at our Internet facing interface that terminates Global Protect sessions.  There are a pair of HA virtual addresses defined within Panorama - with one address preferred by the Primary and one address preferred by the Secondary - to which a pair of Global Protect Gateways are assigned.  (We did originally have the GP Gateways assigned to the physical addresses but we’re changing this to the HA addresses now due to the lack of failover support if we’re using the physical interface addresses.)

The HA virtual addresses are fine; my issue is with the IPv4 addresses that need to go on the physical interface.

I can’t leave the physical interface without an IP address; as if I do that no connected route is inserted into the routing table of the firewall for the local subnet and therefore there is no communication.

I can’t place the IP addresses within the Panorama template - as the same IP address(es) is(are) pushed to the physical interfaces of each of the two firewalls. They don’t seem to like that.  For example you can’t ping between the firewalls when they’re configured like this and I’ve seen strange issues when the same IP on the two firewalls has occurred accidentally. (e.g. the “bind: Cannot assign requested address” error when trying to ping from one of these duplicate addresses.)

I was (stupidly) hoping with PANOS6 and the the new “assign interface IP addresses with an Address object” would help.  It did for a short while as I used the address object name in Panorama and created an address object with the same name - but with a different IP - locally on each of the firewalls.  Voila.  Until I turned on config-synchronisation between the two systems - which unsurprisingly set both local address objects to the same IP address and reflected this update to the interface configuration - and then I’m back to an IP address collision between the two HA units.  Having the config synchronisation disabled is dangerous - with the big red warning icon on the Dashboard and the “sync to peer” link next to it - which if clicked destroys the services the firewall provides as all the interfaces start to share physical IPs between the two HA units.

Lastly, there is the way I’ve been doing it for a while; you override the interface within the local firewall and place the local IP address on there.  However now, any update within Panorama for the physical unit (for example adding new sub-interface) is ignored by the firewall.  Perhaps using the "Force Template Values" solves this to a degree - but feels like that will bite me one day.  (Also just trying that now on PANOS 6.0.4 boxes I’m finding that (with config sync enabled) the IP addresses are being synced between the two devices - which wasn’t the case with PANOS5.)

Perhaps I’m missing something; but there doesn’t seem to be an optimal way to do something as basic as assigning an IP address when using Panorama to manage Active/Active firewall pairs.

If only Panorama - within templates that have A/A HA enabled - showed within the interface IPv4 configuration tab two IP address boxes - one for Primary and one for Secondary - allowing one to centrally place the desired IP addresses in a straightforward manner all these strange side effects would go away….

What are others - using Panroama and A/A HA - doing to configure your interface’s IP addresses?  Are you happy with your setup?

Any experiences or guidance welcome!

Cheers,

aid

1 REPLY 1

L4 Transporter

Hello,

I absolutely understand the concerns you have put forth in this discussion. Managing a pair of firewalls in active/active configuration through a panorama is very tricky...:)

Coming back to the point you have made with assigning ip addresses to physical ports, there are couple of things to consider :

- If the interface ip addresses are pushed from the panorama using network templates, it is good to have two different templates. One for active-primary and another for active Secondary.

- Another way to implement it would be to configured the interfaces with ip-addresses locally on the firewall rather then pushing it from the panorama as a template.

Hope this helps

Thanks

  • 5312 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!