08-28-2018 08:15 AM
Hello everybody,
is there any article or best practice document which describes the configuration of a Palo Alto 3020 Firewall HA-Cluster active/passive while there is already a working standalone PA 3020 Firewall?
Is it the same way I configure a HA-Cluster out of the box?
Which parts of the config get synced to the peer and which have to be preconfigured on the secondary node?
Is there something I should pay attention to?
Thanks for your support!
Kind regards
08-28-2018 09:40 AM
Hello,
The process is the same. The way I have done it in the past was to set up the 'active' one first; in your case it would be the one that is already deployed. I would then also set its 'priority' to something like 10 so it'll negotiate as the 'active'. Then I would set up the 'passive' device per the documentation.
Hope that helps!
08-29-2018 04:44 AM
Even though it is very easy to change your deployment from standalone to HA, there is one giant caveat: the firewall's MAC addresses will change into shared MACs, so you will need to flush your ARP/MAC tables on all connected devices.
Other than that, a walk in the park 😉
08-29-2018 06:39 AM
Thanks for your answer!
At which step do you flush the ARP tables? After setup of the HA-Cluster?
What does 'any connected device' mean? Any virtual machine, e.g.?
And which parameters have to be preconfigured on the secondary firewall (mgmt. IP, DNS, HA config, interfaces, virtual router, ...) and which parameters will be synced to the peer by setting up the active/passive HA-Cluster?
Is there any best practice paper or knowledge base article?
Thanks for your support!
08-29-2018 07:05 AM
When you commit the HA config the MAC addresses will change; your routers and switches will benefit most from clearing the cache/reviewing static entries.
Hosts will typically ask for MAC information and won't be impacted as much.
The secondary firewall needs to be configured with a management interface and matching HA config.
It will also need to be set to the identical software version and ideally (optional but strongly recommended) the same content/threat/AV/URL filtering versions.
After the HA is established, the primary member can copy over mostly all config (sync to peer).
Here you can find what is and isn't synced: https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/high-availability/reference-ha-synch...
(So in short, you will still need to configure 'system specific' settings like DNS, NTP, licensing, content update schedules, HA parameters.)
There is a best practices space that addresses all sorts of deployments: https://www.paloaltonetworks.com/documentation/best-practices
And there is a best practice on how to upgrade a firewall/cluster https://live.paloaltonetworks.com/t5/Featured-Articles/Best-Practices-for-PAN-OS-Upgrade/ta-p/111045
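The answer above boils down to a pre-flight checklist: both PA-3020s must run the identical PAN-OS version, and should carry the same content/threat/AV/URL versions, before the HA pair is formed. The script below is an added example (not from this thread or from Palo Alto Networks) that automates that check offline. It parses the XML that the PAN-OS XML API returns for the operational command `show system info` and reports which items differ between the two peers, separating hard blockers (platform and software version) from recommended-but-not-required mismatches (content versions). The two XML documents embedded in it are constructed samples with made-up hostnames and version strings, not captures from real firewalls; the element names (`sw-version`, `app-version`, `threat-version`, `av-version`, `url-filtering-version`) are the ones that command returns.

```python
"""Pre-flight comparison of two PAN-OS firewalls before forming an active/passive HA pair.

Added example, not part of the original thread. Feed it the XML API response to
`show system info` from each device (fetched out of band); the samples below are
constructed so the script runs offline.
"""
import xml.etree.ElementTree as ET

# Hard requirements for HA: same platform and identical PAN-OS release.
REQUIRED = {"model": "platform model", "sw-version": "PAN-OS software version"}
# Strongly recommended: matching dynamic content versions.
RECOMMENDED = {
    "app-version": "Applications content",
    "threat-version": "Threat content",
    "av-version": "Antivirus content",
    "url-filtering-version": "URL filtering database",
}

# Constructed sample responses (hostnames and version numbers are made up).
SAMPLE_ACTIVE = """<response status="success"><result><system>
  <hostname>fw-a</hostname><model>PA-3020</model>
  <sw-version>8.0.12</sw-version><app-version>8054-4956</app-version>
  <threat-version>8054-4956</threat-version><av-version>2699-3158</av-version>
  <url-filtering-version>20180828.20092</url-filtering-version>
</system></result></response>"""

SAMPLE_PASSIVE = """<response status="success"><result><system>
  <hostname>fw-b</hostname><model>PA-3020</model>
  <sw-version>8.0.12</sw-version><app-version>8054-4956</app-version>
  <threat-version>8054-4956</threat-version><av-version>2690-3140</av-version>
  <url-filtering-version>20180828.20092</url-filtering-version>
</system></result></response>"""


def parse_system_info(xml_text):
    """Extract hostname, platform and version fields from a `show system info` reply."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise ValueError("API response status is not 'success'")
    system = root.find("./result/system")
    if system is None:
        raise ValueError("no <system> element in response")
    fields = ["hostname", *REQUIRED, *RECOMMENDED]
    # Missing or empty elements become None so a mismatch is reported rather than hidden.
    return {tag: (system.findtext(tag) or "").strip() or None for tag in fields}


def compare_peers(a, b):
    """Return (blocking, warnings): lists of human-readable mismatches between two peers."""
    blocking, warnings = [], []
    for tag, label in REQUIRED.items():
        if a[tag] != b[tag]:
            blocking.append(f"{label}: {a['hostname']}={a[tag]} {b['hostname']}={b[tag]}")
    for tag, label in RECOMMENDED.items():
        if a[tag] != b[tag]:
            warnings.append(f"{label}: {a['hostname']}={a[tag]} {b['hostname']}={b[tag]}")
    return blocking, warnings


def ha_preflight(active_xml, passive_xml):
    """Parse both responses and summarise whether the pair can be formed."""
    active = parse_system_info(active_xml)
    passive = parse_system_info(passive_xml)
    blocking, warnings = compare_peers(active, passive)
    return {"ready": not blocking, "blocking": blocking, "warnings": warnings}


if __name__ == "__main__":
    result = ha_preflight(SAMPLE_ACTIVE, SAMPLE_PASSIVE)
    print("HA-ready:" if result["ready"] else "NOT HA-ready:")
    for line in result["blocking"]:
        print("  BLOCKING", line)
    for line in result["warnings"]:
        print("  WARNING ", line)
```

On the constructed samples the platform and PAN-OS version match, so the pair is reported as ready with a single warning about the Antivirus content being behind on the passive unit; changing the passive sample's `sw-version` turns that into a blocking mismatch. In practice you would run this before enabling HA and again after the passive peer has been upgraded and had its content updates installed, so that the only remaining differences are the 'system specific' settings the answer lists.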
08-29-2018 07:13 AM
Hi reaper,
thanks for your feedback, that helps me a lot.
Have a nice day!