This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

HA on a PA-450 using Strata Cloud Manager

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

HA on a PA-450 using Strata Cloud Manager

Go to solution
James.Woodhouse1
L1 Bithead

‎08-23-2024 07:36 AM

I’m attempting to configure active/passive HA on a PA-450 using Strata Cloud Manager as per this guide: https://docs.paloaltonetworks.com/ngfw/administration/high-availability/set-up-activepassive-ha/conf...

I’m aware a PA-450 doesn’t have dedicated HA ports, however when using Panorama I can set Eth1/7 & Eth1/8 to HA mode as shown in the image below and it works fine:

JamesWoodhouse1_0-1724423694145.png

 

When using Strata Cloud Manager, HA mode is not an option on interface configuration.

JamesWoodhouse1_1-1724423694146.png

 

Using the Strata HA workflow, I’m able to set HA-1 to use the management interface, but then unable to list data interfaces as candidate for HA-2,

JamesWoodhouse1_2-1724423694148.png

 

I’ve ensured that data interfaces are configured and set to L3 mode on each firewall in the pair.

Does anyone have any experience with this please?

 

0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
MikeFreyman-WWT
L0 Member

‎08-23-2024 09:13 AM

The 'Interface Type' needs to be Default to be used for HA configuration in SCM. This needs to be configured in SCM at the Configuration Scope of each HA firewall.

That is what worked for me.

View solution in original post

0 Likes Likes
4 REPLIES 4

Go to solution
MikeFreyman-WWT
L0 Member

‎08-23-2024 09:13 AM

The 'Interface Type' needs to be Default to be used for HA configuration in SCM. This needs to be configured in SCM at the Configuration Scope of each HA firewall.

That is what worked for me.

0 Likes Likes

Go to solution
James.Woodhouse1
L1 Bithead

‎08-23-2024 10:22 AM

Thanks Mike, I'll try that next week.
Just to confirm is the Interface type 'default' only for the interfaces intended for HA-1 & HA-2, or ALL other data interfaces as well?

 

0 Likes Likes

Go to solution
MikeFreyman-WWT
L0 Member
In response to James.Woodhouse1

‎08-23-2024 10:46 AM

Just the interfaces you want to use for HA.

0 Likes Likes

Go to solution
James.Woodhouse1
L1 Bithead

‎08-27-2024 07:58 AM - edited ‎08-27-2024 08:00 AM

Hi @MikeFreyman-WWT 
Thanks for the help, I finally got this working today after a bit of a journey!
(I'm attempting to use folders/snippets and variables from Day1)

 

Journey:

  • Create 'base' snippet (interfaces, zones, router, but excluding HA) and apply to top level 'branch' configuration scope
    • Override variables on the firewall configuration scope

 

  • Create 'HA' snippet for HA interfaces with the aim of applying on the firewall configuration scope
    • unable to set interface type to 'default' in snippet
      • delete Snippet

 

  • Set interfaces to 'default' at the firewall configuration scope

 

  • Create variables in 'All firewalls' configuration scope (with the aim of using on the firewall configuration scope) for:
    • $eth1-7-ip-ha
    • $eth1-7-ip-subnet-mask-ha
    • $eth1-8-ip-ha
    • $eth1-8-ip-subnet-mask-ha

 

  • Override variable values at the firewall configuration scope

 

  • Create HA Group, PUSH
    • Receive Error, assuming due using one variable value (IP address) and applying to both HA peers

 

  • Delete HA group

 

  • Verify:  'base' snippet (interfaces, zones, router) and apply to top level 'branch' configuration scope = yes )
  • Verify: variable values for data interfaces applied at 'site' configuration scope = yes )
  • Verify: HA interfaces [Eth1/7 & Eth1/8]  applied a 'firewall' configuration scope = yes)

 

  • Create variables in 'All firewalls' configuration scope
    • $eth1-7-ip-ha-branch1
    • $eth1-8-ip-ha-branch1
    • $eth1-7-ip-ha-branch2
    • $eth1-8-ip-ha-branch2
    • $eth1-7_8-ip-subnet-mask-ha-branch-all

 

  • Create HA, received error upon (again assuming) using one variable [$eth1-7_8-ip-subnet-mask-ha-branch-all] in multiple [x4] places [HA control & data interfaces]

    JamesWoodhouse1_0-1724770662336.png

     

 

  • Delete HA group

 

  • Delete variables in 'All firewalls' configuration scope
    • $eth1-7_8-ip-subnet-mask-ha-branch-all

 

  • Create variables in 'All firewalls' configuration scope
    • $eth1-7-ip-subnet-mask-ha-branch1
    • $eth1-8-ip-subnet-mask-ha-branch1
    • $eth1-7-ip-subnet-mask-ha-branch2
    • $eth1-8-ip-subnet-mask-ha-branch2

 

 

  • Create HA, error received again

 

  • Convert Subnet masks to manual [255.255.255.252] e.g. not using variable), but retain variable for IPv4 address [ e.g. $eth1-7-ip-ha-branch1]

 

  • Push, Success !

 

0 Likes Likes
  • 1 accepted solution
  • 579 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks