Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

HA on a PA-450 using Strata Cloud Manager

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

HA on a PA-450 using Strata Cloud Manager

L1 Bithead

I’m attempting to configure active/passive HA on a PA-450 using Strata Cloud Manager as per this guide: https://docs.paloaltonetworks.com/ngfw/administration/high-availability/set-up-activepassive-ha/conf...

I’m aware a PA-450 doesn’t have dedicated HA ports, however when using Panorama I can set Eth1/7 & Eth1/8 to HA mode as shown in the image below and it works fine:

JamesWoodhouse1_0-1724423694145.png

 

When using Strata Cloud Manager, HA mode is not an option on interface configuration.

JamesWoodhouse1_1-1724423694146.png

 

Using the Strata HA workflow, I’m able to set HA-1 to use the management interface, but then unable to list data interfaces as candidate for HA-2,

JamesWoodhouse1_2-1724423694148.png

 

I’ve ensured that data interfaces are configured and set to L3 mode on each firewall in the pair.

Does anyone have any experience with this please?

 

1 accepted solution

Accepted Solutions

L0 Member

The 'Interface Type' needs to be Default to be used for HA configuration in SCM. This needs to be configured in SCM at the Configuration Scope of each HA firewall.

That is what worked for me.

View solution in original post

4 REPLIES 4

L0 Member

The 'Interface Type' needs to be Default to be used for HA configuration in SCM. This needs to be configured in SCM at the Configuration Scope of each HA firewall.

That is what worked for me.

L1 Bithead

Thanks Mike, I'll try that next week.
Just to confirm is the Interface type 'default' only for the interfaces intended for HA-1 & HA-2, or ALL other data interfaces as well?

 

Just the interfaces you want to use for HA.

L1 Bithead

Hi @MikeFreyman-WWT 
Thanks for the help, I finally got this working today after a bit of a journey!
(I'm attempting to use folders/snippets and variables from Day1)

 

Journey:

  • Create 'base' snippet (interfaces, zones, router, but excluding HA) and apply to top level 'branch' configuration scope
    • Override variables on the firewall configuration scope

 

  • Create 'HA' snippet for HA interfaces with the aim of applying on the firewall configuration scope
    • unable to set interface type to 'default' in snippet
      • delete Snippet

 

  • Set interfaces to 'default' at the firewall configuration scope

 

  • Create variables in 'All firewalls' configuration scope (with the aim of using on the firewall configuration scope) for:
    • $eth1-7-ip-ha
    • $eth1-7-ip-subnet-mask-ha
    • $eth1-8-ip-ha
    • $eth1-8-ip-subnet-mask-ha

 

  • Override variable values at the firewall configuration scope

 

  • Create HA Group, PUSH
    • Receive Error, assuming due using one variable value (IP address) and applying to both HA peers

 

  • Delete HA group

 

  • Verify:  'base' snippet (interfaces, zones, router) and apply to top level 'branch' configuration scope = yes )
  • Verify: variable values for data interfaces applied at 'site' configuration scope = yes )
  • Verify: HA interfaces [Eth1/7 & Eth1/8]  applied a 'firewall' configuration scope = yes)

 

  • Create variables in 'All firewalls' configuration scope
    • $eth1-7-ip-ha-branch1
    • $eth1-8-ip-ha-branch1
    • $eth1-7-ip-ha-branch2
    • $eth1-8-ip-ha-branch2
    • $eth1-7_8-ip-subnet-mask-ha-branch-all

 

  • Create HA, received error upon (again assuming) using one variable [$eth1-7_8-ip-subnet-mask-ha-branch-all] in multiple [x4] places [HA control & data interfaces]

    JamesWoodhouse1_0-1724770662336.png

     

 

  • Delete HA group

 

  • Delete variables in 'All firewalls' configuration scope
    • $eth1-7_8-ip-subnet-mask-ha-branch-all

 

  • Create variables in 'All firewalls' configuration scope
    • $eth1-7-ip-subnet-mask-ha-branch1
    • $eth1-8-ip-subnet-mask-ha-branch1
    • $eth1-7-ip-subnet-mask-ha-branch2
    • $eth1-8-ip-subnet-mask-ha-branch2

 

 

  • Create HA, error received again

 

  • Convert Subnet masks to manual [255.255.255.252] e.g. not using variable), but retain variable for IPv4 address [ e.g. $eth1-7-ip-ha-branch1]

 

  • Push, Success !

 

  • 1 accepted solution
  • 579 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!