HA on a PA-450 using Strata Cloud Manager

L1 Bithead

I’m attempting to configure active/passive HA on a PA-450 using Strata Cloud Manager as per this guide: https://docs.paloaltonetworks.com/ngfw/administration/high-availability/set-up-activepassive-ha/conf...

I’m aware a PA-450 doesn’t have dedicated HA ports, however when using Panorama I can set Eth1/7 & Eth1/8 to HA mode as shown in the image below and it works fine:


When using Strata Cloud Manager, HA mode is not an option on interface configuration.


Using the Strata HA workflow, I’m able to set HA-1 to use the management interface, but I am then unable to list data interfaces as candidates for HA-2.


I’ve ensured that data interfaces are configured and set to L3 mode on each firewall in the pair.

Does anyone have any experience with this please?



L0 Member

The 'Interface Type' needs to be Default to be used for HA configuration in SCM. This needs to be configured in SCM at the Configuration Scope of each HA firewall.

That is what worked for me.

L1 Bithead

Thanks Mike, I'll try that next week.
Just to confirm is the Interface type 'default' only for the interfaces intended for HA-1 & HA-2, or ALL other data interfaces as well?


Just the interfaces you want to use for HA.

L1 Bithead

Hi @MikeFreyman-WWT 
Thanks for the help, I finally got this working today after a bit of a journey!
(I'm attempting to use folders/snippets and variables from Day1)


Journey:

  • Create 'base' snippet (interfaces, zones, router, but excluding HA) and apply to top level 'branch' configuration scope
    • Override variables on the firewall configuration scope
  • Create 'HA' snippet for HA interfaces with the aim of applying it on the firewall configuration scope
    • Unable to set interface type to 'default' in snippet
      • Delete snippet
  • Set interfaces to 'default' at the firewall configuration scope
  • Create variables in 'All firewalls' configuration scope (with the aim of using them on the firewall configuration scope) for:
    • $eth1-7-ip-ha
    • $eth1-7-ip-subnet-mask-ha
    • $eth1-8-ip-ha
    • $eth1-8-ip-subnet-mask-ha
  • Override variable values at the firewall configuration scope
  • Create HA Group, PUSH
    • Receive error, assuming due to using one variable value (IP address) and applying it to both HA peers
  • Delete HA group
  • Verify: 'base' snippet (interfaces, zones, router) applied to top level 'branch' configuration scope = yes
  • Verify: variable values for data interfaces applied at 'site' configuration scope = yes
  • Verify: HA interfaces [Eth1/7 & Eth1/8] applied at 'firewall' configuration scope = yes
  • Create variables in 'All firewalls' configuration scope
    • $eth1-7-ip-ha-branch1
    • $eth1-8-ip-ha-branch1
    • $eth1-7-ip-ha-branch2
    • $eth1-8-ip-ha-branch2
    • $eth1-7_8-ip-subnet-mask-ha-branch-all
  • Create HA, received error upon (again assuming) using one variable [$eth1-7_8-ip-subnet-mask-ha-branch-all] in multiple [x4] places [HA control & data interfaces]
  • Delete HA group
  • Delete variables in 'All firewalls' configuration scope
    • $eth1-7_8-ip-subnet-mask-ha-branch-all
  • Create variables in 'All firewalls' configuration scope
    • $eth1-7-ip-subnet-mask-ha-branch1
    • $eth1-8-ip-subnet-mask-ha-branch1
    • $eth1-7-ip-subnet-mask-ha-branch2
    • $eth1-8-ip-subnet-mask-ha-branch2
  • Create HA, error received again
  • Convert subnet masks to manual [255.255.255.252] (i.e. not using a variable), but retain the variable for the IPv4 address [e.g. $eth1-7-ip-ha-branch1]
  • Push, Success!


I am writing a reply to this, because I REALLY tried to follow along with the steps, but could not understand.

I needed to open a TAC case to get this simple configuration done. (Argh, if only tech documentation could be written much clearer. :P)

So, in basic terms, create your folder structure as you would for NGFW FWs.

For me, I ignore putting anything in the highest (parent) folder of All Firewalls.

I created a folder (LIB Firewalls) in SCM, and put 2 FWs in that folder (FW-A and FW-B).

I created my variable and interfaces in the parent LIB Firewalls folder (not shown here).

But the real clarification is to go to the actual FW-DEVICE (FW-A and FW-B).

This is my "before" picture (I want to have eth1/3 and eth1/4 used for HA).

Notice that eth 3 and eth 4 show as Not Configured.

I clicked on ethernet1/3.

When you add your interfaces (which will be only for HA in my example), you are presented with the ADD Ethernet window.

(Voila!) This is where you see the mysterious Interface Type with a radio button of Default.

You do not need to do anything, just hit OK, and the interface is now created (in the device folder itself).

Do this for your 2nd interface... and...

This is my "after". Notice that now eth 3 and eth 4 currently show Auto (for Link Status).

Now you can come back to Configuration Scope for the parent folder (LIB Firewalls) and finish your configuration for HA with variables or IPs or whatever you need.

Thanks to Rae A (at TAC), who was wonderful and helped me in about 3 minutes. 😛
