Add to Panorama a new firewall to form an HA with a current standalone already managed by Panorama

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Add to Panorama a new firewall to form an HA with a current standalone already managed by Panorama

L1 Bithead

One of our customers has a standalone PA-820 that is currently managed by Panorama.


They now want to add another PA-820 and form an HA Active/Passive peer with the one mentioned above.

 

Checking PA documentation, I can only see references about how to integrate both HA peers or a standalone firewall but do not mention anything specific about how to add an HA peer to Panorama when the other peer is already managed by Panorama as a standalone.

 

In particular, I have been checking the documents below:

But no one of these documents mentions anything about what the customer wants. 

 

The existing firewall should keep its configuration in panorama, just adding the HA functionality and becoming the primary node in the cluster. The new firewall should just be added to the existing firewall as a secondary node in the cluster.

 

Thanks in advance to the community.

1 accepted solution

Accepted Solutions

Cyber Elite
Cyber Elite

Hello @Jorge_Lopez

 

thanks for posting.

 

I have not done this exact scenario before. All HA Firewalls I managed were right from the initial setup managed by Panorama. If I were about to do the same what your customer is planning to do, I would follow below steps.

 

1.)

Install additional PA-820 and perform initial configuration (management interface) and download/install the same PAN-OS + Application/Threat version what other PA-820 is using.

 

2.)

In Panorama, register additional PA-820 in the same Device Group / Template Stack as existing Firewall, then push the configuration to new PA-820. If there is no issue, then I would proceed with HA configuration. If HA function is going to be managed through Panorama, then follow this KB: How to use one Template stack for a high availability Firewall Pair on Panorama to set up Template for HA feature. Make sure that device priority is set correctly to make existing Firewall is primary active: Understanding Preemption with the Configured Device Priority in HA Active/Passive Mode. If there is no error with pushing HA related configuration, then I would proceed with next step.  

 

3.)

I would connect HA ports, then make sure that both Firewalls assume respective active role for existing Firewall and passive for new Firewall. If there is no issue with HA synchronization / incompatibility, then I would connect all data plane cables to new Firewall, then perform a failover to make sure there is no issue with traffic flow and interfaces, then fail back.

 

To avoid risk, I would perform steps No. 2 and 3 during the same maintenance window and tested it with failover before closing maintenance window.

 

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.

View solution in original post

4 REPLIES 4

Cyber Elite
Cyber Elite

Hello @Jorge_Lopez

 

thanks for posting.

 

I have not done this exact scenario before. All HA Firewalls I managed were right from the initial setup managed by Panorama. If I were about to do the same what your customer is planning to do, I would follow below steps.

 

1.)

Install additional PA-820 and perform initial configuration (management interface) and download/install the same PAN-OS + Application/Threat version what other PA-820 is using.

 

2.)

In Panorama, register additional PA-820 in the same Device Group / Template Stack as existing Firewall, then push the configuration to new PA-820. If there is no issue, then I would proceed with HA configuration. If HA function is going to be managed through Panorama, then follow this KB: How to use one Template stack for a high availability Firewall Pair on Panorama to set up Template for HA feature. Make sure that device priority is set correctly to make existing Firewall is primary active: Understanding Preemption with the Configured Device Priority in HA Active/Passive Mode. If there is no error with pushing HA related configuration, then I would proceed with next step.  

 

3.)

I would connect HA ports, then make sure that both Firewalls assume respective active role for existing Firewall and passive for new Firewall. If there is no issue with HA synchronization / incompatibility, then I would connect all data plane cables to new Firewall, then perform a failover to make sure there is no issue with traffic flow and interfaces, then fail back.

 

To avoid risk, I would perform steps No. 2 and 3 during the same maintenance window and tested it with failover before closing maintenance window.

 

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.

L1 Bithead

Hi @PavelK ,

 

Sorry for the late response.

 

Thank you so much for your reply, it was really useful and can be accepted as a solution.

 

With the help of your instructions, we were able to integrate the device into the HA and panorama.

 

Kind Regards,

Jorge Lopez

 

 

For the new firewall how would you configure the public IP?

The challenge I am running into is the current firewall is in production and I am remote.  Everything is cabled up but the new firewall is unconfigured.

 

The current firewalls configure from Panorama.

 

I want to keep HA local instead of panorama manged.

 

My thought is to configure HA local, commit it to the firewalls and then add the new firewall to the device group and template stack.  The issue I am running into as soon as I commit the config on the active firewall it becomes passive and the network goes down.  Fortunately I have the panorama setting comitt recovery enabled so it comes back up uncommited.

 

I cant figure out how to prevent it from failing over.

  • 1 accepted solution
  • 3426 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!