05-19-2022 04:10 AM
We are currently deploying two Panorama M-series appliances with active/passive configuration. The expected interface configuration will be like this:
Active/Primary Panorama:
Management: 172.20.1.11 (only for Panorama management access)
ethernet1/1: 10.20.5.100 (for device management, log collection, etc.) > devices will be connected to this interface
Passive/Secondary Panorama:
Management: 172.20.1.12
ethernet1/1: 10.20.5.100 (if possible to use same IP as primary) OR 10.20.5.101 (if different IP is required)
The issue is the ethernet1/1 options on the passive Panorama are greyed out and we cannot configure anything on it.
My question is: is it possible to configure an ethernet interface on an M-series Panorama in passive HA configuration? If so, what is the behavior of the ethernet interface:
1. The secondary Panorama ethernet1/1 interface will be disabled due to passive mode, and automatically enabled when the appliance becomes active mode (just like HA on firewalls)
2. The secondary Panorama ethernet1/1 interface is enabled all the time regardless of active/passive mode (in this case we will use different eth1/1 IP on primary and secondary to prevent IP conflict)
3. Primary and secondary Panorama ethernet interfaces configuration are synced between each other.
Thank you.
Model: Panorama M-600 (x2)
SW version: 10.1.4-h4
05-24-2022 02:44 PM
Thank you for the post @KNau
I do not have this exact same setup in my environment; however, from looking into the documentation, you should make these changes from the active Panorama. Please refer to this document, STEP 3 >> (HA only) Configure the interfaces on the passive Panorama management server.:
I think selecting the checkbox: Device Management and Device Log Collection is what you need to meet your requirement.
The reason why you can't make this change on the passive Panorama node is a feature limitation. Only Device Deployment is supported. The options to enable Device Management and Device Log Collection and Collector Group Communication are therefore grayed out.
Regarding the IP address you configure on interface 1/1, you should use a different IP address than the one you configured for interface 1/1 on the active Panorama node. Of the 3 options you mentioned, option 2 is, from my point of view, the correct answer.
After you make these changes, do not forget to commit them to Panorama and push the changes to the log collector group.
Kind Regards
Pavel
06-23-2022 07:08 PM
Thank you for answering and sorry for the late response @PavelK
I have tried the second method on the production Panorama (by applying a different IP on the secondary Panorama) and it worked successfully, and now I can deploy firewalls that connect to both the active and passive Panorama.
Thank you!