Hi, I've been looking after some Palo Alto Firewalls for about a year and a half now, and I'm still not sure quite how to add an IP address correctly! Something is definitely wrong here! 😉

The setup in question consists of a pair of PA5020 firewalls configured in Active/Active HA. The firewall pair is managed by a Panorama system. There is both a Template and a Device Group defined within Panorama for this pair of firewalls.

For the moment, I’m mainly looking at our Internet facing interface that terminates Global Protect sessions. There are a pair of HA virtual addresses defined within Panorama - with one address preferred by the Primary and one address preferred by the Secondary - to which a pair of Global Protect Gateways are assigned. (We did originally have the GP Gateways assigned to the physical addresses, but we’re changing this to the HA addresses now due to the lack of failover support if we’re using the physical interface addresses.)

The HA virtual addresses are fine; my issue is with the IPv4 addresses that need to go on the physical interface. I can’t leave the physical interface without an IP address, as if I do that no connected route is inserted into the routing table of the firewall for the local subnet and therefore there is no communication.

I can’t place the IP addresses within the Panorama template, as the same IP address(es) is(are) pushed to the physical interfaces of each of the two firewalls. They don’t seem to like that. For example, you can’t ping between the firewalls when they’re configured like this, and I’ve seen strange issues when the same IP on the two firewalls has occurred accidentally (e.g. the “bind: Cannot assign requested address” error when trying to ping from one of these duplicate addresses).

I was (stupidly) hoping that with PANOS6 the new “assign interface IP addresses with an Address object” feature would help. It did for a short while, as I used the address object name in Panorama and created an address object with the same name - but with a different IP - locally on each of the firewalls. Voila. Until I turned on config synchronisation between the two systems - which unsurprisingly set both local address objects to the same IP address and reflected this update to the interface configuration - and then I’m back to an IP address collision between the two HA units. Having the config synchronisation disabled is dangerous, with the big red warning icon on the Dashboard and the “sync to peer” link next to it, which if clicked destroys the services the firewall provides as all the interfaces start to share physical IPs between the two HA units.

Lastly, there is the way I’ve been doing it for a while: you override the interface within the local firewall and place the local IP address on there. However, now any update within Panorama for the physical unit (for example adding a new sub-interface) is ignored by the firewall. Perhaps using the "Force Template Values" option solves this to a degree, but it feels like that will bite me one day. (Also, just trying that now on PANOS 6.0.4 boxes, I’m finding that (with config sync enabled) the IP addresses are being synced between the two devices, which wasn’t the case with PANOS5.)

Perhaps I’m missing something, but there doesn’t seem to be an optimal way to do something as basic as assigning an IP address when using Panorama to manage Active/Active firewall pairs. If only Panorama - within templates that have A/A HA enabled - showed within the interface IPv4 configuration tab two IP address boxes - one for Primary and one for Secondary - allowing one to centrally place the desired IP addresses in a straightforward manner, all these strange side effects would go away….

What are others - using Panorama and A/A HA - doing to configure your interfaces’ IP addresses? Are you happy with your setup? Any experiences or guidance welcome!

Cheers, aid
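A small check for the collision described in the post above, added here as an example and not part of the original post: it compares two exported HA-peer configurations and flags any physical-interface IPv4 address that both peers carry. The XML layout (network/interface/ethernet/entry/layer3/ip/entry) is my assumption of the PAN-OS config export structure, and both configs are constructed sample data.

```python
"""Flag physical-interface IPv4 addresses present on both HA peers.

Added example, not from the original post. The element paths below follow
the PAN-OS running-config export as I understand it (treat them as an
assumption and adjust to your own export); the two configs are constructed.
"""
import xml.etree.ElementTree as ET

# Constructed sample: a template pushed the same IP to ethernet1/1 on both
# peers, while ethernet1/2 was overridden locally with distinct addresses.
PEER_A = """<config><devices><entry name="localhost.localdomain"><network>
<interface><ethernet>
 <entry name="ethernet1/1"><layer3><ip><entry name="198.51.100.10/24"/></ip></layer3></entry>
 <entry name="ethernet1/2"><layer3><ip><entry name="10.0.0.2/24"/></ip></layer3></entry>
</ethernet></interface></network></entry></devices></config>"""

PEER_B = """<config><devices><entry name="localhost.localdomain"><network>
<interface><ethernet>
 <entry name="ethernet1/1"><layer3><ip><entry name="198.51.100.10/24"/></ip></layer3></entry>
 <entry name="ethernet1/2"><layer3><ip><entry name="10.0.0.3/24"/></ip></layer3></entry>
</ethernet></interface></network></entry></devices></config>"""


def interface_ips(config_xml):
    """Return {interface name: set of IPv4 addresses} for every ethernet entry."""
    root = ET.fromstring(config_xml)
    result = {}
    for eth in root.iterfind(".//network/interface/ethernet/entry"):
        ips = {ip.get("name") for ip in eth.iterfind("layer3/ip/entry")}
        result[eth.get("name")] = ips
    return result


def duplicate_interface_ips(config_a, config_b):
    """Return {interface: [addresses]} where both peers hold the same IP.

    Only interfaces that exist on both peers are compared; an address that
    appears on both is exactly the collision that breaks peer-to-peer ping.
    """
    ips_a, ips_b = interface_ips(config_a), interface_ips(config_b)
    dupes = {}
    for name in ips_a.keys() & ips_b.keys():
        shared = ips_a[name] & ips_b[name]
        if shared:
            dupes[name] = sorted(shared)
    return dupes


if __name__ == "__main__":
    for iface, addrs in sorted(duplicate_interface_ips(PEER_A, PEER_B).items()):
        print(f"{iface}: shared on both peers -> {', '.join(addrs)}")
```

Run it against the two peers' exported configs after a Panorama push or a config sync to catch a shared physical address before it silently breaks traffic.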