04-10-2021 01:14 AM
Hi all
I understand PA HA deployment has been supported since PAN-OS 9.0, so a firewall pair can be deployed in an availability set so that they are in different hardware clusters in Azure. But may I know whether anyone has tried to form HA across different availability zones in the same Azure region? Is it supported or not?
Best regards
Alex Tsang
04-12-2021 12:22 PM
We recommend deploying firewalls in separate AZs or at least put them into an Availability Set in Azure. HA mode is supported as well but not typically recommended. The load balancer method is recommended. You can see both setups in our reference architecture guide. https://www.paloaltonetworks.com/resources/guides/azure-architecture-guide
06-21-2021 09:31 PM
From what I can see, the issue is that the VM-Series firewall available from the Azure Marketplace does not facilitate choosing an Availability Zone. And once the firewall is created, there is no reasonable way to move it into an AZ.
06-21-2021 10:47 PM
I would also like to know how to install it, as the only method of deployment in Azure I know of is through the Marketplace.
Or is there some kind of OVF file provided which we can use for installation?
06-21-2021 11:13 PM
Good morning @raji_toor and @JimMcGrady
The Azure Marketplace offering has limited features and you can't deploy two firewalls via the Marketplace in a single Resource Group.
That is why we are using Terraform templates or ARM templates. Below are the links to the ARM templates with examples of how to use them.
ARM Templates: https://github.com/wwce/azure-arm
Terraform provider: https://registry.terraform.io/modules/PaloAltoNetworks/vmseries-modules/azurerm/latest
How to setup HA in Azure: https://docs.paloaltonetworks.com/vm-series/10-0/vm-series-deployment/set-up-the-vm-series-firewall-...
I hope I could help you.
Regards,
Torsten
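As an added illustration of the template route described above (this is not code from the thread or from the PaloAltoNetworks templates linked there), a minimal Terraform fragment that places two VM-Series firewalls in the same resource group but in different availability zones of one region. Region, resource group name, subnet and credentials are assumed values, only the management NIC is shown, and the Marketplace offer/SKU should be checked against the current listing for your PAN-OS version.

```hcl
variable "mgmt_subnet_id" { type = string }   # assumed: existing management subnet
variable "admin_password" { type = string }   # assumed: supplied at apply time

resource "azurerm_network_interface" "mgmt" {
  count               = 2
  name                = "fw${count.index}-mgmt"
  location            = "westeurope"   # assumed region
  resource_group_name = "rg-fw"        # assumed; both firewalls share it

  ip_configuration {
    name                          = "ipconfig1"
    subnet_id                     = var.mgmt_subnet_id
    private_ip_address_allocation = "Dynamic"
  }
}

resource "azurerm_linux_virtual_machine" "fw" {
  count               = 2
  name                = "fw${count.index}"
  location            = "westeurope"
  resource_group_name = "rg-fw"
  # Size must allow enough NICs for mgmt/untrust/trust (2-vCPU sizes cap at 2 NICs per the thread).
  size                = "Standard_D3_v2"
  # Each firewall lands in a different zone: "1" for fw0, "2" for fw1.
  zone                = tostring(count.index + 1)
  admin_username      = "panadmin"
  admin_password      = var.admin_password
  disable_password_authentication = false
  network_interface_ids = [azurerm_network_interface.mgmt[count.index].id]

  # Marketplace image and plan; verify offer/sku against the listing for your PAN-OS version.
  source_image_reference {
    publisher = "paloaltonetworks"
    offer     = "vmseries-flex"
    sku       = "byol"
    version   = "latest"
  }
  plan {
    name      = "byol"
    product   = "vmseries-flex"
    publisher = "paloaltonetworks"
  }
  os_disk {
    caching              = "ReadWrite"
    storage_account_type = "Standard_LRS"
  }
}
```

The zone is fixed at creation time, which is the property the Marketplace wizard does not expose; the untrust and trust NICs and the load balancer in front of the pair would be added in the same way.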
06-22-2021 08:24 AM
@tostern Thanks. But PA needs to improve their documentation regarding Azure deployments. While the GitHub repo mentions 3 models (Shared, Scaled and Dedicated), there is little explanation for each of them and also no mention of them in the design guide. I understand and have tested implementation of both options, with HA and without HA (load balancer). From what I understand, the template I will use is the Shared model here and the Transit VNet model (Common Firewall Option).
And I got it working in HA without an ARM template, for those who are not comfortable using it: install in a dedicated resource group and then move the resources to another resource group where you want both firewalls to be.
06-22-2021 09:34 AM
And interestingly, we get the pricing for a 2 vCPU deployment, but the Azure VM does not support more than 2 NICs if I try to deploy a VM with 2 vCPUs via the ARM template.
06-22-2021 01:18 PM
Great to hear the recommended architecture.
What's the reason you say HA is not recommended?
And why do you recommend load balancer over floating IP?
06-22-2021 04:22 PM - edited 06-22-2021 04:28 PM
@US_SOC_Analyst because of 3-4 minutes of downtime when doing failover; with failover it's almost instant. No session persistence with either.
Also you have to maintain a service principal which has to be renewed every 2 years.
06-22-2021 04:29 PM
Thank you for your response.
>No session persistence with either.
Does this mean if we have HA configured firewall, the session is not shared between the HA pair?
That sounds pretty weird, then what's that HA configuration for?
06-22-2021 11:58 PM - edited 06-23-2021 12:02 AM
Sessions are synced, but if you fail over from active to passive it takes 3-4 minutes for the other firewall to become active, and the network remains down all this time. After this much time, session persistence is pointless. It's a limitation of Azure that HA can't work the way it would on a physical network.
06-23-2021 12:35 AM
Hi @US_SOC_Analyst,
You can find the reference architecture here.
PANW does not recommend native HA because of the long failover time, as @raji_toor already described. With the LB sandwich you have better resilience.
Regards,
Torsten
06-23-2021 08:31 AM - edited 06-23-2021 09:28 AM
Thank you for the clarification.
Then, is HA recommended when we use a load balancer for failover?
06-23-2021 10:08 AM
@US_SOC_Analyst no, you do not need to use HA for the LB option. The LB will itself divert all traffic to the other PA when one becomes unavailable.
06-23-2021 11:36 AM
@raji_toor Thank you. Sorry, I was mixed up. Yeah, the LB will divert the traffic, and a new session will be created anyway when the traffic is sent to a different firewall.