This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Palo Alto 10.0 firewall in HA in Azure

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Palo Alto 10.0 firewall in HA in Azure

sameer.ahmad
L1 Bithead

‎09-21-2021 11:13 PM

Hi, 

 

We are trying to test VM series firewall in HA without load-balancer and following the documentation listed on PA website, can someone confirm if the document is well tested and we are seeing issues in connectivity and Template for secondary firewall is not clearly identified. Please let me know if there is any working template for HA.

 

Also I want to use my own public IP from my own organization so is it possible use it or not, please point to any relevant documentation if it supported or not, I heard people advise to use Loadbalancer solution instead standard HA ?Please advise as we would prefer standard HA .

 

 

Regards,

Sam

0 Likes Likes
4 REPLIES 4

tostern
L3 Networker

‎09-21-2021 11:56 PM

Hi @sameer.ahmad 

 

here are the official document from Palo Alto about the configuration of native HA https://docs.paloaltonetworks.com/vm-series/10-1/vm-series-deployment/set-up-the-vm-series-firewall-...

 

We tested it already several times and it is working but you have to know that failover time is around 3 - 10 minutes because of the API calls on the Azure side. We can't speed up that process.

 

Our recommendation is always to use Azure Load Balancers, then you get better SLA's and higher resilience.

 

Regards,

Torsten 

"With unity we can do great things"
0 Likes Likes

sameer.ahmad
L1 Bithead
In response to tostern

‎09-22-2021 06:59 AM

Thanks Tostern, is there a working template for Secondary firewall. Also I see in some documents we need to add route tables in Azure , can you clarify on it ?

 

Also which permissions we need to add like Secondary HA , UDR or all. If we just add permission using Secondary HA is it sufficient.

0 Likes Likes

sameer.ahmad
L1 Bithead
In response to sameer.ahmad

‎09-22-2021 07:02 AM

@tostern : Also is there a specific guidelines if we can assign our own public IP instead of Azure IPs to Palo Alto firewall. If we cannot assign it where it is specified in the docs.

 

 

Thanks

0 Likes Likes

sthornton
L2 Linker

‎09-23-2021 03:08 PM

Sameer:  

 

Here is a community supported template that does HA faster than the normal API method Torsten described.  Some customers have tested this and liked it.  The design still uses load balancers though so this would only be used in the event that you had a driving reason to run active/passive.

 

https://github.com/PaloAltoNetworks/azure-terraform-vmseries-fast-ha-failover

Scott Thornton
0 Likes Likes
  • 3917 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks