Palo Alto 10.0 firewall in HA in Azure

cancel
Showing results for 
Search instead for 
Did you mean: 

Palo Alto 10.0 firewall in HA in Azure

L1 Bithead

Hi, 

 

We are trying to test VM series firewall in HA without load-balancer and following the documentation listed on PA website, can someone confirm if the document is well tested and we are seeing issues in connectivity and Template for secondary firewall is not clearly identified. Please let me know if there is any working template for HA.

 

Also I want to use my own public IP from my own organization so is it possible use it or not, please point to any relevant documentation if it supported or not, I heard people advise to use Loadbalancer solution instead standard HA ?Please advise as we would prefer standard HA .

 

 

Regards,

Sam

4 REPLIES 4

L3 Networker

Hi @sameer.ahmad 

 

here are the official document from Palo Alto about the configuration of native HA https://docs.paloaltonetworks.com/vm-series/10-1/vm-series-deployment/set-up-the-vm-series-firewall-...

 

We tested it already several times and it is working but you have to know that failover time is around 3 - 10 minutes because of the API calls on the Azure side. We can't speed up that process.

 

Our recommendation is always to use Azure Load Balancers, then you get better SLA's and higher resilience.

 

Regards,

Torsten 

"With unity we can do great things"

Thanks Tostern, is there a working template for Secondary firewall. Also I see in some documents we need to add route tables in Azure , can you clarify on it ?

 

Also which permissions we need to add like Secondary HA , UDR or all. If we just add permission using Secondary HA is it sufficient.

@tostern : Also is there a specific guidelines if we can assign our own public IP instead of Azure IPs to Palo Alto firewall. If we cannot assign it where it is specified in the docs.

 

 

Thanks

L1 Bithead

Sameer:  

 

Here is a community supported template that does HA faster than the normal API method Torsten described.  Some customers have tested this and liked it.  The design still uses load balancers though so this would only be used in the event that you had a driving reason to run active/passive.

 

https://github.com/PaloAltoNetworks/azure-terraform-vmseries-fast-ha-failover

Scott Thornton
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!