How to configure passive HA Panorama ethernet interface


L1 Bithead

We are currently deploying two Panorama M-series appliances with active/passive configuration. The expected interface configuration will be like this:

Active/Primary Panorama:

Management: 172.20.1.11 (only for Panorama management access)

ethernet1/1: 10.20.5.100 (for device management, log collection, etc.) > devices will be connected to this interface

Passive/Secondary Panorama:

Management: 172.20.1.12

ethernet1/1: 10.20.5.100 (if possible to use same IP as primary) OR 10.20.5.101 (if different IP is required)

 

The issue is the ethernet1/1 options on the passive Panorama are greyed out and we cannot configure anything on it.

 

My question is: is it possible to configure an ethernet interface on an M-series Panorama in passive HA configuration? If possible, then what is the behavior of the ethernet interface:

1. The secondary Panorama ethernet1/1 interface will be disabled due to passive mode, and automatically enabled when the appliance becomes active mode (just like HA on firewalls)

2. The secondary Panorama ethernet1/1 interface is enabled all the time regardless of active/passive mode (in this case we will use different eth1/1 IP on primary and secondary to prevent IP conflict)

3. Primary and secondary Panorama ethernet interfaces configuration are synced between each other.

 

Thank you.

 

Model: Panorama M-600 (x2)

SW version: 10.1.4-h4

 


 

Accepted Solutions

Cyber Elite

Thank you for the post @KNau

 

I do not have this exact same setup in my environment; however, by looking into the documentation, you should make these changes from the active Panorama. Please refer to this document, STEP 3 >> (HA only) Configure the interfaces on the passive Panorama management server:

https://docs.paloaltonetworks.com/panorama/10-1/panorama-admin/set-up-panorama/set-up-the-m-series-a...

 

I think selecting the checkbox: Device Management and Device Log Collection is what you need to meet your requirement.

The reason why you can't make this change on the passive Panorama node is a feature limitation. Only Device Deployment is supported. The options to enable Device Management and Device Log Collection and Collector Group Communication are therefore grayed out.

 

Regarding the IP address you configure on interface 1/1, you should use a different IP address than the one you configured for interface 1/1 on the active Panorama node. Of the 3 options you mentioned, option 2 is, from my point of view, the correct answer.

 

After you make these changes, do not forget to commit them to Panorama and push the changes to the log collector group.

 

Kind Regards

Pavel


L1 Bithead

Thank you for answering and sorry for the late response @PavelK 

I have tried the second method on the production Panorama (by applying a different IP on the secondary Panorama) and it worked successfully, and now I could deploy the firewalls that connect to both the active and passive Panorama.

 

Thank you!
