In this post, I will be walking through configuring Palo Alto High Availability. I will cover setting up failure conditions in a separate post.

We have a pair of Palo Alto VM-100 devices running in EVE-NG. Check out this post on how to get the images running. These are connected to each other using ethernet 1/3 (HA1) and ethernet1/5 (HA2). 

Firewall 1 High Availability settings

The first step is to set the interface type on the two interfaces (Network > Interfaces > Ethernet) to a type “HA”:

The next step is to go to Device > High Availability > General and click on Setup.

Here we are enabling HA and setting a group ID. This needs to match the other firewall in the pair. The mode I am using is Active Passive, and we enter the Peer HA 1 IP address.

Next, we set the Control Link (Device > High Availability > General > Control Link (HA1)). The control link is where we exchange hellos, heartbeats and High Availability state information. It also does management plan sync for routing and User-ID information, and it also over this link that we synchronize our settings with the peer firewall.

I am using 10.104.140.1/24 for firewall 1, firewall 2 will be using 10.104.140.2/24. We don’t need a gateway as they are in the same subnet – but you can, if required, cross subnets. To keep things simple, I am not enabling encryption.

After this, we configure the Data link (HA2) settings (Device > High Availability > General > Data Link (HA2)). I am using eth1/5 and the IP address 10.104.141.1. Again it’s a /24 and we are not crossing subnets, so don’t need a gateway. We are also enabling session synchronization, and the HA2 keep-alive. The HA2 data link is for session synchronization (as you might have guessed by the tickbox), forwarding tables, and IPSec security associations.

One of the firewalls should be the preferred one, the one that will be most active. We do this by setting the priority under Device > High Availability > General > Election Settings. A lower priority is more preferred than a high one.

We are also ticking “preemptive” so that firewall 1 will regain its active state, and “Heartbeat Backup”. The heartbeat is pretty important, so I will quote directly from Palo Alto:

Enabling heartbeat backup also allows you to prevent a split-brain situation. Split brain occurs when the HA1 link goes down causing the firewall to miss heartbeats, although the firewall is still functioning. In such a situation, each peer believes that the other is down and attempts to start services that are running, thereby causing a split brain. When the heartbeat backup link is enabled, split brain is prevented because redundant heartbeats and hello messages are transmitted over the management port.

Lastly, we set the Passive Link State to auto. This reduces the amount of time it takes for the passive firewall to take over when a failover occurs and it allows you to monitor the link state.

Firewall 2 High Availability settings

I am just going to post the pictures here.

Setup:

Control Link:

Active/Passive settings:

Data Link HA2:

Election:

Once both firewalls have had their changes committed, we should be good to go and do some testing.

Testing High Availability

There’s a cool little widget for your dashboards available!

Here is the active node (10.104.140.1):

Here is the passive (10.104.140.2):

All is nice and healthy! So, let’s test.

If we go back to Device > High Availability, we now have a new tab. from here we can suspend the local device:

Once we click on this, we get a warning:

If we click on OK, then the other peer (10.104.140.2) becomes the active member of the high availability group:

You can then unsuspend the first device  (from the Operational commands window) and normal activity will resume.

In the next post, I’ll be setting up some failure conditions and testing them.