High Availability configuration on Palo Alto firewalls

In this post, I will be walking through configuring Palo Alto High Availability. I will cover setting up failure conditions in a separate post.

We have a pair of Palo Alto VM-100 devices running in EVE-NG. Check out this post on how to get the images running. These are connected to each other using ethernet 1/3 (HA1) and ethernet1/5 (HA2). 

Firewall 1 High Availability settings

The first step is to set the interface type on the two interfaces (Network > Interfaces > Ethernet) to a type “HA”:

Palo Alto High Availability interface settings

The next step is to go to Device > High Availability > General and click on Setup.

Palo Alto High Availability set up

Here we are enabling HA and setting a group ID. This needs to match the other firewall in the pair. The mode I am using is Active Passive, and we enter the Peer HA 1 IP address.

Next, we set the Control Link (Device > High Availability > General > Control Link (HA1)). The control link is where we exchange hellos, heartbeats and High Availability state information. It also does management plan sync for routing and User-ID information, and it also over this link that we synchronize our settings with the peer firewall.

I am using 10.104.140.1/24 for firewall 1, firewall 2 will be using 10.104.140.2/24. We don’t need a gateway as they are in the same subnet – but you can, if required, cross subnets. To keep things simple, I am not enabling encryption.

Palo Alto High Availability control link settings

After this, we configure the Data link (HA2) settings (Device > High Availability > General > Data Link (HA2)). I am using eth1/5 and the IP address 10.104.141.1. Again it’s a /24 and we are not crossing subnets, so don’t need a gateway. We are also enabling session synchronization, and the HA2 keep-alive. The HA2 data link is for session synchronization (as you might have guessed by the tickbox), forwarding tables, and IPSec security associations.

Palo Alto High Availability data link settings

One of the firewalls should be the preferred one, the one that will be most active. We do this by setting the priority under Device > High Availability > General > Election Settings. A lower priority is more preferred than a high one.

Palo Alto High Availability election settings

We are also ticking “preemptive” so that firewall 1 will regain its active state, and “Heartbeat Backup”. The heartbeat is pretty important, so I will quote directly from Palo Alto:

Enabling heartbeat backup also allows you to prevent a split-brain situation. Split brain occurs when the HA1 link goes down causing the firewall to miss heartbeats, although the firewall is still functioning. In such a situation, each peer believes that the other is down and attempts to start services that are running, thereby causing a split brain. When the heartbeat backup link is enabled, split brain is prevented because redundant heartbeats and hello messages are transmitted over the management port.

Lastly, we set the Passive Link State to auto. This reduces the amount of time it takes for the passive firewall to take over when a failover occurs and it allows you to monitor the link state.

Palo Alto High Availability passive link state settings

 

Firewall 2 High Availability settings

I am just going to post the pictures here.

Setup:

Palo Alto High Availability firewall 2 setup

Control Link:

Palo Alto High Availability firewall 2 control link

Active/Passive settings:

Palo Alto High Availability firewall 2 active passive settings

Data Link HA2:

Palo Alto High Availability firewall 2 data link settings

Election:

Palo Alto High Availability firewall 2 election settings

Once both firewalls have had their changes committed, we should be good to go and do some testing.

Testing High Availability

There’s a cool little widget for your dashboards available!

Here is the active node (10.104.140.1):

Palo Alto High Availability widget

Here is the passive (10.104.140.2):

Palo Alto High Availability widget 2

All is nice and healthy! So, let’s test.

If we go back to Device > High Availability, we now have a new tab. from here we can suspend the local device:

Palo Alto High Availability suspend local device

Once we click on this, we get a warning:

Palo Alto High Availability confirmation

If we click on OK, then the other peer (10.104.140.2) becomes the active member of the high availability group:

Palo Alto High Availability suspension

 

You can then unsuspend the first device  (from the Operational commands window) and normal activity will resume.

In the next post, I’ll be setting up some failure conditions and testing them.

2 Comments

  1. tony December 12, 2019