Skip to main content

High Availability Palo Alto (Active/Standby)

 High Availability is usually performed in most of the data centers networks today which ensures application availability . High Availability is usually achieved in case one of the appliance goes down or have some physical or logical connectivity issues. 

Achieving high availability in Palo Alto firewall is relatively very easy. Palo Alto firewall can work in both Active/Standby mode or in Active/Active. We will basically be talking about Active/Standby mode in this article. There are basically two links that needs to be configure in Palo Alto for HA.

1. Control Links

Control Links are associated with control plane traffic which is mainly used for heartbeat exchanged, configuration synchronization. Dedicate HA ports are available in higher series of Palo Alto or even a HA interface can be created for some inband ports.  

2. Data Links

Data Links are mainly used for session synchronization, forwarding table synchronization. Dedicated HSCI Ports are available for higher end Palo Alto  whereas as mentioned earlier inband ports can also be used. 


3. Backup Link

Backup Link can be configured for both Control Link (HA1) and Data Link (HA2). Backup Links is also important incase of primary link going down.

1. Configuration
  • Control Link  needs to be configured with a point to point IP and Data Link can be configured with IP, ethernet or UDP as a transport connection.
  • Group ID also needs to be mentioned with group id being same on both the boxes.
  • Mode will be Active/Passive.
  • Device Priority with lesser number will be in active state.
  • Preemption must be enabled only on the primary device.
  • Inband data ports can also be as High Availability ports for control link , data link as well as for backup links
1.1 SETUP 
1.1.1 PA- PRIMARY 


1.1.2 PA-SECONDARY



1.1.3Control Links - PA Primary

1.1.4 Control Links - PA Secondary

1.1.5 Data Links - PA Primary

1.1.6 Data Links - PA Secondary


Configuring High Availability in Palo Alto  is relatively very easy. Main thing is grabbing the basic theoretical concept of how HA works. There are also things like Link and Path Monitoring in High Availability which is quite awesome and will talk about it in some other blog. Let me conclude my blog here as it is getting quite lengthy.



Comments

Post a Comment

Popular posts from this blog

SAN Switch Zoning with Brocade

Zoning in Brocade SAN Switch Let's begin with resetting the switch completely. In my environment I have two brocade SAN Switch connecting to 2 Dell R940 server configured with VMware. The SAN switch will be having connectivity between Dell Unity 500 storage and Dell R940 servers. Multipathing will be done between the server and storage with the help of SAN Switch. Multipathing, also called SAN multipathing or I/O multipathing, is the establishment of multiple physical routes between a server and the storage device that supports. It results in better fault tolerance and performance enhancement. DESIGN The idea behind zoning is that intended WWPN talk with each other . This is more like ACL in the world of Ethernet. To see the devices which are logged into the switch the following commands can be executed. SAN-A:admin> switchshow switchName: SAN-A switchType: 118.1 switchState: Online switchMode: Native switchRole: Principal switchDomain: 1 switchId: ...
Post a Comment
Read more

Device Mapper Multipath with LVM in Oracle Linux

This blog describes you the step by step procedure for configuring multipath in liunx using Device Mapper and will also help you understanding what Device Mapper is. Simply stating Device Mapper is an interface to Linux Kernel which helps us to configure multiple I/O path between the server and the storage arrays.  Device Mapper interface allows the linux kernel to communicate with LVM Logical Volumes, EVMS Volumes , Software RAID, multipath and many other solutions. Multipathing is a must for all those mission critical applications as we all know that data is the most important thing in an enterprise network . Let me now share the installation process for multipathing. Installing Device Mapper #yum install device-mapper-multipath -y #rpm -qa | grep device-mapper Enabling Multipath #cp /usr/sare/doc/device-mapper-multipath - */multipath.conf   /etc/multipath.conf #mpathconf -enable -user_firendly_names n #modprobe dm_multipath #lsmod | grep dm_multip...
Post a Comment
Read more

Upgrade Catalyst C9500

Upgrading Catalyst 9500 series switch is relatively easy. The one that I'm going to upgrade today is on Install mode containing packages.conf file. Install mode consumes far less resources in compared to the traditional bundle mode and has some advantage like auto upgrade when configured in stacked mode. We can talk about the difference between bundle and install mode later on. Let's focus on upgrading the Catalyst 9500 switch. Switch I am trying to upgrade is in 17.03.03 which has some bugs and security vulnerabilities. I am upgrading it from 17.03.03 to 17.6.5(MD) golden image present in the cisco download site for C9500 series switch and also reading down the linked document from cisco that is what they recommend. You can have a look at it . https://www.cisco.com/c/en/us/support/docs/switches/catalyst-9300-series-switches/221498-recommended-releases-for-catalyst-9200-9.html We will first need to create FTP username and password in the switch. The username and password must b...
1 comment
Read more