Palo Alto PCNSA – Chapter 12 – HA (High Availability) part 1
- 12.1 HA overview
In this video we are covering PCNSA 210 and this is our chapter twelve, High Availability, or HA for short. This is the first video of chapter twelve, 12.1 HA overview. Firewall high availability is a deployment in which two firewalls are placed into one group. So for example, we place these two firewalls into group one, and their configuration will be synchronized so we can prevent a single point of failure. If one firewall fails, the traffic will go through the other firewall. They will use a heartbeat connection to make sure that the other firewall is functioning. So setting up two firewalls in an HA pair will provide you with redundancy and business continuity. There are actually two modes, or two deployments, that we can enable.
For firewall high availability we can have an active/passive deployment and we can have an active/active deployment. In an active/passive deployment one firewall will be active and the other one will stay passive. The passive firewall will make sure that the active is there; if the active fails, the passive will become the new active. So all the traffic will go through the active firewall by default, and if the active fails then the traffic will take the path through the passive. Active/active is where both firewalls are forwarding traffic; they still have the heartbeat and check on each other, but both of them are sending traffic. The firewalls synchronize the configuration: they will synchronize the networks, the objects, the policies, certificates and session tables.
Now, the PA-200 for example doesn't synchronize the session tables, but every other model does. They will not, however, synchronize the management interface configuration, the high availability settings, logs, or the Application Command Center (ACC) information. So in active/passive mode, which we can look at next, one firewall is actively managing traffic while the other one is synchronized and ready to transition to the active state if the active fails. In this mode both firewalls share the same configuration settings and one actively manages traffic until a failure occurs. Active/passive high availability does not increase the session capacity or the network throughput. Active/passive high availability is supported in virtual wire, layer 2 and layer 3 deployments.
The other deployment mode is active/active, in which both firewalls are active and processing traffic. Both firewalls individually maintain their session tables and routing tables and synchronize them to each other. The active/active configuration is primarily designed to support environments that require asymmetric routing. Asymmetric routing is where traffic takes one path on exit and may take another path on return. Again, active/active high availability does not increase the session capacity or network throughput, and it is supported on virtual wire and layer 3 deployments; we can't have it in layer 2. There are some prerequisites, and it's important that we have covered all of them.
We have to have the same model and the same PAN-OS version (only during an upgrade can we temporarily have different versions), up-to-date application, URL and threat databases, the same high availability interface type (layer 3, layer 2 or virtual wire, for example), the same licenses, and a matching slot configuration. For VM-Series firewalls, both firewalls must have the same hypervisor and number of CPU cores.
- 12.2 HA components and operation
In this video we are covering PCNSA 210 and this is our chapter twelve, High Availability, or HA for short. This is the second video of chapter twelve, 12.2 HA components and operation. In active/passive high availability we require a control link, which is a layer 3 link and requires an IP address, as you can see there. Control links are also known as HA1 links. The HA1 link is a layer 3 link, it requires an IP address, and it is located in the management plane. This control link will be used to synchronize the routing tables and User-ID information between the management planes. Once we elect the active and passive firewall, the active firewall will also use this link to synchronize configuration changes with its peer.
We also require another link, known as the data link or HA2 link. This can be a layer 2 or layer 3 link and it is located on the data plane. The data link will be used to synchronize sessions, forwarding tables, IPsec security associations and ARP tables between the firewalls in the HA pair. Remember that it is a unidirectional link: it goes from the active firewall towards the passive firewall. Some firewalls have dedicated HA links or HA ports. For example, as you can see here, the PA-800, 3000, 5000 and 7000 series have a dedicated HA1 port and HA2 port.
So HA1 is the control link in the management plane and HA2 is the data link. Some firewall series don't have a dedicated HA port, for example the PA-200, PA-500 and the VM-Series, but we can use the management port or a physical port as the control link and a physical port as the data link. Just remember that if the port, say the management port, is configured as a DHCP client, then HA1 and HA2 are not supported on it. Now, we do want to have these ports, HA1 and HA2, backed up, whether they are dedicated or non-dedicated. For example, HA1 has a backup and HA2 has its own backup, which is non-dedicated.
The reason is that we want to avoid a split-brain scenario. A split-brain scenario will occur if the non-redundant control link goes down for some reason. So if we don't have any redundancy for HA1 and it goes down, but the firewall is actually still working and functional, then because that link is down we don't hear any heartbeats. Because we don't hear any heartbeats, the passive firewall will think the active firewall is down and it will become the new active firewall. That causes a split-brain scenario, and a dedicated and redundant management plane control link will avoid this scenario.
For the PA-7000 series the high availability links must use a specific port on the switch management card (SMC) for HA1; this is known as HA1-A, and the backup will be HA1-B. We will use the high-speed chassis interconnect (HSCI) ports for the data link, so we have A and B there as well. Now, designating an active firewall: in active/passive mode one of the firewalls will obviously be active and the other one will be passive. You can leave it to chance, you can leave it to them to fight it out between themselves. The default priority is 100, so if you don't change anything they will choose which one becomes active depending on whoever has the lowest MAC address.
If you want to decide which firewall is active and which is passive, then on the firewall I want to be active I will change the priority to a lower number. From 100 I can even go to 99; that's enough. That will be my active firewall and the other one will be passive. Now, the active firewall will stay active as long as there is no failure. If there is a failure, the active firewall goes down, the passive firewall will notice because of the missing heartbeat, and it will become the new active while the other one is failed. But what happens when the failed firewall comes back online? If you want that firewall to become active again and to run through the election again, you have to enable preemption, which is not enabled by default.
If you have preemption enabled, then once that firewall is back online it becomes active right away and the other one switches back to passive. Now, failure detection: a firewall uses several monitored metrics to detect a failure. The first metric is the hello messages and heartbeats, which verify that the peer firewall is responsive and operational. We can also monitor the link state of the physical interfaces. For example, imagine that this firewall is active and this firewall is passive. On the active firewall all the links are good, and we want to monitor them. If one link fails for some reason, we want the active to fail over: it goes to passive and the other one switches to active. That's why we monitor physical links.
We can also monitor paths to mission-critical IP addresses using pings. For example, imagine that this firewall is active and this one is passive. As long as we can ping a mission-critical IP address, say a DNS server, we want this firewall to be active. If there is a failure and we can't ping that DNS server, but the passive can ping it, then we want this one to switch to passive and the other one to go to active. That is mission-critical path testing. Next, a failure can occur when an internal health check fails.
Some of the series, like the 3000, 5000 and 7000, can run an internal health check, making sure that everything inside is fine; if that fails, there will be a failure detection. Now the timers: there are seven different timers and they are preset. There are two profiles, called the recommended profile and the aggressive profile, which will auto-populate the seven timers to optimum values depending on your firewall model. But if you want to change them and have control of the timers yourself, you can do that with the advanced settings: switch to advanced and then change the timers. Next, the heartbeat backup on the management port.
A heartbeat backup on the management port will help prevent the split-brain scenario. We can enable it on the management port as a backup for the heartbeats, and if we do that, because the heartbeat is a ping, we need to allow ping on the management interface.
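To make the election, preemption, link and path monitoring, and split-brain behaviour from this section concrete, here is an added Python model of an active/passive pair (written for this page, not Palo Alto code). The interface names, MAC addresses and the monitored DNS address are constructed sample values, and the seven timers are not modelled.

```python
# Added toy model of PAN-OS active/passive HA behaviour as described in this
# chapter (illustration written for this page, not Palo Alto code).
from dataclasses import dataclass, field


@dataclass
class Firewall:
    name: str
    mac: str                      # constructed sample MAC, used only as tie-break
    priority: int = 100           # device priority; default is 100, lower wins
    preemptive: bool = False      # preemption is off by default
    link_condition: str = "any"   # link-monitor failure condition: "any" or "all"
    links_up: dict = field(default_factory=dict)  # interface -> link is up
    paths_ok: dict = field(default_factory=dict)  # monitored IP -> pingable
    healthy: bool = True          # internal health check
    state: str = "passive"

    def link_failure(self):
        down = [i for i, up in self.links_up.items() if not up]
        if not down:
            return False
        # "any": one link down is a failure; "all": every monitored link must be down
        return self.link_condition == "any" or len(down) == len(self.links_up)

    def path_failure(self):
        return any(not ok for ok in self.paths_ok.values())

    def failed(self):
        return not self.healthy or self.link_failure() or self.path_failure()


def elect(a, b):
    """Lower device priority wins; equal priority falls back to the lowest MAC."""
    def key(fw):
        return (fw.priority, fw.mac.lower())
    return a if key(a) < key(b) else b


class HAPair:
    def __init__(self, a, b):
        self.a, self.b = a, b
        winner = elect(a, b)
        winner.state, self.peer(winner).state = "active", "passive"

    def peer(self, fw):
        return self.b if fw is self.a else self.a

    def active(self):
        return [fw.name for fw in (self.a, self.b) if fw.state == "active"]

    def step(self, ha1_up=True, heartbeat_backup=False):
        """One evaluation round. ha1_up models the HA1 control link and
        heartbeat_backup the heartbeat backup on the management port."""
        for fw in (self.a, self.b):
            peer = self.peer(fw)
            hears_peer = (ha1_up or heartbeat_backup) and not peer.failed()
            if fw.state == "active" and fw.failed() and not peer.failed():
                fw.state, peer.state = "failed", "active"     # failover
            elif fw.state == "passive" and not hears_peer and not fw.failed():
                fw.state = "active"   # peer silent: take over; if the peer is in
                                      # fact alive this is the split-brain case
            elif fw.state == "failed" and not fw.failed():
                fw.state = "passive"  # recovered firewall rejoins as passive...
                if fw.preemptive and elect(fw, peer) is fw:
                    fw.state, peer.state = "active", "passive"  # ...unless it preempts
        return self.active()
```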
- 12.3 Active-Passive HA configuration
In this video we are covering PCNSA 210 and this is our chapter twelve, High Availability, or HA for short. This is the third video of chapter twelve, 12.3 active/passive high availability configuration. This is the lab topology that I will be using to demonstrate the high availability configuration. I have access to two firewalls, firewall A and firewall B, through the management IP addresses 192.168.1.254 for firewall A and 192.168.1.253, on the same network, for firewall B. I will use that management interface as my control link between the two firewalls. I will put them into one group, say group twelve: this is firewall one and two, that's group twelve. Firewall A will be the active firewall with the lower priority, well, the better priority.
So I will lower it to 80 and preemption will be enabled; firewall B will be the passive firewall and preemption will be enabled there as well. We have to make sure that everything is OK: the model is OK, the version is OK, the licenses are the same, for it to work. OK, so I'm going to access my firewalls and show you the two. I have firewall A, that's 192.168.1.254, and firewall B, that's 192.168.1.253. The first thing we need to do to prepare these two firewalls is create an interface that is going to be used for our data link, or HA2 interface. For the HA1 or control link interface I will use my management port, as these are virtual firewalls and I don't have a dedicated HA interface.
To create a high availability interface I need to go to Network, and under Interfaces I'm going to select ethernet1/6. That's going to be my high availability interface for the data link. I'll choose ethernet1/6 and for the interface type I'll put HA, for high availability. Nothing else; I can't put an IP address or anything like that. Just click OK, and then I'll do the same for firewall B: go to Network, Ethernet, then ethernet1/6 and set it as a high availability interface. OK, so our interfaces are done. The next thing is to actually start configuring high availability. For that we need to go under Device, where the second entry is High Availability. Under the General tab, in Setup, we have to enable high availability first.
Click on the gear icon for Setup and then enable it. You see the group ID can be from 1 to 63, so I'll put the group as twelve. Description? I can just write "active passive high availability" here. As you can see, the mode can be active/passive, where one firewall will process traffic as normal and the other one will just be in the passive state, waiting for the active to fail and then taking over; or we can have active/active, where both firewalls process traffic. So: active/passive, enable config sync, and the peer HA1 IP address. The peer is the neighbor's IP address on HA1. We are configuring firewall A, so here we need to add the IP address of firewall B's HA1 interface.
So I'm going to put 192.168.1.253 here and click OK. Now high availability is enabled on the firewall, so the next thing we need to configure is the HA1 control link. By default I don't need to change anything here, but I just want to show you that because we are using the management port, we could be using another interface. For example, if we had enabled a different interface under Network, like we did with ethernet1/6, we could have used that one. But no, we are using the management port, so that's fine; there's no configuration here. I don't need to enable encryption, and the monitor hold time I can leave at the default, which is 3000 milliseconds.
OK, the next thing we need to configure is HA2, or the data link interface. I'm going to enable session synchronization. The port is the one that we just created, ethernet1/6. The IP address of that port is 172.16.12.1 and the subnet mask is 255.255.255.0. The gateway I don't need to put here; only if the data link ports are in different subnets is the gateway important. Transport I'm going to leave as Ethernet; I could have IP or UDP, but Ethernet it is. And I don't need to change anything for the HA2 keep-alive; I don't need to configure that at all. OK, I will do the same configuration now on firewall B.
So I go to firewall B and go to Device, and first I enable high availability. Under the gear, if you remember: enable, and they have to be in the same group, so I have to put twelve here as well. And then the peer IP address for firewall B is firewall A's IP address, 192.168.1.254. OK. Again, for HA1 we don't have to configure anything because it's already set to the management port. For HA2, which is our data link, I'm going to configure the port that we just created for HA. Here the IP address of that port is 192.168.12.2 and the mask is 24, and everything else I just keep the same.
OK? The next thing we need to do is say who is going to be our active. Well, we don't need to do it: if we don't do anything they're going to have the default priority and then the one with the lower MAC address is going to win. But I want firewall A to be my active firewall, so I go there and choose Election Settings. You can see the device priority is 100, so I need to change that to something less than 100, say 80 for example. Then this will be the active firewall. Preemptive is enabled. Heartbeat backup, for example, is to make sure that if the management interface we're going to use for heartbeats goes down, I have a backup there. And for the high availability timers there are two profiles, recommended and aggressive, which will populate the timers automatically.
Or we can choose advanced and add our own timers, whatever we want: for example promotion hold time, hello interval, heartbeat interval and so on. But I'm just going to leave it at the default, which is recommended, and click OK. Now, I'm not going to change the election settings on the other side; I'm going to leave that firewall at priority 100, and this firewall will win because it's got the lower, the better, priority. Then the active/passive settings: the passive link state can be shutdown, which is layer 1 and layer 2, or it can be auto, which is actually not shut down but just disabled. We can also set the monitor fail hold-down time, for example how many minutes before we take over, just to avoid flapping of the devices going up and down.
Click OK. I'm going to do the same for firewall B as well: go to active/passive settings and set it to auto. The next thing I'm going to configure is link and path monitoring for firewall A. For example, say I want to monitor my links: if some interface goes down, then I want that to be treated as a failure, and the other firewall, which is in passive mode, will take over. So under link monitoring I'll add a new one and just call it "link monitor". This is enabled by default, and the failure condition can be any or all. So for example, if I put all these interfaces in and say any, then if any of these interfaces goes down that's treated as a failure; or with all, I have to wait for all interfaces to go down for it to be treated as a failure.
So, link failure: I'm going to say any, meaning if any of these interfaces goes down, that's a link failure. Click OK. And path monitoring: say that I do want to ping some destination, something important like a DNS server. If I can't ping it, then that means something's wrong and I want my passive firewall to become the active firewall. So I'll use lab VR as the virtual router and I'm going to ping these destinations. As long as I can ping that DNS, it's all OK. And the same I will do for firewall B: link and path monitoring. So link monitoring, I'll add "link monitor" and the interfaces I'm going to monitor, and if any of these interfaces goes down.
It's considered a failure, right? Let me just remove this, OK? Then path monitoring again; I can use it for a virtual wire path, VLAN path or virtual router path. So that's what I'm going to do: I'm going to add a virtual router path, add my virtual router here, and monitor that DNS again. You can put any IP address; as long as it's pingable, it's OK, there's no failure. Click OK. And that's it, that's our configuration done for both firewalls. I'm just going to commit them and then we're going to view what we have. OK, the commit has completed successfully on firewall A.
So let's go to firewall B and check it. Firewall B is successful as well. There are some warnings here, but it's fine, it's about an EDL, an external dynamic list. I'm going to close that. To monitor, I need to go to the Dashboard and add the widget for High Availability. As you can see, high availability is not working. We have HA1 up, HA2 up, and the VM-Series plugin is matching, but the problem here is the license. Looking at the widget: mode active/passive, non-functional, VM license mismatch with the peer. So that's the problem: because the license is mismatched, HA is not working.
Non-functional, license mismatch with the peer, and you can see the peer's IP address. The problem is that firewall A is licensed (VM-50), but firewall B is not licensed; there's no VM license here. For that reason we don't have high availability. If it was licensed correctly, that would be the configuration. You can see HA1 and HA2 are up, and all of this, app version, threat version, antivirus version, is not matching. But the problem again is the license: because we don't have a license on this firewall, that's why it's mismatched. If you had the license, it would be matching and high availability would work.