Palo Alto PCNSA – Chapter 12 – HA (High Availability) part 2
- 12.4 Monitoring HA state
In this video we are covering PCNSA 210, and this is chapter twelve, High Availability, or HA for short. Now this is the fourth video of chapter twelve, which is 12.4, monitoring High Availability state: active/passive High Availability pair startup. So the firewall, once it boots, will check the health status. If the health status is not okay, then it will go to the non-functional state. If it's okay, then it will move to the initial state. In the initial state it will look for the peer, and it will stay there for 60 seconds trying to find the peer. If in that time the peer is not found, then it will go to the active state. If the peer is found, then it will start negotiating with the peer. So the first thing it's going to check is whether the configuration is mismatched.
So if we have a configuration mismatch, then we will go to the non-functional state. If there is no configuration mismatch and the configuration is fine, we will check the device priority, or whoever's got the better device priority. You know, the default priority was 100, and a lower number than that is a better device priority. So if we have the better device priority, then we'll go to the active state. If it's the worse device priority, then we will move on to the passive state. And another state is when the administrator, for some reason, has suspended the firewall for testing or something. We have a suspended state. So these are the five states that we have to remember. We have a non-functional state, and this state is for errors, so if there's a problem it's going to be the non-functional state.
The initial state is when we boot and we're trying to find the peer, and if for 60 seconds we have not found a peer, then we'll go to the active state. If for some reason we have the worse device priority, then we'll be in the passive state and we monitor the active peer. And another state is the suspended state, where the administrator has suspended High Availability. So these are the states. Initial: the firewall remains in this state after boot-up until it discovers a peer and the negotiation begins. We have the active state, which is the normal traffic-handling state. We have the passive state, in which normal traffic is discarded, but it may process Link Layer Discovery Protocol (LLDP) and Link Aggregation Control Protocol (LACP) traffic. Suspended is where the administrator has disabled High Availability, and non-functional is where we have an error.
We can look at the states of the individual firewalls in the High Availability pair, and we can monitor them from the Dashboard tab. We just have to add the widget for High Availability, and it will display them with color coding: green means good, yellow is passive, and red is critical. Now, for example, if we need to troubleshoot the High Availability configuration, we have to look at the system log, which is located under Monitor. So we have to go to Monitor, then Logs, then System, and we can filter by subtype equal to high-availability only, so we see only the high-availability type of logs. And what we see here are just the normal, typical entries recorded during active/passive High Availability pair initialization.
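The startup sequence above (health check, 60-second peer discovery, configuration-mismatch check, priority election, plus the administrative suspended state) written out as a small state model. This is an added example, not PAN-OS code or the course author's material; the `HaConfig` fields, the `startup_state` function and the choice of which settings count as a mismatch are my own assumptions drawn from what the lesson lists.

```python
"""Model of the active/passive HA startup negotiation from lesson 12.4.
Added example, not PAN-OS code: class and function names are assumptions."""
from dataclasses import dataclass
from typing import List, Optional

PEER_DISCOVERY_SECONDS = 60   # how long the initial state waits for a peer
DEFAULT_PRIORITY = 100        # lower number is the better device priority


@dataclass
class HaConfig:
    group_id: int                 # 1..63, must match on both peers
    mode: str                     # "active-passive" or "active-active"
    sw_version: str               # PAN-OS version, must match
    vm_license: Optional[str]     # None models an unlicensed VM (as in the lab)
    device_priority: int = DEFAULT_PRIORITY

    def mismatch(self, peer: "HaConfig") -> List[str]:
        """Settings that must agree but don't; an empty list means compatible."""
        checked = ("group_id", "mode", "sw_version", "vm_license")
        return [n for n in checked if getattr(self, n) != getattr(peer, n)]


def startup_state(local: HaConfig, healthy: bool, suspended: bool,
                  peer: Optional[HaConfig], seconds_waited: int) -> str:
    """Return the HA state a firewall settles into after boot.

    Order follows the lesson: suspended by an admin -> health check ->
    initial (peer discovery) -> config mismatch -> priority election.
    """
    if suspended:
        return "suspended"
    if not healthy:
        return "non-functional"
    if peer is None:
        # Still searching; once the 60 s window expires it goes active alone.
        return "initial" if seconds_waited < PEER_DISCOVERY_SECONDS else "active"
    if local.mismatch(peer):
        return "non-functional"
    if local.device_priority < peer.device_priority:
        return "active"
    if local.device_priority > peer.device_priority:
        return "passive"
    # Equal priorities: the lesson does not cover the tie-break, so refuse to guess.
    raise ValueError("equal device priorities: tie-break not covered here")


if __name__ == "__main__":
    fw_a = HaConfig(12, "active-passive", "9.1", "VM-50", device_priority=80)
    fw_b = HaConfig(12, "active-passive", "9.1", "VM-50")
    print("A:", startup_state(fw_a, True, False, fw_b, 5))   # active
    print("B:", startup_state(fw_b, True, False, fw_a, 5))   # passive
```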
- 12.5 Lab Active-Passive High Availability
We are covering PCNSA 210, and this is our chapter twelve, High Availability, or HA for short. Now this is the fifth video of chapter twelve, which is 12.5, our lab about active/passive High Availability configuration. What are we going to do in this lab? We're going to configure a dedicated High Availability interface, which we're going to be using as the data link, and we're going to configure active/passive High Availability. And then we look at the dashboard: we add the widget first, and then we look at the High Availability configuration. Is it working or not? We observe the behavior there. So this is the lab topology that I will be using to demonstrate High Availability for you.
And I will have access to two firewalls. I have firewall A here and firewall B, and I will access firewall A from this management interface, IP address 192.168.1.254, and we're going to be using that as HA1, or the control link. Our management interface on firewall B is 192.168.1.253, and again that will be used as HA1, or the control link. Then I will create a dedicated High Availability interface, and that will be used as HA2. The dedicated interface will be ethernet1/6, and that will be used as HA2, or the data link. We'll give it an IP address: 172.16.12.1 will be for firewall A and 172.16.12.2 for firewall B. Our firewall A will be the active firewall, because we set the priority to 80, and we'll enable preemption.
So firewall B will have the default priority of 100, and preemption will be enabled as well. Okay, so there are quite a few things to do. So let me go to both of the firewalls and show you. So this is my firewall A, so I have access to 192.168.1.254, and then we have firewall B, 192.168.1.253, the same as what we have here. Okay? So the first thing that we need to configure is to enable an interface for High Availability, which will be used as the data link interface, or HA2. So for firewall A, I'll go to Network and then Interfaces, and I'll choose ethernet1/6, and in here I'll just set it as type HA2. So interface type HA2, nothing else. I can configure a comment; in production you would put a comment in there. That's it.
I don't need to give it an IP address or anything, just click OK here, and then I'll do the same for firewall B. So I'll go to firewall B, Network, and then Interfaces, and I'll enable that as, not a tap interface, HA2, or just HA, sorry. That's it: interface type HA, and click OK. So firewall B has got interface ethernet1/6 as HA, and firewall A has got the same ethernet1/6 HA interface. And this, again, if you look, will be HA2, the data link. We'll use it for the data link. Okay? The next thing we need to do is to actually enable High Availability. To do that we need to go to Device, and then the second entry will be High Availability, and in the General tab I have to go to Setup and enable it there. So by default it's not enabled.
You see Enable HA, so I'll tick that, and the group, you can see, is from 1 to 63; the group has to be the same, so we can choose the same group and put it here. So I'll put 12. For the description we'll put whatever you want, but I'm just going to say active/passive HA, and you can see the mode. We can have active/passive, that's what we're going to be using, or we can have active/active mode. No, I'm going to choose active/passive and leave active/active for future lessons, more advanced Palo Alto lessons. And we're going to enable configuration synchronization. And then we need to tell it the HA1 peer IP address.
So what it is looking for now, you see, is the HA1 control link peer IP address, which is this one here, 192.168.1.253. So here I need to put 192.168.1.253. I'm not going to have any peer backup, our neighbor doesn't have a backup HA1, so I'm going to leave that empty. Click OK. And I'll do the same for firewall B. So I'll go to firewall B, go to Device and then High Availability, General, and I will enable it there. So enable, group the same, 12, leave the description, you can put whatever you want, active/passive, and the peer HA1 IP address. Now it's looking for this IP address. So for firewall B, the peer is firewall A with that IP address. So 192, sorry, yeah, 192.168.1.254 is the IP address, and click OK.
Now High Availability is enabled, and we just need to configure the other settings, for example the data link and control link. Well, the next step is the control link, or HA1. We can configure the control link: if it's a dedicated interface, we'll put it here, or if it's some other interface, we have to enable it. But by default we're going to be using our management port, which is already configured here. So we don't really need to change anything. Encryption I'm not going to enable, and the monitor hold time I'll leave at the default. Now I'll do the same. Well, I'm not doing anything, I'm just verifying. Yeah, so on firewall A, same, the management interface is going to be the control link.
HA1 is the management interface, and for HA2, as you can see, the HA2 data link is the interface ethernet1/6, and that's the IP address. So on firewall A, you can see data link, HA2. I'll configure that: I will enable session synchronization, and the port is the one that I created, ethernet1/6. That's my HA2. And the IP address for this is going to be 172.16.12.1. And I'm picking this just from the same network, any private address; you can really pick your own one. What I'm trying to say is that it doesn't have to be this address. You will use a gateway if the data link interfaces are in different subnets; then you have to use the gateway. Otherwise you can just leave it empty. And transport: we can leave Ethernet, IP, or UDP.
We're just going to leave it at Ethernet. I'm going to keep this the same; I'm not going to change the HA2 keep-alive, so I'm going to keep it as is. And click OK. Now we'll go to firewall B and I'll do the configuration. So under the data link I'll say the port is ethernet1/6, and the IP address of this is 172.16.12.2, and the subnet mask is 255.255.255.0. That's it. So now HA1 is already configured, because that's the management interface and we told it the peer's IP address, and HA2 we enabled on the interface that we have configured. So now we have to configure preemption and priority, for example, and that is under Election Settings. So in the same place we go to Election Settings, we click on the gear icon here, and device priority, you can see, is 100.
But for firewall B I want to leave it as the default. That's my default, so this is firewall B, so leave it default. I will enable preemptive, so preemption will be enabled. And heartbeat backup, this is to avoid the split-brain scenario that we talked about in the lesson, and I'm not going to enable that. I'm going to leave it as is; I don't have a backup. So the timers: we have two timers, recommended and aggressive, and these are going to be populated by themselves, we don't have to worry about it, depending on the firewall. Or, if we want to change them, we just click on Advanced and we put in our own timers and change them, but I'm going to keep it at recommended. So click OK. Now on firewall A I will actually reduce the priority to 80, which will make this firewall become the active firewall.
Preemption is enabled, and I will leave the timers at recommended. And the next thing is, if you have a backup, for example an HA1 backup, you will configure it here. If you have an HA2 backup, you will configure it here, which I don't have, so I'm not going to configure it. And the next thing is the active/passive state settings. This is what happens to the links when it's in the passive state: is it shut down, which will take longer to come up and then take over, or maybe just disabled, where it's up but it is disabled? And how long do we want to wait before we actually take over? This is to prevent flapping of the firewall going up, down and so on. And I can click OK, and I'll do the same for firewall B.
So active/passive settings, and I set it to auto. Okay, the next thing I'm going to do is link and path monitoring. This is, for example, when we are the active firewall, but some interface goes down: we want to make sure that it counts as a failure and the passive firewall will become the new active firewall. So we can monitor, for example, our interfaces. So I'm just going to give it a name here, link monitor, and enable it, and the failure condition: I can say any of the interfaces that I add, if anything goes down, it's a failure; or I have to wait for all the interfaces to go down, and then it will be considered a failure. So I will add the interfaces ethernet1/1, ethernet1/2, and ethernet1/3. So if any of these interfaces goes down, it will consider it a failure, and the passive firewall will take over.
And then we can do path monitoring as well. And I can add a virtual router, for example, a virtual router path. So the firewall will actually ping the path and make sure it can access it. If it can't access it, then that will be considered a failure. So I'm going to use my router and choose a path. For example, I can ping some DNS server. So say that I'm pinging this: for as long as I'm pinging this, it's considered fine. And click OK. We could change the ping intervals as well if you wanted. I don't know if you saw it here: ping interval and ping count, we can change them, but just leave them at the default. And I will do the same for firewall B. So I'll go to link and path monitoring and I monitor the links.
For example, just say link monitor. And here I'll put the interfaces that I want to monitor, so ethernet1/1, 1/2 and 1/3. If any of the interfaces goes down, that's going to be considered a failure. And we can do path monitoring, so virtual wire path or VLAN path; we're going to say a virtual router path. And our virtual router is the lab VR. And I'm going to add that for as long as I can ping this IP address, the path is fine. Okay, that's all done for the High Availability, or active/passive, configuration. So I just need to commit, and then we can go and check it. So commit on firewall B and then commit on firewall A, and then we go and check. Okay, the commit has completed successfully on firewall A. And just checking: firewall B has completed successfully.
We got some warnings, but that's for external dynamic lists. And there's one big warning here: no valid threat license. And that can be the problem. Remember we said that the licenses, the operating system version and so on all have to match. And if I go to the dashboard here, look, the software version is 9.1; this has to match. So I go to the dashboard here and I see software version 9.1, that matches. Yes, that matches. Now it says the VM license: none. And here it says VM license: VM-50. And that's going to be a problem. So these two are not going to create a High Availability pair, because the license is different.
So the antivirus version, the WildFire version here, they're going to be different, right? So to check it anyway, we have to go to the dashboard, which we are on here, and we have to add the High Availability widget, and that's located under System, and then High Availability. So as you can see, now we have red, which is no good, green is okay, and orange, which is passive, but we don't have anything. Okay, so what we can see here: the High Availability control link is okay, it's up, and the data link is up. So it's working. And the VM service is matching. But the problem that we have is non-functional: VM license mismatch with the peer. So, for example, here the licenses are not matching between firewall A and firewall B, because firewall B is not licensed.
I just use it for testing; it's not licensed. So that's why we don't have a peer. But you can see the peer's IP address, and it's working; they're communicating with each other. The only problem is that we don't have the license. We can have a look at the system logs. So if you want to see what information we have, for example, go to Monitor, and then under Logs we have the System log. So anything that, well, let me get rid of this VPN information. What we want to see, actually, is the High Availability stuff. So I can click on this High Availability, and that will give it as a filter, and apply that filter, and I just see the High Availability stuff.
So VPN client software version does not match, GlobalProtect client software version does not match, threat content version does not match. We have some problems here; that's why it's not working. But HA1 peer link is up, HA2 peer link is up. So these are working. What this is telling me is that they actually are communicating, but the only problem is that we don't have the license. So peer device VM license not matching, going to non-functional state. So it's not actually working. Okay, so if you remember, the states were: non-functional when there's an error, suspended if you switch it off for some reason, for testing or something, we have active, passive, and init, or initializing.
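The lab's failover settings (link monitor on ethernet1/1 to 1/3 with the "any"/"all" failure condition, a virtual-router path monitor, priority 80 versus the default 100, and preemption enabled on both firewalls) as a small decision model. This is an added example, not PAN-OS code or the course's own material; the `LinkMonitor`/`PathMonitor` classes, the `next_active` rule and the constructed ping target are my own assumptions, and preemption is modelled as requiring the setting on both peers.

```python
"""Failover decisions for the lab's link/path monitors and preemption (12.5).
Added example, not PAN-OS code: the monitor shapes below are assumptions."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class LinkMonitor:
    interfaces: List[str]            # e.g. ethernet1/1 .. ethernet1/3 from the lab
    failure_condition: str = "any"   # "any": one down fails; "all": every one must be down


@dataclass
class PathMonitor:
    virtual_router: str              # e.g. the lab VR
    destinations: List[str]          # pinged addresses
    failure_condition: str = "any"


def _failed(states: List[bool], condition: str) -> bool:
    """Shared rule: states are True when the item is *down* / unreachable."""
    return any(states) if condition == "any" else all(states)


def link_failed(mon: LinkMonitor, link_up: Dict[str, bool]) -> bool:
    """True when the monitored interfaces meet the failure condition.
    An interface missing from link_up is treated as down (assumption)."""
    return _failed([not link_up.get(i, False) for i in mon.interfaces],
                   mon.failure_condition)


def path_failed(mon: PathMonitor, ping_ok: Dict[str, bool]) -> bool:
    """True when the pinged destinations meet the failure condition."""
    return _failed([not ping_ok.get(d, False) for d in mon.destinations],
                   mon.failure_condition)


def next_active(active: str, passive: str, priority: Dict[str, int],
                preemptive: Dict[str, bool], active_failed: bool) -> str:
    """Which firewall should hold the active role after a monitor result.

    Lower priority number is better. With no failure, a recovered peer with
    the better priority takes the active role back only if preemption is
    enabled on both firewalls (assumption modelled here; the lab enables both).
    """
    if active_failed:
        return passive
    both_preempt = preemptive.get(active, False) and preemptive.get(passive, False)
    if both_preempt and priority[passive] < priority[active]:
        return passive
    return active
```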