Active/Passive Palo Alto Deployment in Azure: Step by Step guide Part 2
- Published: 15 Nov 2024
- This video explains which configurations are needed on the Azure side to get a reliable setup. It also demonstrates issues with HA and walks through troubleshooting in detail using the logs.
Really good stuff. Helped me to clear some points on PA HA active/active cluster on Azure.
Great work!
Awesome explanation!!! And exactly what I was looking for. @Patel&Patel, in our environment we have Palos deployed as Active/Passive, and they are being used for customer site-to-site IPsec VPN tunnels. Is there a way we can monitor the failover of the firewalls and the attachment and detachment of the floating IP, so that we get notified in the scenario where the floating IP is stuck on the secondary (passive) firewall and the primary firewall has become active? How can we monitor this and prevent all VPNs from going down, using Splunk Synthetics or SolarWinds?
Thanks. You can use the Palo SMTP alert for an email when HA is triggered. SolarWinds can monitor everything you need using SNMP.
Great explanation, thank you. Can we push the interface and HA IP configuration from Azure to the VM firewalls? I see you created the interfaces again on the local Palo VM. It's a time-consuming process if we need to follow the same procedure when we have multiple interfaces on every firewall in prod. I'm just looking for options. Thank you.
Hi
Great presentation 👍
One question: is it possible to do the whole firewall configuration (updates, interfaces, zone creation) from Panorama directly? If so, what is the process? Should we create the Device Group, Template, etc. first in Panorama and migrate the firewalls to Panorama one by one?
Or should we attach the FWs after the configuration?
2nd question 😀: In the Palo Alto documentation, the activation of 'IP forwarding' on the untrust and trust interfaces is not indicated. Was it forgotten by Palo Alto?
Sure, you can implement the firewalls and import them into Panorama, and push the config that way. It should be standard process to manage an HA pair through Panorama. Google it; it should come up on top.
For IP forwarding, I'm not sure what Palo had in mind, but I have seen it somewhere and I do not remember my reference.
You are the best!!! Thank you! So how do I handle inbound rules to the FWs and also the S2S VPN setup? What public IP do I use? Will I make use of Azure load balancers anywhere in this setup? Please shed more light, thank you!
You can configure a load balancer in front as well as in back. You need to use a route table. For inbound it's the same: you can attach more IPs to the firewall interface or use a public load balancer to forward to the untrust interface. From there you can NAT the traffic.
@patelpatel5829 OK, thank you for this, very insightful. For inbound, can I just attach a public IP to the untrust floating IP (VIP)? That is, if I don't want to use an external Azure Load Balancer?
@ajibolayusuf2057 Yes, all the IPs float to the passive firewall in case of failure.
You know you did not configure the HA in the first video, right?
Please help us with a detailed video on attaching a public load balancer for inbound and outbound NAT. The customer wants to do NAT on the firewall instead of on the load balancer.
Page 46, implementation guide. www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/guides/azure-architecture-guide
Please comment what you want to learn on Palo firewalls!
Just so I am clear, the GitHub script didn't give you a FW with licenses, so you built the second firewall manually like you did the first one?
Umm.. Yes.
What I meant was: when we deploy from GitHub, PA-VM expects the BYOL model, where you purchase an auth code from Palo Alto and register/activate the firewall. This option is not good for me, as I am just building a demo lab and purchasing would cost more money and time.
When we deploy from the marketplace we can choose the PAYG license, which comes as a pre-activated firewall with licenses.
@patelpatel5829 We deployed the active firewall from the marketplace with the PAYG Bundle 1 license and the passive firewall from GitHub, but the passive firewall deployed was the BYOL model. Is it OK to use the active as PAYG Bundle 1 license and the passive as BYOL license? Or how do we license the passive with PAYG Bundle 1?
@rockleefiltu No, you need the same licenses on both.
Hello, don't we need an external load balancer for GlobalProtect?
The command-line view is completely unreadable. Is the log you are running a tail on plugin_api_server.log?
I have configured FortiGate HA via a load balancer in Azure, but the problem we are facing is that when a failover occurs the firewall IP address doesn't change, so all traffic towards the WAN interface for SSL VPN is not working.
Shouldn't we use Azure Load Balancer to achieve high availability with Palo virtual appliances?
Depends on the use case and requirements.
We have deployed with 10.1.0 and had an issue in HA during the setup of the service principal. Can you share what bug you got hit by when deploying 10.1.0?
I do not have a Bug ID, but I had 2 inconsistent behaviors in 10.1.0, 10.1.1, and 10.1.2.
In one, I was not able to make HA work. It would only move one VIP and not the other, or it would just keep trying to fail over and it would never happen. In the second instance everything was working fine, but I could not join them to Panorama. Panorama never showed connected until I downgraded to 10.0.6.
Could you please create a video on specific access for PA-VM as per the Palo Alto documentation, instead of giving Contributor access?
You can copy and paste the access XML to Azure and you should have all the access needed.
Hello
I have deployed the secondary firewall in a new temp VNet in the same subscription and moved the resources to the same resource group as the primary Palo Alto, but the issue is that the secondary PA interface is still in the new temp VNet and I am not able to attach the HA interface. Please let me know the procedure to move the secondary PA to the primary PA VNet.
Azure does not have native support to move a VM from VNet to VNet. Save the disk and redeploy, but hey, how hard is it to redeploy new and shiny?
The floating IP takes some time, about 4-8 minutes, to change from primary to secondary in the Azure portal. What might be the cause of the delay?
Azure API calls and reconfiguration.
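Two threads above ask related questions: how to get notified when a floating IP is stuck on the passive firewall after a failover, and why the move of the floating IP takes 4-8 minutes in Azure. The check below is an added example, not code from the video, the commenters or Palo Alto Networks. It assumes the NIC JSON has the flattened shape printed by `az network nic show -o json` (top-level `ipConfigurations[].privateIPAddress`), that you obtain each unit's HA state separately (for example from the SNMP polling the reply above recommends), and that the VIP names and addresses (`10.0.1.10`, `10.0.2.10`) are placeholders. The sample inventory is constructed, not captured from a real tenant. The point the example adds is the grace window: because Azure moves the secondary ipconfig through API calls that take minutes, a VIP that is missing or still on the passive unit is only "moving" until that window has passed, and only then worth paging on.

```python
"""Audit whether Palo Alto HA floating IPs sit on the active unit in Azure.

Added example; assumptions (not from the page):
- NIC JSON shape as returned by `az network nic show -o json`
- HA state per firewall supplied by the caller ("active" / "passive")
- VIP names and addresses below are placeholders
"""
import json

# Assumed secondary (floating) private IPs of the HA pair.
FLOATING_IPS = {"untrust-vip": "10.0.1.10", "trust-vip": "10.0.2.10"}

# Azure needs several minutes of API calls to move an ipconfig between NICs,
# so a VIP in flight is not an incident until this many seconds have passed.
MOVE_GRACE_SECONDS = 8 * 60


def nic_private_ips(nic):
    """Private IPs on one NIC: primary plus every secondary ipconfig."""
    return {cfg["privateIPAddress"] for cfg in nic["ipConfigurations"]}


def vip_holders(firewalls):
    """Map each VIP name to the list of firewalls whose NICs carry it."""
    holders = {name: [] for name in FLOATING_IPS}
    for fw_name, fw in firewalls.items():
        ips = set().union(*(nic_private_ips(n) for n in fw["nics"]))
        for vip_name, vip in FLOATING_IPS.items():
            if vip in ips:
                holders[vip_name].append(fw_name)
    return holders


def audit(firewalls, seconds_in_state):
    """Classify each VIP as ok, moving, stuck-on-passive, missing or duplicate.

    firewalls: {name: {"ha_state": "active"|"passive", "nics": [nic_json, ...]}}
    seconds_in_state: how long the pair has reported its current HA state; it
    suppresses transient results while Azure is still moving the ipconfig.
    """
    active = [n for n, fw in firewalls.items() if fw["ha_state"] == "active"]
    results = {}
    for vip_name, owners in vip_holders(firewalls).items():
        if len(active) != 1:
            status = "ha-state-invalid"      # split brain or no active unit
        elif owners == active:
            status = "ok"                    # exactly the active unit holds it
        elif seconds_in_state < MOVE_GRACE_SECONDS:
            status = "moving"                # Azure API move still in progress
        elif not owners:
            status = "missing"               # detached from both NICs
        elif len(owners) > 1:
            status = "duplicate"             # attached to more than one NIC
        else:
            status = "stuck-on-passive"      # only the passive unit has it
        results[vip_name] = {"holders": owners, "status": status}
    return results


def needs_alert(results):
    """True when any VIP is in a state worth paging on (not ok, not moving)."""
    return any(r["status"] not in ("ok", "moving") for r in results.values())


# Constructed sample: fw-b has become active, the trust VIP already moved,
# but Azure still lists the untrust VIP on fw-a's NIC.
SAMPLE = {
    "fw-a": {"ha_state": "passive", "nics": [
        {"name": "fw-a-untrust", "ipConfigurations": [
            {"name": "ipconfig1", "primary": True, "privateIPAddress": "10.0.1.4"},
            {"name": "untrust-vip", "primary": False, "privateIPAddress": "10.0.1.10"}]},
        {"name": "fw-a-trust", "ipConfigurations": [
            {"name": "ipconfig1", "primary": True, "privateIPAddress": "10.0.2.4"}]}]},
    "fw-b": {"ha_state": "active", "nics": [
        {"name": "fw-b-untrust", "ipConfigurations": [
            {"name": "ipconfig1", "primary": True, "privateIPAddress": "10.0.1.5"}]},
        {"name": "fw-b-trust", "ipConfigurations": [
            {"name": "ipconfig1", "primary": True, "privateIPAddress": "10.0.2.5"},
            {"name": "trust-vip", "primary": False, "privateIPAddress": "10.0.2.10"}]}]},
}

if __name__ == "__main__":
    # 2 minutes after failover: untrust VIP is "moving", no alert yet.
    print(json.dumps(audit(SAMPLE, 120), indent=2))
    # 10 minutes after failover: untrust VIP is "stuck-on-passive", alert.
    print(json.dumps(audit(SAMPLE, 600), indent=2))
```

In practice you would feed `audit()` the output of `az network nic show` for each firewall NIC together with the HA state polled over SNMP, run it on a schedule, and raise the SolarWinds or Splunk alert only when `needs_alert()` returns true, which keeps the normal 4-8 minute Azure move from paging anyone.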