Ahmet Numan Aytemiz , 10.03.2021

  • Configure Active Passive HA According to Topology

  • Make sure PaloAlto1 is the active firewall and PaloAlto2 is the passive firewall

  • I already preconfigured on PaloAlto1:
    • Management IP address
    • Zones
    • Interfaces
    • Virtual Router and Default Route
    • License
    • Security Rule and Source NAT
  • I already preconfigured on PaloAlto2:
    • Management IP address
    • License
    • There is no other configuration on PaloAlto2

topology


PaloAlto1 Configuration

  • On PaloAlto1 configure Ethernet 1/3 and Ethernet 1/4 as HA links
    • Network > Interfaces > Ethernet > Ethernet 1/3


  • Network > Interfaces > Ethernet > Ethernet 1/4


  • On PaloAlto1 enable HA, configure the group ID, select the HA mode, enable config sync, and configure the peer IP address
    • Device > High Availability > General > Setup


  • On PaloAlto1 configure Ethernet 1/4 as the control link and assign its IP address/netmask
    • Device > High Availability > General > Control Link (HA1)


  • On PaloAlto1 configure Ethernet 1/3 as the data link, assign its IP address/netmask, and enable session sync
    • Device > High Availability > General > Data Link (HA2)


  • On PaloAlto1 configure device priority 99 and enable preemption
    • Device > High Availability > General > Election Settings


Finally, commit.


PaloAlto2 Configuration

  • On PaloAlto2 configure Ethernet 1/3 and Ethernet 1/4 as HA links
    • Network > Interfaces > Ethernet > Ethernet 1/3
    • Network > Interfaces > Ethernet > Ethernet 1/4


  • On PaloAlto2 enable HA, configure the group ID, select the HA mode, enable config sync, and configure the peer IP address
    • Device > High Availability > General > Setup


  • On PaloAlto2 configure Ethernet 1/4 as the control link and assign its IP address/netmask
    • Device > High Availability > General > Control Link (HA1)


  • On PaloAlto2 configure Ethernet 1/3 as the data link, assign its IP address/netmask, and enable session sync
    • Device > High Availability > General > Data Link (HA2)


  • I will leave the election settings at their defaults: the device priority is 100, I want the second device to be the passive firewall, and I will not configure this device as preemptive
    • Device > High Availability > General > Election Settings


Finally, commit.

Monitor HA Status

  • On PaloAlto1: Dashboard > High Availability


Verify Zones, Interface Config and Security Rules on PaloAlto2

  • Zones: Network > Zones


  • Interfaces: Network > Interfaces


  • Security Rules: Policies > Security


Manual Failover of the Active Firewall

  • On PaloAlto1 suspend the device to trigger an HA failover
    • Device > High Availability > Operational Commands > Suspend local device


  • On PaloAlto2 verify that the local device is active and the peer is suspended


  • Don't forget to make PaloAlto1 functional again

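As an added verification helper (not part of the original post): a Python script that parses the reply to the XML API operational command `show high-availability state` and flags the conditions the HA Status and Manual Failover steps above check by eye, including the suspended peer that still has to be made functional again. The element names and the sample reply are assumptions modelled on PAN-OS output, not captured from this lab.

```python
import xml.etree.ElementTree as ET

# Constructed sample reply to the operational command
# "show high-availability state", as PaloAlto2 would answer after
# PaloAlto1 was suspended. Element names are assumed from PAN-OS
# output, not captured from the lab.
SAMPLE_HA_STATE = """<response status="success"><result>
  <enabled>yes</enabled>
  <group>
    <local-info><state>active</state><priority>100</priority>
      <preemptive>no</preemptive></local-info>
    <peer-info><state>suspended</state><priority>99</priority>
      <preemptive>yes</preemptive></peer-info>
    <running-sync>synchronized</running-sync>
  </group>
</result></response>"""


def parse_ha_state(xml_text):
    """Pull the HA fields this lab verifies into a flat dict."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise ValueError("API call did not succeed")
    g = root.find("result/group")
    return {
        "enabled": root.findtext("result/enabled"),
        "local_state": g.findtext("local-info/state"),
        "peer_state": g.findtext("peer-info/state"),
        "local_priority": int(g.findtext("local-info/priority")),
        "peer_priority": int(g.findtext("peer-info/priority")),
        "running_sync": g.findtext("running-sync"),
    }


def ha_findings(ha):
    """List the conditions that mean the pair is not a healthy active/passive set."""
    states = (ha["local_state"], ha["peer_state"])
    findings = []
    if ha["enabled"] != "yes":
        findings.append("HA is disabled")
    if states == ("active", "active"):
        findings.append("split brain: both peers report active")
    if "active" not in states:
        findings.append("no peer is active")
    if "suspended" in states:
        findings.append("a peer is suspended: make it functional again")
    if ha["running_sync"] != "synchronized":
        findings.append("running configuration is not synchronized")
    return findings
```

An empty findings list means the pair is in the expected state; anything else is worth a look on the Dashboard before moving on.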