Palo Alto Firewall: Supercharge Ha Configuration For Active-passive High Availability!

Captions
Configuring HA is done under Device > High Availability, and I need to do this on both firewalls separately, the active and the passive. I'll need to make changes to just about all of the settings under this section, and I edit each one of these items by clicking the gear icon in the upper right-hand corner. Right now I'm on the active firewall, and I'll start with the Setup section first. I'll check the box to enable HA. Now, the group ID is a unique identifier that needs to be the same on both firewalls; this number is advertised in the HA messages sent out by each firewall, and if the firewalls have the same group ID, each firewall knows who its partner is. So I'm going to use 25. I'll put in a description, and for mode I'll leave this set to active/passive. We do support active/active, but that discussion is way outside the scope of this course. I'll leave Config Sync checked. This means that the active firewall will automatically synchronize its configuration with the passive device, so if I create a new security rule or a new address object on the active device, those changes will automatically get pushed to the passive firewall and I don't have to repeat the configuration steps.

Now, for the peer HA1 address I'm going to put in 1.1.1.2, and for the peer backup IP address I'll put in 2.2.2.2. Those addresses belong on the passive firewall; based on my network diagram, those are these addresses here, the ones on the backup firewall. So I'm telling the active firewall what these addresses should be on its passive partner for both the HA1 and the HA1 backup connection. I'll click OK and we're back to the configuration screen.

I'm still on the active device, and next I'll configure my HA1 link on the active firewall by editing this section. For Port I'll choose ethernet1/4, and this is where I supply the IP address of this firewall for that HA1 connection: this will be 1.1.1.1 with a 24-bit mask. I don't need a gateway because these devices are going to be on the same network, and I'm not going to enable encryption for this demo. I could encrypt the communication across this connection between the firewalls if I needed to for regulatory or security concerns, but I'm going to keep it simple and leave it unencrypted. I'll also leave the monitor hold down set to the default of 3 seconds; this value has to do with link or path monitoring, which we talk about in another section of the course, so the default values are fine. I'll click OK.

Now I'll move on to the section for the HA1 backup connection on the active firewall. I'll edit this connection, and in my example I'll set this to ethernet1/5 and put in the IP address of my active device for the backup HA1 connection, which will be 2.2.2.1 with a mask of 255.255.255.0. Again, I don't need a default gateway for this particular network because both the active and the passive device are on the same network. I click OK and move on to the data link, HA2. I put a check in the box here to enable session synchronization, so I will synchronize the session table from the active to the passive device. For Port I'll choose ethernet1/6 based on my lab architecture, and I don't need to supply an IP address for this connection; I'll leave it set to the default transport of ethernet. Click OK and move on to the configuration of the backup HA2 connection. Again, based on my lab architecture, I'll use ethernet1/7, and I don't need to specify IP addresses or masks for this connection. Click OK, and I'll commit my changes on the active device for the time being. We're not quite done on the active device, but I want to make these same settings on the passive device; then we'll come back and finish the configuration on the active device.

So I'll go over to the passive device, go to Device > High Availability, and I'll start with the Setup: enable HA, and because I set the group ID on the active device to 25, I also need to set it to 25 on the passive device. Put a description in, and leave the mode set to active/passive. I am going to enable configuration sync; that's checked on the active firewall, so I'll leave it checked here. For the peer HA1 address I'm going to put in the IP addresses of the active device for HA1 and the backup HA1; based on our lab architecture, those represent these two addresses. I'm configuring the passive firewall, and I'm telling it about the IP address on the active firewall for HA1 and HA1 backup. Click OK and move on to configuring the HA1 control connection for the passive device. Edit this section, change the interface to ethernet1/4, and enter the IP address of the passive firewall for this connection, which based on my lab example is 1.1.1.2. I don't need a gateway, I'm not going to encrypt this, and the monitor hold down is fine at 3 seconds. Click OK. The next section is the HA1 backup, in case I lose this connection to the primary device. In my example I'll use ethernet1/5, put in the IP address of the passive device for this connection, and I don't need a gateway, so I'll leave that blank. Data link, HA2: I'll edit that connection, enable session sync, choose the appropriate interface, ethernet1/6 based on my network, leave the remaining settings unchanged like I did on the active device, and click OK. Lastly I'll configure the HA2 backup, in case I lose this connection to the active firewall; set the port for this one to ethernet1/7, click OK, and commit the changes on the passive device. Again, I've got a little bit more configuration to do, but we'll go to the active box first and then come back here.

Now I'm back on the active firewall; based on my description you can see exactly where I am, and I need to configure the election settings. So I'll edit this area, and for device priority I'm going to set this to 10 on the active device. When I set this up on the passive firewall, I'll set the same value on the passive firewall to 20. It actually just needs to be higher than the value on the active device, because when the devices communicate with one another each one will advertise its priority, and whichever device has the lowest priority will be the active device. This is my active device, so I want to set it to a lower priority. I'll check the Preemptive box so that this firewall will always take over and become active, since it has the lower priority. I'll check the Heartbeat Backup box, which lets the firewalls send heartbeats and hellos to each other over the management network if they lose their HA1 connection, and I'll leave the HA timer set to the defaults. I'll click OK and commit the changes on the active firewall.

Now I'll go back over to the passive firewall and we'll finish the setup. I'll edit the election settings and set the priority on the passive firewall to 20; remember, I set this to 10 on the active firewall, and whichever device has the lower priority will be active. Because I checked Preemptive on the active device, I'll check it here. I'll also check Heartbeat Backup, and I'll leave the HA timer set to Recommended. Click OK. On the passive device I'm also going to edit this setting here for the active/passive settings: I'll change the passive link state from shutdown to auto. This setting essentially lets the passive firewall bring its interfaces online and keep them up, instead of leaving them in a shutdown state and bringing them up only when it detects the active device going down, so this can speed up the failover process. I'll click OK and then commit my changes on the passive firewall. So that's how you configure HA between two firewalls for active/passive.

Now, briefly, I'll show you how you can verify the status. You can add the High Availability widget to the dashboard by going to Widgets > System > High Availability, and you can see that the pair is in active/passive mode. This is the local device, in other words the device I'm currently looking at, and it's in active mode; its peer is in passive mode. The configuration has not been synchronized yet, but I can do that by clicking this link here to synchronize to the peer. I'll click Yes; it's simply telling me that I'm going to overwrite the configuration on the peer with the configuration from the active device, so yes, I do want to do that. Now, while that's going on, we can also see that both firewalls are running the same application version, threats, antivirus, and operating system. The only thing that's down is the link for HA1 backup, and that's simply because I haven't got it set up yet. If we look at the passive firewall, we have the same kind of information, except that it's reversed: I am locally looking at this firewall and it is in passive mode, while its peer is in active mode. The configuration synchronization is still in progress. So having this little widget on the dashboard for both the active and the passive firewalls lets me verify that HA is set up and functioning.
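The walkthrough above repeats the same pairing rules on both units: identical group ID and mode, each unit's peer HA1 and HA1 backup addresses equal to the partner's own addresses on those links, both ends of each link in one subnet (no gateway), the intended active unit holding the lower priority value, preemption and heartbeat backup set on both, and passive link state "auto" on the passive unit. The script below is an added example, not code from the video or from Palo Alto Networks, that checks a pair of configurations against those rules before they are committed. The two dicts are constructed to mirror the values entered in the video; their layout is an assumption made for this script and is not the PAN-OS configuration schema or API.

```python
"""Consistency check for a Palo Alto active/passive HA pair (added example).

The two dicts below are constructed to mirror the walkthrough: group ID 25,
HA1 1.1.1.1 / 1.1.1.2 on ethernet1/4, HA1 backup 2.2.2.1 / 2.2.2.2 on
ethernet1/5, HA2 on ethernet1/6, HA2 backup on ethernet1/7, priorities 10 / 20.
The dict layout is an assumption for this script, not the PAN-OS schema.
"""
import copy
import ipaddress

ACTIVE = {
    "name": "fw-active",
    "enabled": True,
    "group_id": 25,
    "mode": "active-passive",
    "config_sync": True,
    "peer_ha1_ip": "1.1.1.2",          # partner's HA1 address
    "peer_ha1_backup_ip": "2.2.2.2",   # partner's HA1 backup address
    "ha1": {"port": "ethernet1/4", "ip": "1.1.1.1", "netmask": "255.255.255.0"},
    "ha1_backup": {"port": "ethernet1/5", "ip": "2.2.2.1", "netmask": "255.255.255.0"},
    "ha2": {"port": "ethernet1/6", "session_sync": True},
    "ha2_backup": {"port": "ethernet1/7"},
    "priority": 10,                    # lower value wins the election
    "preemptive": True,
    "heartbeat_backup": True,
    "passive_link_state": "shutdown",  # only matters while a unit is passive
}

PASSIVE = {
    "name": "fw-passive",
    "enabled": True,
    "group_id": 25,
    "mode": "active-passive",
    "config_sync": True,
    "peer_ha1_ip": "1.1.1.1",
    "peer_ha1_backup_ip": "2.2.2.1",
    "ha1": {"port": "ethernet1/4", "ip": "1.1.1.2", "netmask": "255.255.255.0"},
    "ha1_backup": {"port": "ethernet1/5", "ip": "2.2.2.2", "netmask": "255.255.255.0"},
    "ha2": {"port": "ethernet1/6", "session_sync": True},
    "ha2_backup": {"port": "ethernet1/7"},
    "priority": 20,
    "preemptive": True,
    "heartbeat_backup": True,
    "passive_link_state": "auto",      # interfaces stay up, faster failover
}


def _network(link):
    """Subnet of one end of an HA link, e.g. 1.1.1.1 + 255.255.255.0 -> 1.1.1.0/24."""
    return ipaddress.ip_interface(f"{link['ip']}/{link['netmask']}").network


def expected_active(a, b):
    """The unit advertising the lower priority value wins the active role."""
    return a["name"] if a["priority"] < b["priority"] else b["name"]


def check_ha_pair(active, passive):
    """Return a list of problems; an empty list means the pair is consistent."""
    problems = []
    for fw in (active, passive):
        if not fw["enabled"]:
            problems.append(f"{fw['name']}: HA is not enabled")
        if not fw["ha2"]["session_sync"]:
            problems.append(f"{fw['name']}: HA2 session synchronization is off")
    # Settings that must match on both units.
    for key, label in (("group_id", "group ID"), ("mode", "HA mode"),
                       ("config_sync", "config sync"), ("preemptive", "preemptive"),
                       ("heartbeat_backup", "heartbeat backup")):
        if active[key] != passive[key]:
            problems.append(f"{label} differs: {active[key]!r} vs {passive[key]!r}")
    # Each unit's peer address must be the partner's own address on that link,
    # and both ends must share a subnet because no gateway is configured.
    for link, peer_key, label in (("ha1", "peer_ha1_ip", "peer HA1"),
                                  ("ha1_backup", "peer_ha1_backup_ip", "peer HA1 backup")):
        if active[peer_key] != passive[link]["ip"]:
            problems.append(f"{active['name']}: {label} {active[peer_key]} is not "
                            f"{passive['name']}'s {link} address {passive[link]['ip']}")
        if passive[peer_key] != active[link]["ip"]:
            problems.append(f"{passive['name']}: {label} {passive[peer_key]} is not "
                            f"{active['name']}'s {link} address {active[link]['ip']}")
        if _network(active[link]) != _network(passive[link]):
            problems.append(f"{link}: the two ends are on different subnets")
    if not active["priority"] < passive["priority"]:
        problems.append(f"device priority: {active['name']} ({active['priority']}) must be "
                        f"lower than {passive['name']} ({passive['priority']})")
    if passive["passive_link_state"] != "auto":
        problems.append(f"{passive['name']}: passive link state is "
                        f"{passive['passive_link_state']}; failover is faster with auto")
    return problems


def with_overrides(cfg, **changes):
    """Deep-copied variant of a unit's config, for what-if checks."""
    out = copy.deepcopy(cfg)
    out.update(changes)
    return out


if __name__ == "__main__":
    for line in check_ha_pair(ACTIVE, PASSIVE) or ["pair is consistent"]:
        print(line)
    print("expected active unit:", expected_active(ACTIVE, PASSIVE))
```

Running the script on the walkthrough values reports a consistent pair and names fw-active as the election winner; feeding it a variant built with `with_overrides` (a different group ID, a priority below the active unit's, or a peer address that is not the partner's HA1 address) lists each mismatch so it can be fixed before the commit and the peer synchronization.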
Info
Channel: Technical Security
Views: 13,942
Keywords: Kali linux, Firewall, Network Security, Cyber Security, End point Security, Pentesting, Web Application Security, Network, Bug Bounty POC, Bugcrowd, Hackerone, Hacker1, TryHackMe, Active Passive High Availability, Configuring HA, Palo Alto Networks Firewall, Active Passive High Availability environment
Id: PCPKcYQMX5A
Length: 12min 17sec (737 seconds)
Published: Tue Sep 27 2022