Palo Alto - Active Passive High Availability, Configuring Path Monitoring

Captions
Path monitoring is an optional High Availability feature, and it lets me configure my HA pair so that if the active firewall can't reach certain hosts outside the network, then it will fail over to my passive device. So, for example, I can configure the active firewall to check the IP address of this router at 203.0.113.1, then check the IP address of this host, 4.2.2.2, and the IP address of this host, 9.9.9.9. As long as those addresses respond to the firewall's ping request, this firewall will stay in active mode.

Now, there are two ways that I can configure path monitoring. Any path failure is the first way, and in this configuration, if any host that the active firewall is checking fails to respond, then that will trigger a failover. The second way that I can configure path monitoring is for all paths to fail, so in this configuration all of the hosts that the firewall is checking have to stop responding before the active firewall fails and the passive firewall takes over. Now, I can configure the firewall to perform checks either way, any or all, but not both.

Now I'll use the addresses in this illustration to configure path monitoring. So, to configure path monitoring, we go to Device, High Availability, and under the tab for Link and Path Monitoring, down here towards the bottom, I'll create an entry under the path group. Because I'm running this firewall in Layer 3 mode, I'll use this button here. If I'm running the firewall in Virtual Wire mode, I would add a path using this Add Virtual Wire Path. If I'm running the firewall in VLAN mode, then I would use this button. We talk about the networking configuration options for firewalls in another part of this course.

So I'll click Add Virtual Router Path. I'll choose the virtual router that I have in place on this firewall. I could have multiple virtual routers, but in this example I only have a single one. For failure condition, I'll leave this set to any. I want the box checked for Enable. Then I'll add the first IP address to this list here, click Add again, add the second address, and then the third address. Down here at the bottom, I can specify the interval between pings in milliseconds, and I can set the number of consecutive pings that the firewall has to receive from each target IP in order to consider that address to be reachable. I'm going to leave these set to the defaults and click OK.

So I have my path group set up using the any failure condition, which means that if any of these three addresses fail to respond, that will trigger a failover to the passive device. The settings appear for path monitoring if I have multiple paths. For example, if I have multiple virtual routers on this firewall, I could set up different sets of addresses to check through different virtual routers. In those situations, I could have this set to either any condition, meaning any of my path groups could fail, or all of my path groups have to fail, to trigger failover for path monitoring. Again, it doesn't matter in my example because I only have a single path group, so the condition of any or all would make no difference in this.

Right now, this path group is set up with the any failure condition. In other words, if any of these hosts stop responding to the active firewall's checks, then the active firewall will fail and the passive firewall will take over. If I want to, I can change the failure condition from any to all, and what this means is that all three of these addresses have to stop responding to the checks from the active firewall before it fails and allows the passive device to take over. So that's how you configure path monitoring.
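The any/all decision described in the captions, modelled as an added Python example (not code from the video or from Palo Alto Networks). The group name `vr-example`, the ping histories and the rule that a target counts as down after `misses` consecutive unanswered pings are assumptions of this sketch, not PAN-OS defaults.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class PathGroup:
    name: str                # hypothetical label, e.g. the virtual router used
    targets: list[str]       # destination IPs the active firewall pings
    condition: str = "any"   # the group's failure condition: "any" or "all"
    enabled: bool = True

    def failed(self, down: set[str]) -> bool:
        hits = [t in down for t in self.targets]
        if not hits:
            return False     # nothing to monitor, nothing can fail
        return any(hits) if self.condition == "any" else all(hits)

def down_targets(history: dict[str, list[bool]], misses: int) -> set[str]:
    """Assumed model: a target is down once its last `misses` pings all went unanswered."""
    return {ip for ip, replies in history.items()
            if len(replies) >= misses and not any(replies[-misses:])}

def should_fail_over(groups: list[PathGroup], history: dict[str, list[bool]],
                     misses: int = 3, condition: str = "any") -> bool:
    """`condition` is the top-level setting that combines several path groups."""
    down = down_targets(history, misses)
    results = [g.failed(down) for g in groups if g.enabled]
    if not results:
        return False
    return any(results) if condition == "any" else all(results)

TARGETS = ["203.0.113.1", "4.2.2.2", "9.9.9.9"]   # addresses from the walkthrough
# Constructed ping results (True = reply): only 4.2.2.2 stops answering.
ONE_DOWN = {"203.0.113.1": [True] * 5,
            "4.2.2.2": [True, True, False, False, False],
            "9.9.9.9": [True] * 5}
ALL_DOWN = {ip: [True, False, False, False] for ip in TARGETS}

def demo() -> dict[str, bool]:
    any_group = [PathGroup("vr-example", TARGETS, "any")]
    all_group = [PathGroup("vr-example", TARGETS, "all")]
    return {"any/one_down": should_fail_over(any_group, ONE_DOWN),
            "all/one_down": should_fail_over(all_group, ONE_DOWN),
            "all/all_down": should_fail_over(all_group, ALL_DOWN)}

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: failover={result}")
```

With the any condition, the outage of a single monitored host that you do not operate is enough to flip the pair, which is worth weighing when choosing monitoring targets.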
Info
Channel: Technical Security
Views: 2,896
Keywords: Kali linux, Firewall, Network Security, Cyber Security, End point Security, Pentesting, Web Application Security, Network, Bug Bounty POC, Bug Crowrd, Hackerone, Hacker1, TryHackMe, Palo Alto - Active Passive High Availability, Configuring Path Monitoring, Active Passive High Availability environment, Palo Alto Networks Firewall, Active Passive High Availability, Configuring HA
Id: OoI9Aw3wZGs
Length: 5min 6sec (306 seconds)
Published: Tue Sep 27 2022