Palo Alto Firewall Training | HA

Captions
Can you think of a time when you've had a hardware or link failure in your network? If you didn't have high availability, the result may have been catastrophic. This carries extra importance for firewalls, as that's often where connections to the Internet and WAN links lie. We're now going to see how high availability works on Palo Alto firewalls and how it's configured.

When it comes to high availability, Palo Alto firewalls use the same two options as everyone else. Option one is active/passive, where one firewall is in a passive state waiting to take over if there's a failure. Option two is active/active, where both firewalls actively pass traffic.

Active/passive is the simplest type of HA to deploy. In this model one firewall is analysing and passing the traffic, learning routes from routing protocols, maintaining information about sessions and so on. The second firewall is turned on and physically connected to the network, but it does not do much; that's why it's called a passive firewall. It's just waiting until it's needed. It will synchronize information from the active firewall, such as firewall configuration, session information and things like this. If the active firewall fails, the passive firewall is there to take over.

The alternative option, active/active, has both firewalls processing traffic at the same time; that is, they share the load. If one of these firewalls fails, then the other one takes on the extra traffic. Keep in mind that a single firewall needs to be powerful enough to take on all the traffic if a failure like this happens. Active/active is a bit more complicated to set up, as you need to think about how traffic is distributed between the pair and how NAT pools are managed on each device. We'll talk a little more about this and other active/active considerations at the end of the video.

In both HA models each firewall has a priority. In active/passive this priority decides which firewall is active. In active/active the priority decides which firewall is the active-primary firewall. Priority comes into play if preemption is enabled, which we'll see a little bit later. This is also important when a failed firewall has been repaired and added back into the pair.

When configuring an HA pair, it is mandatory to configure a few special links between the two firewalls. Most Palo Alto firewalls come with dedicated ports for this. In this model we have the dedicated HA1 and HA2 ports. HA1 is called the control link; it exchanges control-plane type traffic between the two firewalls. This includes heartbeat messages, HA state information, routing table synchronization and User-ID. HA2 is the data link, as it's used for sharing data-plane type traffic. This includes synchronizing sessions, forwarding tables, IPSec tunnel information and ARP information.

Not all models have the exact same ports though. The model shown here has HA1-A and HA1-B, which are the primary and backup control links. Instead of a port named HA2 it has an HSCI port; this is a high-speed data link. Some of the bigger firewalls have an additional AUX port. On the other end of the scale we have smaller firewalls which do not have any ports dedicated to HA. We still have options though: in a case like this we would configure some of the regular ports for HA; these are in-band ports. We can even use the management port for the control link if we wanted. Even on the bigger models we can still use in-band ports. Think of this one again, which only has one HSCI port for the data link. In this case we can configure an in-band port as a backup data link. In fact this is highly recommended, and we'll see how this is configured in a few moments' time.

When we're talking active/active we also need to configure an additional link called HA3. This is a packet forwarding link; it is used when setting up sessions and passing transit traffic from one firewall to another. This link is entirely layer 2 and uses MAC-in-MAC encapsulation. You'll probably have noticed that there are no dedicated ports for this, so we would need to configure an in-band port.

HA links can be run through external switches if you want them to. The control links can be routed, with traffic passing through multiple subnets, but where you can it's recommended to connect the firewalls directly together. I'll include a link to some best practices in the description if you want some extra reading.

So obviously the point of HA is to protect against failures. Roughly speaking, we can group failures into three categories. The first is a firewall failure, where one of the firewalls stops working for some reason. The second is a link failure, where a link connected to the firewall goes down. The third is a path failure, where something upstream of the firewall fails. Of course there is a scenario which we're not talking about here, which is when an administrator manually causes a failover, perhaps to install an update; we look at that in the next video.

During regular operations the firewall pair send each other regular heartbeat messages across the control link. This is just a simple ICMP ping. By default these are sent out once per second, and if three in a row do not arrive then the partner is assumed to be lost. We can change the heartbeat timer using timer profiles, which we'll see briefly in a moment. The recommended profile is the default, but there is also aggressive, or we can create our own. Some high-end firewalls perform internal health checks. This is not something we can configure; it just happens on its own. If a health check fails, this will also mean the firewall has failed and trigger a failover.

A link failure occurs when a link directly connected to the firewall fails. The firewall itself is fine though, and we're not talking about our HA links here; we're thinking about links to switches or routers. Even though the firewall is still alive, it won't be able to forward traffic, so we configure the firewalls to watch the state of individual links or groups of links, and if enough of them fail this can trigger a failover.

The third consideration is path monitoring. This is where something that is not directly connected to the firewall fails. This might not sound so bad, but if it's a critical upstream router then it can still break our network. Depending on the way the network was designed, we may want this to cause a failover so as to take an alternate path. We can do this by configuring path monitoring, which uses something like ping to see if a device on the network is up, and if it's not, the firewall can take action.

Let's see how this is configured. To give you a bit of background, I'm configuring two Palo Alto 3260s. So far I've set a management IP on each, but other than that I have made no changes to the config. The HA1-A and HA1-B ports are directly connected with Cat 6 cables. The HSCI interface is also directly connected with a 10 gig twinax DAC cable. There's no dedicated backup for the data link, so I've also cabled up the ethernet1/20 ports.

We are now going to configure active/passive HA. Firstly we'll check if ping is enabled on the management interface. This is not the most important thing for us in this specific case, but if you have a smaller model you might be using these interfaces as your control link, and you'll remember that ping is used for heartbeats, so we need to make sure this is allowed. In any case, for us it's enabled out of the box.

Next we're going to select our HA ports. This model already has three of our needed ports, so we don't need to do anything special for them. We do want ethernet1/20 to be a backup data link though, so we need to configure that. Keep in mind that a backup link is optional. Under the Network tab we go to Interfaces. If you look closely, the interface icon for ethernet1/20 is slightly different to the rest. When we open the interface we change the type to HA and optionally add a comment.

Time for the real HA config. This is in the Device tab under High Availability. In the Setup area we add a group ID; this needs to match on both our firewalls. This is also where we select whether we want active/passive or active/active. We'll obviously leave ours as active/passive. We'll come back to the rest of these options later.

Next up is the control link; that's the HA1 interfaces, which are configured in the sections over on the right. In Port we select the physical interface that we want to use as the primary control link; for us that's HA1-A. This operates at layer 3, so we also need IP addressing. I'm using 169.254.1.1, as this is a subnet that should never be routable anywhere on my network; that makes it a good choice for this out-of-band subnet. Notice that we can include a default gateway; we would use this if we have our firewalls in different subnets. As I just mentioned, our two firewalls are in a non-routable subnet, so we can leave this blank for this example. Another option is encryption. I'm not going to worry about that in my case, as these firewalls are directly connected and they are in a secure server room, so there's really no risk of anyone seeing this traffic. It's the same procedure for the backup control link; just use the HA1-B interface. Also assign a different subnet to the backup link; the primary and backup cannot overlap.

Now for the data link, which is using the HSCI port. Notice that there are options for transport. We're going to use Ethernet as our firewalls are directly connected; however, if we connected them through external switches we would need to change this to TCP or UDP and set an IP address. We also want to make sure session synchronization is enabled. If it isn't and there's a failover, the new active firewall will need to build all those sessions again, which would be disruptive to the flow of traffic. And finally, let's enable keepalives over HA2. This sends additional keepalive messages between the two firewalls, in addition to the heartbeats we talked about earlier. If the keepalives go missing then the firewalls know there's a problem. This would be particularly useful if we're running these links through external switches and there's an upstream failure that the firewall wouldn't normally detect. And of course we're configuring the backup HA2 link using the ethernet1/20 interface that we prepared earlier.

In Election Settings we should enable heartbeat backup. We do this because we're using dedicated HA interfaces; if we were using the management port as our control link we wouldn't need to do this. So what is it? Heartbeat backup prevents a split-brain scenario. Imagine if HA1 went down for any reason. In this case heartbeats would go missing and both firewalls would think that the other has failed; they would then both try to become active. The backup heartbeats use another path, so the firewalls are able to see if the other firewall is really down.

We can also set the device priority here if we want to. This is optional, but it helps us to know which firewall is active under normal circumstances. The lower the value, the more preferred that firewall is. If both values are the same, as they are by default, then the lowest MAC on HA1 is used to break the tie. I like to enable preemption; this means that if we replace a failed firewall and the replacement has a better priority, it will automatically become active. Here is where you can change the timers that I spoke about earlier; I would just leave them as recommended unless you really have a need to change them.

By default a passive device will keep its interfaces in a disabled state until it transitions to active. Auto means that the interfaces on the passive unit will always stay up. This is a step toward faster failover, but it might make troubleshooting more difficult. Even if we do this, the passive unit will not forward any traffic through these interfaces, so make sure that any switches or firewalls connected to these interfaces are not trying to forward traffic through here based on link status. If you find that you are inexplicably dropping traffic, maybe come back here and check this setting. If you do set this to auto, you can also enable LACP and LLDP pre-negotiation; this is the next step to fast failover. If you're just not sure, we'll leave it at shutdown.

Well, that's our prerequisites done, so we can finally enable HA. This is in the same section that we saw earlier. Make sure Enable Config Sync is turned on; if it's not, the config will not be replicated from the active to the passive. We need to enter the IPs of the peer device here, and finally we're committing our changes. The second unit needs to be configured too, but as it's more or less the exact same as this one, I'll save you time and pause the video while I do that.

The second unit is now done. If we go to the dashboard we will be able to find a widget for high availability. In this widget we can force a sync of HA information to the peer device. Notice that the status of the device is active and the config has been synchronized.

If you're interested in active/active, stick around; we've got a few brief concepts to cover. In the active/active model both firewalls need to forward traffic at the same time. This comes with some extra considerations. When a session is created, which firewall owns it? Is traffic split across the two firewalls? Is it evenly shared, or does one take a larger load? How do you direct traffic to the right firewall, and what happens if traffic arrives at the wrong firewall?

When new traffic reaches the firewall, the firewall sets up a session. This is where the firewall starts collecting information about the flow of traffic so it can track it. This is not specific to HA; at this point even a standalone firewall will do this. When you have two active/active firewalls, one firewall will become the session owner. Under normal circumstances this firewall will handle all traffic for the session; if it fails, the other firewall can take over as the session owner. In general the firewall that receives the first packet in a flow will become the session owner for that flow. However, there are times when we might want to change that. For example, we might want the active-primary firewall to handle all traffic for the purposes of packet capturing or some other troubleshooting. We might also decide to use another method to determine which firewall becomes the owner. The two other options are IP hash, which uses a hash of the source and destination IPs to allocate sessions to the firewalls, or IP modulo, which uses the parity of the source IP.

The firewall that receives the first packet is often the best choice, but if we do that, how can we split the traffic somewhat evenly across the firewalls? That is, how do we prevent all traffic arriving at a single firewall and that firewall becoming the owner of all traffic? There are a few ways this can be done. One option is to use layer 3 routing, where the upstream routers decide which firewall a packet should be delivered to. Or maybe a layer 2 floating IP address with load sharing would be better; this is a bit like VRRP. A third option might be to use an external hardware load balancer. The option you choose has to be the right one for your network.

But let's consider this scenario: a packet arrives at one firewall, and this firewall sets up a session and becomes the session owner. For some reason the next packet in the flow arrives on the other firewall. What happens now? In this case the packet needs to be passed on to the correct firewall; that's what the HA3 link is useful for. That's also why the HA3 link is only needed for active/active HA. Once the packet is passed to the correct firewall, it is processed as normal.

We've seen the two types of high availability on Palo Alto firewalls. Hang around for the next video, where we will see how to update these firewalls that have been configured as an HA pair.
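To make the active/active session-owner discussion concrete, here is an added Python model (not PAN-OS code and not from the video) that applies the owner-selection methods described above to a few constructed flows and flags which follow-up packets would have to cross HA3 to reach the owner. The IP-hash function is an assumed stand-in, since the video only says a hash of the source and destination IPs is used; the flow addresses are constructed sample data.

```python
import hashlib
import ipaddress

# Illustrative model of active/active session ownership (added example, not PAN-OS code).
# The two firewalls are named after the active-primary / active-secondary roles.
FIREWALLS = ("primary", "secondary")

def owner_first_packet(first_seen_on: str) -> str:
    """Default behaviour: the firewall that received the flow's first packet owns it."""
    return first_seen_on

def owner_primary_only() -> str:
    """Pin every session to the active-primary firewall (e.g. for packet captures)."""
    return "primary"

def owner_ip_hash(src: str, dst: str) -> str:
    """Hash of source + destination IP mapped onto the pair. SHA-256 here is an assumption."""
    digest = hashlib.sha256(f"{src}->{dst}".encode()).digest()
    return FIREWALLS[digest[0] % 2]

def owner_ip_modulo(src: str) -> str:
    """Parity of the source address decides the owner: even -> primary, odd -> secondary."""
    return FIREWALLS[int(ipaddress.ip_address(src)) % 2]

def needs_ha3_forwarding(owner: str, arrived_on: str) -> bool:
    """A packet that lands on the non-owner must cross HA3 to be processed by the owner."""
    return owner != arrived_on

# Constructed sample flows: (src, dst, firewall that saw packet 1, firewall packet 2 hit).
FLOWS = [
    ("10.1.1.10", "203.0.113.5", "primary", "primary"),
    ("10.1.1.11", "203.0.113.5", "primary", "secondary"),
    ("10.1.1.12", "198.51.100.9", "secondary", "secondary"),
]

def forwarding_plan(method: str) -> list:
    """Return (src, owner, crosses_ha3) per flow under the chosen owner-selection method."""
    plan = []
    for src, dst, first_on, next_on in FLOWS:
        owner = {
            "first-packet": lambda: owner_first_packet(first_on),
            "primary": owner_primary_only,
            "ip-hash": lambda: owner_ip_hash(src, dst),
            "ip-modulo": lambda: owner_ip_modulo(src),
        }[method]()
        plan.append((src, owner, needs_ha3_forwarding(owner, next_on)))
    return plan
```

Calling `forwarding_plan("ip-modulo")` shows the third flow being owned by the primary (even source address) even though both of its packets arrived on the secondary, so its second packet crosses HA3; under `"first-packet"` it is the second flow that needs forwarding.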
Info
Channel: Network Direction
Views: 11,492
Keywords: Network direction, Palo alto, High availability, Ha, Active, Passive, Control link, Data link, Nat, Session, Preemption, Ha1, Ha2, Ha3, Hsci, Packet forwarding link, Health check, Path monitoring, Session synchronization, Backup ha2, Election settings, Heartbeat backup, Pre-negotiation, Config sync, Sync to peer
Id: 3KyVWHuii0o
Length: 18min 13sec (1093 seconds)
Published: Tue May 26 2020