Palo Alto Lesson: 12.5 Lab: Active-Passive High Availability

Captions
Hello and thank you for watching my video. My name is Astrit Krasniqi; I am a Cisco CCNA, CCNP and Palo Alto certified instructor. In this video we are covering PCNSA 210, and this is our chapter 12, High Availability, or HA for short. This is the fifth video of chapter 12, which is 12.5, our lab about active/passive high availability configuration. What we're going to do in this lab: we're going to configure a dedicated high availability interface, which we're going to be using as a data link, and we're going to configure active/passive high availability. Then we look at the dashboard: we add the widget first, and then we look at the high availability configuration, is it working or not, and we observe the behaviour there.

This is the lab topology that I will be using to demonstrate high availability for you. I will have access to two firewalls: I have a firewall A here and a firewall B. I will access firewall A from this management interface, the 192.168.1.254 IP address, and we're going to be using that as HA1, or control link. Our management interface for firewall B is 192.168.1.253; again, that will be used as HA1 or control link. Then I will create a dedicated high availability interface and that will be used as HA2. The dedicated interface will be ethernet1/6, which will be used as HA2, or data link. We'll give it an IP address: 172.16.12.1 will be for firewall A and 172.16.12.2 for firewall B. Our firewall A will be the active firewall because we set the priority to 80 and we'll enable preemption, so firewall B will have the default priority, 100, and preemption will be enabled as well. OK, so there's quite a few things to do, so let me go to both of the firewalls and show you. This is my firewall A, so I have access to 192.168.1.254, and then there we have firewall B, 192.168.1.253, the same as what we have here.

OK, so the first thing that we need to configure is to enable an interface for high availability, which will be used as the data link interface, or HA2. So for firewall A I'll go to Network and then Interfaces, and I'll choose ethernet1/6, and in here I'll just put it as HA2, so interface type HA. Nothing else I can configure; comment, well, in production you put a comment in there, but that's it. I don't need to give an IP address or anything, just click OK here. Then I'll do the same for firewall B, so I'll go to firewall B, Network and then Interfaces, ethernet1/6, and I'll enable that, not as a tap interface but HA, that's it, interface type HA, and click OK. So firewall B has got interface ethernet1/6 as HA and firewall A has got the same ethernet1/6 HA interface, and again, if you look, that will be HA2, the data link; we'll use it for the data link.

OK, the next thing we need to do is actually enable high availability, and to do that we need to go to Device, and then the second entry is High Availability. In the General tab I have to go to Setup and I enable it here; by default it's not enabled, you see Enable HA, so I'll tick that. Group: you can see it's from 1 to 63; the group has to be the same, so we have to choose the same group. Anything else we put here, so 1, 2, in parallel 1 and 2. Description, we'll put whatever you want, but I'm just going to say active passive HA. You can see the modes: we can have active/passive, which is what we're going to be using, or we can have active/active mode. I'm going to choose active/passive and leave active/active for future, more advanced Palo Alto lessons. We're going to enable configuration synchronization, and then we need to tell it the peer HA1 IP address. What it's looking for now, you see HA1 is the control link, is the peer IP address, which is this one here, 192.168.1.253, so here I need to put 192.168.1.253. I'm not going to have any backup; our peer, our neighbour, doesn't have a backup HA1, so I'm going to leave that empty and click OK. I'll do the same for firewall B: I'll go to firewall B, go to Device and then High Availability, General, and I will enable it there. So Enable HA, the group the same, leave the description (you can put whatever you want), active/passive, and the peer HA1 IP address. Now it's looking for this IP address, so for firewall B the peer is firewall A with that IP address, so 192.168.1.254 is the IP address, and click OK. Now high availability is enabled and we just need to configure the other settings, for example the data link and the control link.

The next step is the control link, or HA1. We can configure the control link: if it's dedicated we'll put it here, or if it's some other interface we have to enable it, but by default we're going to be using our management port, which is already configured here, so we don't need to really change anything. Encryption I'm not going to enable, and monitor hold time I'll leave at the default. Now I'll do the same; well, I'm not doing anything, I'm just verifying. So on firewall A it's the same: the management interface is going to be the control link, HA1 is the management interface, and for HA2, as you can see, the HA2 data link is the interface ethernet1/6 and that's the IP address. So on firewall A, you can see Data Link (HA2); I'll configure that. I will enable session synchronization and the port is the one that I created, ethernet1/6, that's my HA2, and the IP address for this is going to be 172.16.12.1. I'm picking this just from the same network, any private address; you can really pick your own ones. What I'm trying to say is that it doesn't have to be this address. You would use a gateway if the data link interfaces are in different subnets; then you have to use the gateway, otherwise you can just leave it empty. Transport we can leave as Ethernet, IP or UDP; we're just going to leave it as Ethernet. I'm going to keep this the same, I'm not going to change the HA2 keep-alive, so I'm going to keep it as is and click OK. Now we'll go to firewall B and I'll do the configuration: under the data link I'll say the port is ethernet1/6 and the IP address of this is 172.16.12.2 and the subnet is 255.255.255.0. That's it. So now HA1 is already configured, because that's the management interface and we told it what the peer's IP address is, and HA2 we enabled on the interface that we have configured.

Now we have to configure preemption and the priority, for example, and that is under Election Settings. So in the same place we go to Election Settings, we click on the gear icon here, and Device Priority, you can see it is 100. For firewall B I want to leave it as default, so this is firewall B, leave it default. I will enable Preemptive, so preemption will be enabled. Heartbeat Backup, this is to avoid the split-brain scenario that we talked about in the lesson; I'm not going to enable that, I'm going to leave it as is, I don't have a backup. The timers: we have two timers, Recommended and Aggressive, and these are going to be populated themselves, we don't have to worry about it, depending on the firewall. If we want to change them we just click on Advanced and we put in our own timers, but I'm going to keep it on Recommended, so click OK. Now on firewall A I will actually reduce the priority to 80, which will make this firewall become the active firewall; preemption is enabled and I will leave the timers on Recommended. The next thing is, if you have a backup, for example an HA1 backup, you will configure it here; if you have an HA2 backup, you will configure it here, which I don't have, so I'm not going to configure it.

The next thing is Active/Passive Settings. This is what happens to your link if the firewall is in the passive state: is it shut down, which will take longer to come up and then to take over, or maybe just auto, it's up but it is disabled, and how long we want to wait before we actually take over. This is to prevent, you know, flapping of the firewall going up and down and so on. I can click OK, and I'll do the same for firewall B, so Active/Passive Settings and set it to auto, OK.

The next thing I'm going to do is Link and Path Monitoring. This is for when, for example, we are the active firewall but some interface goes down; we want to make sure that this is a failure and the passive firewall will become the new active firewall. So we can monitor, for example, our interfaces. I'm just going to give a name here, link monitor, and enable it, and the failure condition: I can say any of the interfaces I add, anything goes down, it's a failure; or I have to wait for all interfaces to go down, then it will be considered a failure. I will add the interfaces ethernet1/1, ethernet1/2 and ethernet1/3, so if any of these interfaces goes down it will be considered a failure and the passive firewall will take over. Then we can do path monitoring as well, and I can add a virtual router, for example a virtual router path; the firewall will actually ping the path and make sure that it can access it. If it can't access it then that will be considered a failure. So I'm going to use my router and choose a path; for example I can ping some DNS server, so for as long as I'm pinging this, that is considered fine, and click OK. We could change the ping interval as well if you wanted; I don't know if you saw it here, ping interval and ping count, we can change them, I'll just leave them at default. I will do the same for firewall B, so I'll go to Link and Path Monitoring and I monitor the links, for example just say link monitor, and here I'll put the interfaces that I want to monitor, so ethernet1/1, 1/2 and 1/3; if any of the interfaces goes down that's going to be considered a failure. We can monitor a path as well: virtual wire path or VLAN path; we're going to say a virtual router path and our virtual router is VR Latvia, and I'm going to add it: for as long as I can ping this IP address then the path is fine.

OK, that's all done for the high availability, or active/passive, configuration, so I just need to commit and then we can go and check it. So commit on firewall B and then commit on firewall A, and then we go and check. OK, the commit has completed successfully on firewall A, and just checking firewall B, it has completed successfully; we got some warnings, but that's for the external dynamic list, and there's one big warning here, no valid threat license, and that can be the problem. Remember we said that it has to match: the licenses, the operating system version and so on, they all have to match. If I go to the dashboard here, look, the software version is 9.01; this has to match, so I go to the dashboard here and I see software version 9.01, that matches, yes that matches. Now it says here the license, Virtual Machine License: none, and here you see Virtual Machine License: VM-50, and that's going to be a problem. So these two are not going to create a high availability pair because the license is different; so the antivirus version, the WildFire version here, they're going to be different, right.

So to check it anyway we have to go to the dashboard, which we are on here, and we have to add the widget for high availability, and that's located under System and then High Availability. As you can see now, we have red, which is no good, green is OK, and orange, which is passive, but we don't have anything. OK, so what we can see here: the high availability, the control link, it's OK, it's up, and the data link is up, so it's working, and the VM service is matching, but the problem that we have is Non-Functional, VM license mismatch with peer. So for example here the licenses are not matching between firewall A and firewall B, because firewall B is not licensed; you know, I'll just use it for testing, it's not licensed, so that's why we don't have a peer. But you can see the peer IP address and it's working, they're communicating with each other, but the only problem is that we don't have the license.

We can have a look at the system log. If we want to see what information we have, for example, go to Monitor and then under Logs we have the System log. So anything that... well, let me get rid of this VPN information; what we actually want to see is the high availability stuff, so I can click on this, high availability, and that will give it as a filter, apply that filter, and I'll just see the high availability stuff. So: VPN client software now matches; client software version does not match; GlobalProtect threat content version does not match; we have some problems here, that's why it's not working. But HA1 link here, link is up; HA2 peer link is up; so they're working. What it's telling me is that actually they are communicating, but the only problem is that we don't have the license: peer device VM license not matching, going to non-functional state. So it's not actually working. OK, so if you remember, the states were: Non-Functional when there's an error; Suspended if we switch it off for some reason, for testing or something; we have Active, Passive and Initial, init or initializing stage. OK.

So thank you for watching this video. This was demonstrating how to configure high availability, or active/passive high availability, and we only couldn't get it working because of the license. I don't have two firewalls with a license because that would be crazy just for one video, and you need about 800 pounds to buy this license, but one of them is licensed and the other one is not licensed, so that's why it wasn't working. But if both were licensed, that's all the configuration. Thank you for watching lesson 12.5, Lab: Active-Passive High Availability; this is of chapter 12, High Availability. Please have a look at my other videos and don't forget to subscribe. This has been Astrit Krasniqi.
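The lab's pairing rules (same group ID in 1-63, peer HA1 addresses pointing at each other, HA2 addresses in one subnet unless a gateway is set, matching software version and VM license, lower priority number wins) can be checked before committing. The following is an added example, not code from the video or from Palo Alto Networks; the `HaMember` model and `check_pair` function are my own, and the sample values reproduce the lab's two firewalls (firewall B unlicensed).

```python
"""Pre-commit consistency check for a PAN-OS active/passive HA pair (added example)."""
from dataclasses import dataclass
from ipaddress import ip_interface


@dataclass
class HaMember:                 # hypothetical model of one HA peer's settings
    name: str
    mgmt_ip: str                # HA1 control link rides the management port here
    peer_ha1_ip: str            # value entered in the Peer HA1 IP Address field
    ha2_ip: str                 # HA2 data link address in CIDR form
    group_id: int
    priority: int = 100         # PAN-OS default; lower number is preferred
    preemptive: bool = True
    sw_version: str = ""
    vm_license: str = ""        # "" models the unlicensed lab firewall
    ha2_gateway: str = ""       # only needed when HA2 addresses are in different subnets


def check_pair(a: HaMember, b: HaMember):
    """Return (name of the device that should become active, list of problems)."""
    problems = []
    if not 1 <= a.group_id <= 63 or a.group_id != b.group_id:
        problems.append("group ID must be identical on both peers and within 1-63")
    if a.peer_ha1_ip != b.mgmt_ip or b.peer_ha1_ip != a.mgmt_ip:
        problems.append("peer HA1 IP addresses do not point at each other")
    if ip_interface(a.ha2_ip).network != ip_interface(b.ha2_ip).network \
            and not (a.ha2_gateway and b.ha2_gateway):
        problems.append("HA2 addresses are in different subnets and no gateway is set")
    if a.preemptive != b.preemptive:
        problems.append("preemptive should be enabled (or disabled) on both peers")
    if a.sw_version != b.sw_version:
        problems.append(f"PAN-OS version mismatch: {a.sw_version} vs {b.sw_version}")
    if a.vm_license != b.vm_license:
        problems.append(f"VM license mismatch with peer: {a.vm_license!r} vs "
                        f"{b.vm_license!r} (pair goes Non-Functional)")
    # Election: the lower numeric priority wins the active role.
    active = a.name if a.priority <= b.priority else b.name
    return active, problems


# Constructed sample matching the lab: A has priority 80, B is unlicensed.
FW_A = HaMember("firewall-A", "192.168.1.254", "192.168.1.253", "172.16.12.1/24", 1,
                priority=80, sw_version="9.01", vm_license="VM-50")
FW_B = HaMember("firewall-B", "192.168.1.253", "192.168.1.254", "172.16.12.2/24", 1,
                sw_version="9.01", vm_license="")

if __name__ == "__main__":
    active, problems = check_pair(FW_A, FW_B)
    print(f"expected active: {active}")
    for p in problems:
        print(f"PROBLEM: {p}")
```

Licensing firewall B (or fixing whichever problem is reported) empties the problem list, which is the state the dashboard widget shows as green.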
Info
Channel: Astrit Krasniqi
Views: 2,766
Keywords: Active/Passive, High Availability, HA Prerequisites, Layer 3 link, Control Link (HA1), Data Link (HA2), Data Plane, Mgmt Plane, Dedicated HA Ports, Non-Dedicated HA Ports, HA Backup Links, Preempt, Active, Passive, Failure Detection, Heartbeats, Hellos, HA Timer
Id: Y_8n2mRQVQ8
Length: 16min 27sec (987 seconds)
Published: Mon Sep 14 2020