3/27/2021

Palo Alto EVE-NG
If we go back to Device > High Availability, we now have a new tab. I will cover setting up failure conditions in a separate post.

We have a pair of Palo Alto VM-100 devices running in EVE-NG. These are connected to each other using ethernet 13 (HA1) and ethernet 15 (HA2).

Firewall 1 High Availability settings

The first step is to set the interface type on the two interfaces (Network > Interfaces > Ethernet) to the type HA.

The next step is to go to Device > High Availability > General and click on Setup. The mode I am using is Active Passive, and we enter the Peer HA1 IP address.

Next, we set the Control Link (Device > High Availability > General > Control Link (HA1)). The control link is where we exchange hellos, heartbeats and High Availability state information. It also does management plane sync for routing and User-ID information, and it is also over this link that we synchronize our settings with the peer firewall. I am using 10.104.140.124 for firewall 1; firewall 2 will be using 10.104.140.224.

After this, we configure the Data Link (HA2) settings (Device > High Availability > General > Data Link (HA2)). I am using eth15 and the IP address 10.104.141.1. We are also enabling session synchronization and the HA2 keep-alive. The HA2 data link is for session synchronization (as you might have guessed from the tickbox), forwarding tables, and IPSec security associations.

One of the firewalls should be the preferred one, the one that will be active most of the time. We do this by setting the priority under Device > High Availability > General > Election Settings.

The heartbeat is pretty important, so I will quote directly from Palo Alto:

"Enabling heartbeat backup also allows you to prevent a split-brain situation. Split brain occurs when the HA1 link goes down, causing the firewall to miss heartbeats, although the firewall is still functioning. In such a situation, each peer believes that the other is down and attempts to start services that are running, thereby causing a split brain. When the heartbeat backup link is enabled, split brain is prevented because redundant heartbeats and hello messages are transmitted over the management port."

This reduces the amount of time it takes for the passive firewall to take over when a failover occurs, and it allows you to monitor the link state.

Firewall 2 High Availability settings

I am just going to post the pictures here: Setup, Control Link, Active/Passive settings, Data Link (HA2), and Election.

Once both firewalls have had their changes committed, we should be good to go and do some testing.

Testing High Availability

There's a cool little widget for your dashboards available. Here is the active node (10.104.140.1), and here is the passive one (10.104.140.2). All is nice and healthy. So, let's test.
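The dashboard widget above shows the active/passive state by eye; the following script, added here as an example and not part of the original post, performs the same check programmatically over the XML that the `show high-availability state` operational command returns from each peer, and flags the split-brain condition (both peers active) that the heartbeat backup is meant to prevent. The sample responses are constructed, and the element names (local-info/state, peer-info/state, running-sync) are assumed to match the PAN-OS XML API output.

```python
# Health check for a PAN-OS HA pair from each peer's `show high-availability state` XML.
import xml.etree.ElementTree as ET

# Constructed sample responses (not captured from a real firewall); element names
# are assumed to match the PAN-OS XML API and only the fields read below are kept.
FW1_HEALTHY = """<response status="success"><result><enabled>yes</enabled>
<group><local-info><state>active</state></local-info>
<peer-info><state>passive</state></peer-info>
<running-sync>synchronized</running-sync></group></result></response>"""
FW2_HEALTHY = """<response status="success"><result><enabled>yes</enabled>
<group><local-info><state>passive</state></local-info>
<peer-info><state>active</state></peer-info>
<running-sync>synchronized</running-sync></group></result></response>"""
# HA1 lost with no heartbeat backup: each peer thinks the other is gone and goes active.
FW1_SPLIT = """<response status="success"><result><enabled>yes</enabled>
<group><local-info><state>active</state></local-info>
<peer-info><state>unknown</state></peer-info>
<running-sync>unknown</running-sync></group></result></response>"""
FW2_SPLIT = FW1_SPLIT  # the other peer reports the mirror image: active, peer unknown

def parse_state(xml_text: str) -> dict:
    """Extract the HA fields this check needs from one peer's response."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise ValueError("HA state query failed")

    def text(path):
        node = root.find(path)
        return (node.text or "").strip().lower() if node is not None else ""

    return {"enabled": text("./result/enabled") == "yes",
            "local": text("./result/group/local-info/state"),
            "peer": text("./result/group/peer-info/state"),
            "sync": text("./result/group/running-sync")}

def ha_health(fw1_xml: str, fw2_xml: str) -> list:
    """Return a list of problems for the pair; an empty list means healthy."""
    a, b = parse_state(fw1_xml), parse_state(fw2_xml)
    problems = []
    if not (a["enabled"] and b["enabled"]):
        problems.append("HA is not enabled on both peers")
    if a["local"] == "active" and b["local"] == "active":
        problems.append("split brain: both peers report themselves active")
    if a["peer"] != b["local"] or b["peer"] != a["local"]:
        problems.append("peers disagree about each other's state (HA1 down?)")
    if a["sync"] != "synchronized" or b["sync"] != "synchronized":
        problems.append("running configuration is not synchronized")
    return problems

if __name__ == "__main__":
    print("healthy pair:", ha_health(FW1_HEALTHY, FW2_HEALTHY) or "OK")
    print("split brain: ", ha_health(FW1_SPLIT, FW2_SPLIT))
```

In a lab like this one, the XML would come from each firewall's management address (10.104.140.1 and 10.104.140.2) via an API call with `type=op`; the check is worth running after the commit on both peers and again after each failover test.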