HOW TO CONFIGURE PALO ALTO HIGH AVAILABILITY

NETWORK TOPOLOGY PAN OS VER 11


ACTIVE/PASSIVE WITH LINK MONITORING
Step 1: Configure the interfaces in High Availability Mode

In this step, we will configure the data plane interfaces in High Availability
mode.

Navigate to Network > Interface > Ethernet, select the interface name, and
set the interface type to HA.

Step 2: Configure High Availability on the First Palo Alto Networks
Firewall

Navigate to Device > High Availability > General > Setup, enable
High Availability, and configure the Group ID. Select the mode as
Active-Passive, define the peer HA1 IP address, and click OK.

Select the Active Passive Settings and set Passive Link State to Auto
to ensure a faster failover.

Navigate to Election Settings and define the Device Priority and
Preemption settings.

Navigate to Device > High Availability > HA Communication and
define the HA1 and HA2 links. Select HA1 and define the Port and IP
Address.

Also edit the HA2 configuration under Data Links and define the port,
IP address, and Transport method.
If HA2 is connected back-to-back, you can select ethernet as the Transport
method and do not need to define the IP address.

Then commit the change from the candidate configuration to the running
configuration.

The same configuration must be done on the second firewall, with a
different Device Priority and Peer IP, and the same Group ID.
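
The rule above (same Group ID, different Device Priority, each Peer IP pointing at the other unit's HA1 address) can be checked offline before committing. The following is an added example, not part of the original guide or any Palo Alto Networks tooling; the dictionary field names and the sample addresses are assumptions made for illustration.

```python
# Added example: offline consistency check for an active/passive HA pair.
# Field names are hypothetical and are not PAN-OS configuration keys.
import ipaddress


def check_ha_pair(a, b):
    """Return a list of findings; an empty list means the pair is consistent."""
    findings = []
    if a["group_id"] != b["group_id"]:
        findings.append("group_id differs between peers")
    for fw in (a, b):
        if fw["mode"] != "active-passive":
            findings.append(f"{fw['name']}: mode is not active-passive")
    if a["device_priority"] == b["device_priority"]:
        findings.append("device_priority is identical on both peers")
    # Each firewall's peer HA1 address must be the other firewall's HA1 address.
    for local, remote in ((a, b), (b, a)):
        peer = ipaddress.ip_address(local["peer_ha1_ip"])
        if peer != ipaddress.ip_address(remote["ha1_ip"]):
            findings.append(
                f"{local['name']}: peer_ha1_ip does not match {remote['name']} ha1_ip"
            )
    if a["ha2_transport"] != b["ha2_transport"]:
        findings.append("ha2_transport differs between peers")
    # Back-to-back HA2 over ethernet needs no IP address; other transports do.
    for fw in (a, b):
        if fw["ha2_transport"] != "ethernet" and not fw.get("ha2_ip"):
            findings.append(
                f"{fw['name']}: ha2_ip required for transport {fw['ha2_transport']}"
            )
    return findings


# Constructed sample values (RFC 5737 documentation addresses).
FW1 = {"name": "fw1", "group_id": 1, "mode": "active-passive",
       "device_priority": 100, "ha1_ip": "192.0.2.1",
       "peer_ha1_ip": "192.0.2.2", "ha2_transport": "ethernet"}
FW2 = {"name": "fw2", "group_id": 1, "mode": "active-passive",
       "device_priority": 110, "ha1_ip": "192.0.2.2",
       "peer_ha1_ip": "192.0.2.1", "ha2_transport": "ethernet"}

if __name__ == "__main__":
    for finding in check_ha_pair(FW1, FW2) or ["pair is consistent"]:
        print(finding)
```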

Then commit all the changes and navigate to the Dashboard > High
Availability widget on the first Palo Alto firewall to view the High
Availability information.

ACTIVE FIREWALL

Running configurations are synced across and the rest of the services are
matched.
PASSIVE FIREWALL

Link and path monitoring: if any link state goes down on the active device,
failover occurs. You can also configure a path group, which uses ICMP
pings to a given destination to validate whether there is a service.

Prepared by Dani ISSAI