Palo Alto Firewall: Supercharge HA Configuration For Active-Passive High Availability!
- Published on 8 Feb 2025
- In this video, we'll show you how to supercharge your HA configuration for active-passive high availability!
By following our tips, you'll be able to create an active-passive high availability environment that will make your web applications bulletproof! This is a great video for anyone who is looking to improve their web application security or who is looking to set up an active-passive high availability environment for their business.
#firewall #paloalto #paloaltofirewall #paloaltonetworks
For those asking about cabling, there are some considerations.
First, there are some firewalls with dedicated HA1 and HA2 ports, and they are labeled. Those have no further mystery: you just connect HA1 of FW1 to HA1 of FW2 and HA2 of FW1 to HA2 of FW2.
For firewalls that have no dedicated HA ports, the best practice is to use the Management ports as HA1 (control) link.
-
The two main ways of doing this are:
1. Directly connecting the Management interfaces of both NGFWs: connect MGMT of FW1 to MGMT of FW2 and set them both as HA1.
2. Connecting both Management interfaces to a switch and still setting them both as HA1.
-
Way 1 is simpler and may be better for smaller networks. Its greatest disadvantage is that you can no longer access the out-of-band Management port; you'd have to assign an in-band data interface as a Management one (ideally putting it in your separate administration network with its dedicated VLAN, etc.).
Way 2 is the best for bigger, more complex networks. The only disadvantage it has is that the switch working as an intermediary for both Management/HA1 ports is a new point of failure. Ergo, if the switch fails, the HA fails.
But this method allows you to still access the Management interfaces for management purposes, as they keep the HA1 communication going at the same time as you access them. They even use separate IPs for each task; it's pretty much as if you had created a management subinterface for HA1.
If concerned about traffic spoofing, you can enable encryption for the HA1 (control link) connection.
-
For HA2, in either of those two cases you just assign an in-band data port as HA type and set it up as HA2 in Device --> HA --> HA Communications.
-
Still, in my experience, the best thing to do is to just set up 2 data ports as HA type and use one for HA1 and the other for HA2, but I am not a Best Practice Expert, just a silly little dude.
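As an added example (not from the video or the commenter above), here is what the cabling choices described in that comment look like as PAN-OS CLI configuration on one peer of an active/passive pair: HA1 on the management port (the commenter's way 2), the data-port alternative for HA1, HA2 on a data port of type HA, and HA1 encryption. Interface names, IP addresses, priorities and the group ID are assumptions for a lab; the `#` lines are annotations, not CLI input; and the command syntax follows the `set deviceconfig high-availability` tree as the editor recalls it from PAN-OS 9.x/10.x, so check each line against the CLI reference for your PAN-OS version before committing.

```text
# Assumed lab values (not from the page). This is FW1; FW2 mirrors it with the other
# address of each /30 and a higher (worse) priority, e.g. 110.
#   HA1 (control): management port shared with HA1; HA1 IPs 192.0.2.1/30 (FW1), 192.0.2.2/30 (FW2),
#                  separate from the management IPs, as the comment describes
#   HA2 (data):    ethernet1/8 on both boxes, 198.51.100.1/30 <-> 198.51.100.2/30
configure

# Enable HA as active/passive; lower priority number wins the active role, preemptive returns it after recovery
set deviceconfig high-availability enabled yes
set deviceconfig high-availability group group-id 1
set deviceconfig high-availability group peer-ip 192.0.2.2
set deviceconfig high-availability group mode active-passive passive-link-state auto
set deviceconfig high-availability group election-option priority 100
set deviceconfig high-availability group election-option preemptive yes

# HA1 control link on the management port (way 2): mgmt and HA1 share the port with different IPs
set deviceconfig high-availability interface ha1 port management
set deviceconfig high-availability interface ha1 ip-address 192.0.2.1
set deviceconfig high-availability interface ha1 netmask 255.255.255.252
# Encrypt HA1 (the spoofing caveat). Before enabling, export the HA key on one peer and import it on
# the other under Device > Certificate Management > Certificates, otherwise HA1 will not come up.
set deviceconfig high-availability interface ha1 encryption enabled yes

# Alternative to the three ha1 "port management" lines: a data port set to type HA
# (the commenter's preferred layout; remove the "port management" line if you use this)
# set network interface ethernet ethernet1/7 ha
# set deviceconfig high-availability interface ha1 port ethernet1/7
# set deviceconfig high-availability interface ha1 ip-address 192.0.2.1
# set deviceconfig high-availability interface ha1 netmask 255.255.255.252

# HA2 data link always lives on a data port of type HA (Device > HA > HA Communications in the GUI)
set network interface ethernet ethernet1/8 ha
set deviceconfig high-availability interface ha2 port ethernet1/8
set deviceconfig high-availability interface ha2 ip-address 198.51.100.1
set deviceconfig high-availability interface ha2 netmask 255.255.255.252
set deviceconfig high-availability interface ha2 transport ethernet

commit
exit

# Checks after both peers are committed: HA1/HA2 links up, one peer active and the other passive,
# and the running config in sync
show high-availability state
show high-availability all
```

The peer IP in the HA1 encryption and `peer-ip` settings is the peer's HA1 address, not its management address, which is what lets management and HA1 coexist on the same physical port in way 2. With an intermediate switch (the single point of failure the comment calls out), a second control path can be configured under `interface ha1-backup` on another data port of type HA, using the same `port`/`ip-address`/`netmask` keywords; that keyword is also from recollection and should be confirmed in the CLI reference.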
Wow! Your explanation is so clean and understandable! Thank you!
Awesome video with all relevant details!
From Vietnam. Thanks!
Do the IPs listed in Peer HA1 matter if they are publicly routable, if the pair are directly connected?
How should the interfaces be cabled up?
Should they connect to each other directly or via switches?
They can be connected directly between the two firewalls.
Yes they can be connected directly to each other
What about cabling...