Recommended but not enforced. Ensure <= 20 ms latency between HA members.
If HA2 Backup has been configured but isn't showing on the dashboard widget on one or both of the firewalls in the HA pair, reboot the firewall(s) and it should appear on reboot.
If you are running active/passive HA with the HA2 link going through switches, you must use "IP" as the transport type. When using "ethernet" as the transport, once the initial handshake between the active and passive members is complete, the passive Palo stops transmitting on HA2. Once its MAC address ages out of the switches' tables, the HA traffic gets flooded on every trunk on which that VLAN is enabled.
The Group ID must be unique because it is used to generate the virtual MAC addresses for the data ports. If two HA pairs share the same group ID, they will have the same MAC addresses on their data ports.
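Added example (not from the original page): a small check that derives the virtual MAC each pair would use and flags any two pairs whose group IDs collide. The address format 00-1B-17-00-xx-yy (xx = HA group ID, yy = interface ID) is the one documented in the PAN-OS administrator's guide; the inventory below is constructed, and the pair names, interface IDs and the INVENTORY structure are my own assumptions.

```python
# Virtual MAC format per the PAN-OS admin guide: 00-1B-17-00-xx-yy, where
# xx is the HA group ID and yy is the interface ID. Assumption: the data
# ports you inventory follow this same derivation.
def virtual_mac(group_id, interface_id):
    """Build the virtual MAC a PAN-OS HA pair derives for one data port."""
    if not (0 <= group_id <= 255 and 0 <= interface_id <= 255):
        raise ValueError("group ID and interface ID are single bytes")
    return f"00:1b:17:00:{group_id:02x}:{interface_id:02x}"

def find_mac_collisions(pairs):
    """pairs: {pair_name: (group_id, [interface_ids])}.
    Returns {virtual_mac: [pair names]} for every MAC that more than one
    pair would put on the wire (a problem if they share a LAN segment)."""
    owners = {}
    for name, (gid, ifaces) in pairs.items():
        for iface in ifaces:
            owners.setdefault(virtual_mac(gid, iface), []).append(name)
    return {mac: names for mac, names in owners.items() if len(names) > 1}

# Constructed inventory (hypothetical names): two pairs accidentally
# reuse group ID 1 and both use interface ID 1.
INVENTORY = {
    "dc-edge":  (1, [1, 2]),
    "dc-core":  (1, [1, 3]),
    "branch-a": (7, [1, 2]),
}

if __name__ == "__main__":
    for mac, names in find_mac_collisions(INVENTORY).items():
        print(f"duplicate virtual MAC {mac} on pairs: {', '.join(names)}")
```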
This section lays out the steps to replace a Palo Alto device that is in an HA pair. Based on a job I once did, we will make the following assumptions about the task:
Most of these steps can be found in this article in the Palo Alto Networks knowledge base.
This section can be done without affecting anything on the existing HA setup. The faulty device and the functional device both continue to run, and nothing happens to the configuration. At this point, the replacement device has still not been configured or placed on the network.
When the replacement device arrives at the client site, the client should register the device. This is done by logging into the support portal and clicking on the Assets tab. Under the Assets tab, they should click the Spares sub-tab and then click the Register New Device button. It is very important not to click this button under the Devices tab: if they register the device under 'Devices', the licence transfer will not work properly. Palo Alto expects you to register replacement devices under Spares. You will need the replacement device's serial number to register it.
Once the replacement device has been registered as a spare, transfer the licences of the faulty device over to the replacement device. Do this by clicking on the replacement device under the Spares tab and clicking Transfer Licences and selecting the licences you want to transfer.
You will find that, once the licences have been transferred, the device which has lost them remains licenced for 30 days.
This section can be done without affecting anything on the existing HA setup. The faulty device and the functional device both continue to run, and nothing happens to the configuration. At this point, the replacement device is being configured with a temporary IP.
Perform initial configuration on the replacement device. Configure it with a temporary IP on the same subnet as the failing Palo Alto Networks firewall. Once the replacement device has been configured with an IP address, netmask, default gateway and DNS, plug it into the same subnet as the failing firewall.
If the failing device is still accessible through the web interface, access it and make a note of the following. If the failing device is not accessible, use the remaining unit in the HA pair (in theory, there should be no difference between the two).
Export Device Access the replacement device through the web interface. Configure licences and updates. Make sure the software is on the correct version.
On both members of the HA pair, under Device→Setup→Operations, export the "named configuration snapshot" and the "device state".
On the failing device (if possible), under Device→Setup and Device→High Availability, make a note of the management IP settings and the HA settings (particularly the IP addresses used).
On the working device in the HA pair, in Device→Certificate Management→Certificate, export the HA Key.
Power off the failing device.
At this point, wait until close of business if it is critical that users do not experience any drop in traffic (e.g. if the Palo is passing SIP traffic for a call center).
Once it is okay to do so, on the working device in the HA pair:
Ensure that Device→High Availability→General→Setup→Enable Config Sync is unticked.
Ensure that Device→High Availability→General→Election Settings→Device Priority is 100 (a lower number wins the election, so this gives it a greater priority than the replacement device).
Ensure that Device→High Availability→General→Election Settings→Preemptive is unticked.
In Device→Certificate Management→Certificate, import the HA key of the replacement device.
Commit the changes.
Remove the faulty unit from the rack and replace it with the replacement unit. Make sure that all the cables are correctly connected and that the HA ports are properly wired up.
Power on the replacement device and connect to its web interface using the temporary IP address.
Import the device state of the failed device onto the replacement device. Do not commit.
Double check the management and HA settings.
Ensure that Device→High Availability→General→Setup→Enable Config Sync is unticked.
Ensure that Device→High Availability→General→Election Settings→Device Priority is 255 (highest number = lowest priority).
Ensure that Device→High Availability→General→Election Settings→Preemptive is unticked.
In Device→Certificate Management→Certificate, import the HA key of the working device in the HA pair.
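Added example (not from the original page or the knowledge base article): a pre-commit check that reads the HA state of both units and reports any deviation from the two checklists above (config sync off and preemptive off on both sides, priority 100 on the working unit and 255 on the replacement). The two XML replies are constructed samples; the element names follow the "show high-availability state" op command as I recall it and are an assumption, so adjust them to the reply your PAN-OS version returns.

```python
import xml.etree.ElementTree as ET

# Constructed sample replies to the PAN-OS op command
# "show high-availability state". Element names are an assumption.
WORKING_XML = """<response status="success"><result><enabled>yes</enabled>
<group><mode>Active-Passive</mode><running-sync-enabled>no</running-sync-enabled>
<local-info><state>active</state><priority>100</priority>
<preemptive>no</preemptive></local-info></group></result></response>"""
REPLACEMENT_XML = """<response status="success"><result><enabled>yes</enabled>
<group><mode>Active-Passive</mode><running-sync-enabled>no</running-sync-enabled>
<local-info><state>passive</state><priority>255</priority>
<preemptive>no</preemptive></local-info></group></result></response>"""

def parse_ha(xml_text):
    """Pull out the fields the cut-over checklist cares about from one reply."""
    group = ET.fromstring(xml_text).find("./result/group")
    local = group.find("local-info")
    return {
        "state": local.findtext("state"),
        "priority": int(local.findtext("priority")),
        "preemptive": local.findtext("preemptive") == "yes",
        "config_sync": group.findtext("running-sync-enabled") == "yes",
    }

def precutover_issues(working, replacement):
    """Return every deviation from the settings the procedure requires
    before committing on the replacement (empty list = safe to commit)."""
    issues = []
    for name, ha in (("working", working), ("replacement", replacement)):
        if ha["config_sync"]:
            issues.append(f"{name}: Enable Config Sync must be unticked")
        if ha["preemptive"]:
            issues.append(f"{name}: Preemptive must be unticked")
    if working["priority"] != 100:
        issues.append(f"working: priority is {working['priority']}, expected 100")
    if replacement["priority"] != 255:
        issues.append(f"replacement: priority is {replacement['priority']}, expected 255")
    # Lower number wins the election: the working unit must stay active.
    if working["priority"] >= replacement["priority"]:
        issues.append("working unit would lose the election to the replacement")
    return issues

if __name__ == "__main__":
    problems = precutover_issues(parse_ha(WORKING_XML), parse_ha(REPLACEMENT_XML))
    print("OK to commit" if not problems else "\n".join(problems))
```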
At this point, commit the changes to the replacement device. It will assume all the IP addresses of the device it is replacing.
On the active device (the one that was part of the original pair), click Sync to peer in the HA widget on the dashboard.
After a few minutes, most of the boxes on both sides should go green. If some of the '* version' lights are red, compare the versions on both devices and update as necessary. Remember, the replacement will have the very latest software, while the active member of the original pair may not have the latest updates yet.
The replacement should currently be passive. Once all lights are green, compare the running configs using Device→Config Audit, checking Running Config against Peer's Running Config. There will be a few differences, but only in some certificates and the management and HA settings.
Then enable Config Sync and Preemptive in HA settings on both devices (active device first).
Commit changes.
At this point, you are fully up and running. To make the replacement device the primary active device, change its priority to 50 in Device→High Availability→General→Election Settings→Device Priority. Commit the change for it to take effect.
It may take several minutes for the devices to detect the new settings, but when they do, the pre-existing unit should hand control to the replacement unit. The replacement unit then becomes the active unit and the pre-existing unit becomes the passive unit.