Migrate Active/Passive HA on AWS to Secondary IP Mode
Table of Contents
10.0 (EoL)
Expand all | Collapse all
-
- VM-Series Deployments
- VM-Series in High Availability
- Enable Jumbo Frames on the VM-Series Firewall
- Hypervisor Assigned MAC Addresses
- Custom PAN-OS Metrics Published for Monitoring
- Interface Used for Accessing External Services on the VM-Series Firewall
- PacketMMAP and DPDK Driver Support
- Enable ZRAM on the VM-Series Firewall
-
- VM-Series Firewall Licensing
- Create a Support Account
- Serial Number and CPU ID Format for the VM-Series Firewall
- Install a License API Key
- Use Panorama-Based Software Firewall License Management
-
- Maximum Limits Based on Memory
- Activate Credits
- Create a Deployment Profile
- Manage a Deployment Profile
- Register the VM-Series Firewall (Software NGFW Credits)
- Provision Panorama
- Migrate Panorama to a FW-Flex License
- Transfer Credits
- Renew Your Software NGFW Credit License
- Deactivate License (Software NGFW Credits)
- Create and Apply a Subscription-Only Auth Code
- Migrate to a Flexible VM-Series License
- What Happens When Licenses Expire?
-
- Supported Deployments on VMware vSphere Hypervisor (ESXi)
-
- Plan the Interfaces for the VM-Series for ESXi
- Provision the VM-Series Firewall on an ESXi Server
- Perform Initial Configuration on the VM-Series on ESXi
- Add Additional Disk Space to the VM-Series Firewall
- Use VMware Tools on the VM-Series Firewall on ESXi and vCloud Air
- Use vMotion to Move the VM-Series Firewall Between Hosts
- Use the VM-Series CLI to Swap the Management Interface on ESXi
-
-
- VM-Series Firewall for NSX-V Deployment Checklist
- Install the VMware NSX Plugin
- Apply Security Policies to the VM-Series Firewall
- Steer Traffic from Guests that are not Running VMware Tools
- Dynamically Quarantine Infected Guests
- Migrate Operations-Centric Configuration to Security-Centric Configuration
- Add a New Host to Your NSX-V Deployment
- Use Case: Shared Compute Infrastructure and Shared Security Policies
- Use Case: Shared Security Policies on Dedicated Compute Infrastructure
- Dynamic Address Groups—Information Relay from NSX-V Manager to Panorama
-
- Supported Deployments of the VM-Series Firewall on VMware NSX-T (North-South)
- Components of the VM-Series Firewall on NSX-T (North-South)
-
- Install the Panorama Plugin for VMware NSX
- Enable Communication Between NSX-T Manager and Panorama
- Create Template Stacks and Device Groups on Panorama
- Configure the Service Definition on Panorama
- Deploy the VM-Series Firewall
- Direct Traffic to the VM-Series Firewall
- Apply Security Policy to the VM-Series Firewall on NSX-T
- Use vMotion to Move the VM-Series Firewall Between Hosts
- Extend Security Policy from NSX-V to NSX-T
-
- Components of the VM-Series Firewall on NSX-T (East-West)
- VM-Series Firewall on NSX-T (East-West) Integration
- Supported Deployments of the VM-Series Firewall on VMware NSX-T (East-West)
-
- Install the Panorama Plugin for VMware NSX
- Enable Communication Between NSX-T Manager and Panorama
- Create Template Stacks and Device Groups on Panorama
- Configure the Service Definition on Panorama
- Launch the VM-Series Firewall on NSX-T (East-West)
- Add a Service Chain
- Direct Traffic to the VM-Series Firewall
- Apply Security Policies to the VM-Series Firewall on NSX-T (East-West)
- Use vMotion to Move the VM-Series Firewall Between Hosts
-
- Install the Panorama Plugin for VMware NSX
- Enable Communication Between NSX-T Manager and Panorama
- Create Template Stacks and Device Groups on Panorama
- Configure the Service Definition on Panorama
- Launch the VM-Series Firewall on NSX-T (East-West)
- Create Dynamic Address Groups
- Create Dynamic Address Group Membership Criteria
- Generate Steering Policy
- Generate Steering Rules
- Delete a Service Definition from Panorama
- Migrate from VM-Series on NSX-T Operation to Security Centric Deployment
- Extend Security Policy from NSX-V to NSX-T
- Use In-Place Migration to Move Your VM-Series from NSX-V to NSX-T
- Use Migration Coordinator to Move Your VM-Series from NSX-V to NSX-T
-
-
- Deployments Supported on AWS
-
- Planning Worksheet for the VM-Series in the AWS VPC
- Launch the VM-Series Firewall on AWS
- Launch the VM-Series Firewall on AWS Outpost
- Create a Custom Amazon Machine Image (AMI)
- Encrypt EBS Volume for the VM-Series Firewall on AWS
- Use the VM-Series Firewall CLI to Swap the Management Interface
- Enable CloudWatch Monitoring on the VM-Series Firewall
-
- Use Case: Secure the EC2 Instances in the AWS Cloud
- Use Case: Use Dynamic Address Groups to Secure New EC2 Instances within the VPC
-
-
- What Components Does the VM-Series Auto Scaling Template for AWS (v2.0) Leverage?
- How Does the VM-Series Auto Scaling Template for AWS (v2.0 and v2.1) Enable Dynamic Scaling?
- Plan the VM-Series Auto Scaling Template for AWS (v2.0 and v2.1)
- Customize the Firewall Template Before Launch (v2.0 and v2.1)
- Launch the VM-Series Auto Scaling Template for AWS (v2.0)
- SQS Messaging Between the Application Template and Firewall Template
- Stack Update with VM-Series Auto Scaling Template for AWS (v2.0)
- Modify Administrative Account and Update Stack (v2.0)
-
- Launch the Firewall Template (v2.1)
- Launch the Application Template (v2.1)
- Create a Custom Amazon Machine Image (v2.1)
- VM-Series Auto Scaling Template Cleanup (v2.1)
- SQS Messaging Between the Application Template and Firewall Template (v2.1)
- Stack Update with VM-Series Auto Scaling Template for AWS (v2.1)
- Modify Administrative Account (v2.1)
- Change Scaling Parameters and CloudWatch Metrics (v2.1)
-
-
- Enable the Use of a SCSI Controller
- Verify PCI-ID for Ordering of Network Interfaces on the VM-Series Firewall
-
- Deployments Supported on Azure
- Deploy the VM-Series Firewall from the Azure Marketplace (Solution Template)
- Deploy the VM-Series Firewall from the Azure China Marketplace (Solution Template)
- Create a Custom VM-Series Image for Azure
- Deploy the VM-Series Firewall on Azure Stack
- Enable Azure Application Insights on the VM-Series Firewall
- Set up Active/Passive HA on Azure
- Use the ARM Template to Deploy the VM-Series Firewall
-
- About the VM-Series Firewall on Google Cloud Platform
- Supported Deployments on Google Cloud Platform
- Prepare to Set Up VM-Series Firewalls on Google Public Cloud
- Create a Custom VM-Series Firewall Image for Google Cloud Platform
-
- Deploy the VM-Series Firewall from Google Cloud Platform Marketplace
- Management Interface Swap for Google Cloud Platform Load Balancing
- Use the VM-Series Firewall CLI to Swap the Management Interface
- Enable Google Stackdriver Monitoring on the VM Series Firewall
- Enable VM Monitoring to Track VM Changes on Google Cloud Platform (GCP)
- Use Dynamic Address Groups to Secure Instances Within the VPC
- Use Custom Templates or the gcloud CLI to Deploy the VM-Series Firewall
-
- Prepare Your ACI Environment for Integration
-
-
- Create a Virtual Router and Security Zone
- Configure the Network Interfaces
- Configure a Static Default Route
- Create Address Objects for the EPGs
- Create Security Policy Rules
- Create a VLAN Pool and Domain
- Configure an Interface Policy for LLDP and LACP for East-West Traffic
- Establish the Connection Between the Firewall and ACI Fabric
- Create a VRF and Bridge Domain
- Create an L4-L7 Device
- Create a Policy-Based Redirect
- Create and Apply a Service Graph Template
-
- Create a VLAN Pool and External Routed Domain
- Configure an Interface Policy for LLDP and LACP for North-South Traffic
- Create an External Routed Network
- Configure Subnets to Advertise to the External Firewall
- Create an Outbound Contract
- Create an Inbound Web Contract
- Apply Outbound and Inbound Contracts to the EPGs
- Create a Virtual Router and Security Zone for North-South Traffic
- Configure the Network Interfaces
- Configure Route Redistribution and OSPF
- Configure NAT for External Connections
-
-
- Choose a Bootstrap Method
- VM-Series Firewall Bootstrap Workflow
- Bootstrap Package
- Bootstrap Configuration Files
- Generate the VM Auth Key on Panorama
- Create the bootstrap.xml File
- Prepare the Licenses for Bootstrapping
- Prepare the Bootstrap Package
- Bootstrap the VM-Series Firewall on AWS
- Bootstrap the VM-Series Firewall on Azure
- Bootstrap the VM-Series Firewall on Google Cloud Platform
- Verify Bootstrap Completion
- Bootstrap Errors
End-of-Life (EoL)
Migrate Active/Passive HA on AWS to Secondary IP Mode
Learn more about migrating between to secondary-IP from
interface-move mode on the VM-Series firewall on AWS.
Complete the following procedure to migrate
your existing VM-Series firewall HA pair from interface-move HA
to secondary-IP HA.
Secondary IP Move HA requires VM-Series
plugin 2.0.1 or later.
- Upgrade the VM-Series Plugin on the passive HA peer and then the active peer.
- Create secondary IP address for all data interfaces on
the active peer.
- Log in to the AWS EC2 console.
- Select Network Interface and then choose then select your network interface.
- Select ActionsManage IP AddressesIPv4 AddressesAssign new IP.
- Leave the field blank to allow AWS to assign an IP address dynamically or enter an IP address within the subnet range for the VM-Series firewall.
- Click Yes and Update.
- Associate a secondary Elastic (public) IP address with
the untrust interface of the active peer.
- Log in to the AWS EC2 console.
- Select Elastic IPs and then choose then select the Elastic IP address to associate.
- Select ActionsAssociate Elastic IP.
- Under Resource Type, select Network Interface.
- Chose the network interface with which to associate the Elastic IP address.
- Click Associate.
- Create a route table pointing the subnet containing the
trust interface.
- Select Route TablesCreate route table.
- (Optional) Enter a descriptive Name tag for your route table.
- Select your VPC.
- Click Create.
- Select Subnet AssociationsEdit subnet associations.
- Select the Associate checkbox for the subnet containing the trust interface.
- Click Save.
- Update the IAM roles with additional actions and permissions
required to migrate to secondary IP move HA.
IAM Action, Permission, or Resource Description AssociateAddressFor permissions to move public IP addresses associated with the primary IP addresses from the passive to active interfaces.AssignPrivateIpAddressesFor permissions to move secondary IP addresses and associated public IP addresses from the passive to active interfaces.UnassignPrivateIpAddressFor permissions to unassign secondary IP addresses and associated public IP addresses from interfaces on the active peer.DescribeRouteTablesFor permission to retrieve all route tables associated to the VM-Series firewall instances.ReplaceRouteFor permission to update the AWS route table entries.GetPolicyVersion For permission to retrieve AWS policy version information. GetPolicy For permission to retrieve AWS policy information. ListAttachedRolePolicies For permission to retrieve the list of all managed policies attached to a specified IAM role. ListRolePolicies For permission to retrieve a list of the names of inline policies embedded in a specified IAM role. GetRolePolicy For permission to retrieve a specified inline policy embedded in a specified IAM role. policy For permission to access the IAM policy Amazon Resource Name (ARN).roleFor permission to access the IAM roles ARN.route-tableFor permission to access the route table ARN.Wild card (*)In the ARN field use the * as a wild card. - Create new interfaces (ENIs) on the passive firewall
in the same subnet as the active firewall data interfaces.Do not assign secondary IP addresses to these new interfaces.
- Open the Amazon EC2 console.
- Select Network InterfacesCreate Network Interfaces.
- Enter a descriptive Name for your new interface.
- Under Subnet, select the subnet of the untrust interface of the active firewall.
- Under Private IP, leave the field blank to allow AWS to assign an IP address dynamically or enter an IP address within the subnet range for the untrust interface of the active firewall.
- Under Security groups, select one or more security groups.
- Select Yes and Create.
- Select ActionsChange Source/Dest. Check and select Disable.
- Repeat these steps for the subnet of the trust interface of the active firewall.
- Attach the new ENIs to the passive firewall instance.
You must attach these ENIs to the passive firewall in the correct
order because the secondary IP HA method is based on the network
interface index assigned by AWS. For example, if eth1/2 on the active
firewall is part of subnet A and eth1/3 is part of subnet B, then
you must attach the interface that is part of subnet A and the interface
that is part of subnet B. In this example, AWS has assigned an index
value of 2 to eth1/2 and a value of 3 to eth1/3. This indexing must
be maintained for the failover to occur successfully.
- To attach the ENIs created above, select the untrust interface your created and click Attach.
- Select the Instance ID of the of the passive firewall and click Attach.
- Repeat these steps for the trust interface.
- Log into the passive and set the interfaces to get their
IP addresses through DHCP.
- Log in to the passive VM-Series firewall web interface.
- Select NetworkInterfaces.
- Click on the first data interface.
- Select IPv4.
- Select DHCP Client.
- On the untrust interface only, select Automatically create default route pointing to default gateway provided by server.
- Click OK.
- Repeat this process for each data interface.
- If you have configure any NAT policies on the VM-Series
firewall that reference the private IP addresses of the data interfaces,
those policies must be updated to reference the newly assigned secondary
IP addresses instead.
- Access the web interface of the active VM-Series firewall.
- Select PoliciesNAT.
- Click on the NAT policy rule to be modified and then Translated Packet.
- Under Translated Address, click Add and enter the secondary IP address created in AWS.
- Delete the primary IP address.
- Click OK.
- Repeat these steps as necessary.
- Commit your changes.
- Enable secondary IP HA failover mode.
- Access the VM-Series firewall CLI on the active peer.
- Execute the following command.request plugins vm_series aws ha failover-mode secondary-ip
- Commit your changes.
- Comfirm your HA mode by executing the following command.show plugins vm_series aws ha failover-mode
- Repeat this command on the passive peer.
- After your finish configuring HA on both firewalls, verify
that the firewalls are paired in active/passive HA.
- Access the Dashboard on both firewalls and view the High Availability widget.
- On the active HA peer, click Sync to peer.
- Confirm that the firewalls are paired and synced.
- On the passive firewall: the state of the local firewall should display Passive and the Running Config should show as Synchronized.
- On the active firewall: the state of the local firewall should display Active and the Running Config should show as Synchronized.
- From the firewall command line interface, execute
the following commands:
- To verify failover readiness:show plugins vm_series aws ha state
- To show secondary IP mapping :show plugins vm_series aws ha ips