Configure Active/Passive HA on OCI
10.0 (EoL)
You can configure a pair of VM-Series firewalls on OCI in an active/passive high availability (HA) configuration. To keep traffic flowing through the pair, you must create secondary, floating IP addresses that can move quickly from one peer to the other. When the active firewall goes down, the floating IP addresses move from the active to the passive firewall so that the passive firewall can secure traffic as soon as it becomes the active peer. In addition to the floating IP addresses, the HA peers need HA links, a control link (HA1) and a data link (HA2), to synchronize configuration and maintain state information.
The VM-Series firewall for OCI in FIPS
mode does not support high availability.
To allow the firewalls to move the floating IP addresses upon failover, you must place the firewall instances in a dynamic group on OCI. A dynamic group lets you treat the firewall instances as principals and write policy that allows the instances in the group to make API calls against OCI services. You will use matching rules to add the two HA peer instances to the dynamic group, and then create the policy that allows them to move a floating IP address from one VNIC to another.
Both
VM-Series firewalls in the HA pair must have the same number of
network interfaces. Each firewall requires a minimum of four interfaces—management,
untrust, trust, and HA. You can configure additional data interfaces
as required by your deployment.
- Management interface—the private and public IP addresses associated with the primary interface. You can use the private IP address on the management interface as the IP address for the HA1 interface between the peers. If you want a dedicated HA interface, you must attach an additional interface to each firewall, for a total of five interfaces each.
- Untrust and trust interfaces—each of these data interfaces on the active HA peer requires a primary and a secondary IP address. Upon failover, when the passive HA peer transitions to the active state, the secondary private IP address is detached from the previously active peer and attached to the now active HA peer.
- HA2 interface—this interface has a single private IP address on each HA peer. The HA2 interface is the data link peers use to synchronize sessions, forwarding tables, IPsec security associations, and ARP tables.
- Deploy the VM-Series Firewall From the Oracle Cloud Marketplace and set up
the network interfaces for HA.
- (Optional) Configure a dedicated
HA1 interface on each HA peer.
- From the OCI Console, select Compute > Instances and click the name of your active peer instance.
- Select Attached VNICs and click Create VNIC.
- Enter a descriptive name for your HA1 interface.
- Select the VCN and subnet.
- Enter a private IP address.
- Click Create VNIC.
- Repeat this process on your passive peer instance.
- Configure an HA2 interface on each HA peer.
- From the OCI Console, select Compute > Instances and click the name of your active peer instance.
- Select Attached VNICs and click Create VNIC.
- Enter a descriptive name for your HA2 interface.
- Select the VCN and subnet. The HA2 interface should be on a separate subnet from your data interfaces.
- Enter a private IP address.
- Click Create VNIC.
- Repeat this process on your passive peer instance.
- Add a secondary IP address to your dataplane interfaces
on the active peer.
- From the OCI Console, select Compute > Instances and click the name of your active peer instance.
- Select Attached VNICs and click on your untrust VNIC.
- Select IP Addresses and click Assign Private IP Address.
- Enter the IP address and click Assign.
- Repeat this procedure for each dataplane interface on your active peer.
- Create security rules that allow the HA peers to synchronize data and maintain state information. The default OCI security list does not permit the HA link traffic, so you must open the HA ports on the subnets that hold the HA1 and HA2 interfaces. Scope the source to the peer's HA address rather than the whole subnet so that only the HA peer can reach these ports.
- Open the ports for your HA1 interface.
- From the OCI Console, select Networking > Virtual Cloud Networks and select your VCN.
- Select Subnets and select the subnet containing your HA1 interface.
- Select Security Lists and click the default security list to edit it.
- Click Add Ingress Rule.
- Enter a Source CIDR that includes the HA1 IP address of the HA peer.
- Select TCP from the IP Protocol drop-down and enter 28769 as the Destination Port Range.
- Click +Additional Ingress Rule and add a second TCP rule for destination port 28260. The HA1 control link uses TCP ports 28769 and 28260 for clear-text communication.
- If encryption is enabled for the HA1 link on your VM-Series firewall, add additional rules for ICMP and for TCP port 28.
- Click Add Ingress Rules.
- Open the ports for your HA2 interface.
- From the OCI Console, select Networking > Virtual Cloud Networks and select your VCN.
- Select Subnets and select the subnet containing your HA2 interface.
- Select Security Lists and click the default security list to edit it.
- Click Add Ingress Rule.
- Enter a Source CIDR that includes the HA2 IP address of the HA peer.
- Choose the protocol that matches the HA2 transport you will configure on the firewall. If the transport is UDP, select UDP from the IP Protocol drop-down and enter 29281 as the Destination Port Range. If the transport is IP, the HA2 link uses IP protocol number 99 rather than a port, so select protocol 99 in the IP Protocol drop-down (or set protocol to 99 when using the CLI or API).
- Click Add Ingress Rules.
- Add both HA peers to a dynamic group and create a policy that allows the HA peers to move the floating IP addresses. You need the OCID of each HA peer instance to build the dynamic group matching rules, so have those on hand to paste into the rule builder.
- Create the dynamic group.
- From the OCI Console, select Identity > Dynamic Groups > Create Dynamic Group.
- Enter a descriptive Name for your dynamic group.
- Click Rule Builder.
- Select Any of the following rules from the first drop-down.
- Select Match instances with ID: from the Attributes drop-down and paste one of the peer OCIDs into the Value field.
- Click +Additional Line.
- Select Match instances with ID: from the Attributes drop-down and paste the other peer OCID into the Value field.
- Click Add Rule.
- Click Create Dynamic Group.
- Create the policy rule.
- From the OCI Console, select Identity > Policies > Create Policy.
- Enter a descriptive Name for your policy.
- Enter the first policy statement: Allow dynamic-group <dynamic_group_name> to use virtual-network-family in compartment <compartment_name>
- Click +Another Statement.
- Enter the second policy statement: Allow dynamic-group <dynamic_group_name> to use instance-family in compartment <compartment_name>
- Click Create. These statements let the HA peers, acting as instance principals, operate on every VNIC and instance in the compartment, which is also what a compromised firewall instance could do, so keep the firewalls in a compartment that holds only their own resources.
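The security-list rules in step 2 and the dynamic group and policy in step 3 are easy to get wrong in the console (the HA2 IP transport is a protocol number, not a port, and an `update` of a security list replaces the whole rule set). The following Python generates those artifacts for the OCI CLI. It is an added example, not code from the Palo Alto Networks or Oracle documentation; every OCID, IP address, group and compartment name in it is a constructed placeholder.

```python
"""Build the OCI artifacts from steps 2 and 3 for the OCI CLI.
Added example, not Palo Alto Networks or Oracle code. Every OCID, address
and name is a constructed placeholder."""
import json

# HA link ports and protocols documented for PAN-OS: HA1 clear text on
# TCP 28769 and 28260, HA1 encrypted on TCP 28 (plus ICMP), HA2 on
# UDP 29281 or IP protocol number 99 depending on the HA2 transport.
HA1_TCP_PORTS = (28769, 28260)
HA1_ENCRYPTED_TCP_PORT = 28
HA2_UDP_PORT = 29281
HA2_IP_PROTOCOL = "99"
PROTO_ICMP, PROTO_TCP, PROTO_UDP = "1", "6", "17"


def _rule(protocol, source, description, port=None):
    """One stateful ingress rule in the JSON shape that
    `oci network security-list update --ingress-security-rules file://x.json`
    accepts (camelCase keys as in the API model)."""
    rule = {
        "protocol": protocol,
        "source": source,
        "sourceType": "CIDR_BLOCK",
        "isStateless": False,
        "description": description,
    }
    if port is not None:
        options = "tcpOptions" if protocol == PROTO_TCP else "udpOptions"
        rule[options] = {"destinationPortRange": {"min": port, "max": port}}
    return rule


def ha1_ingress_rules(peer_ha1_ip, encrypted=False):
    """Rules for the subnet that holds the HA1 control link. The source is the
    peer's /32, not the whole subnet, so only the HA peer can reach these ports."""
    src = f"{peer_ha1_ip}/32"
    rules = [_rule(PROTO_TCP, src, f"HA1 clear text tcp/{p}", p) for p in HA1_TCP_PORTS]
    if encrypted:
        rules.append(_rule(PROTO_TCP, src, "HA1 encrypted tcp/28", HA1_ENCRYPTED_TCP_PORT))
        rules.append(_rule(PROTO_ICMP, src, "HA1 ICMP"))
    return rules


def ha2_ingress_rules(peer_ha2_ip, transport="udp"):
    """Rules for the HA2 data link subnet. `transport` must match the Transport
    chosen under Device > High Availability > General on the firewall."""
    src = f"{peer_ha2_ip}/32"
    if transport == "udp":
        return [_rule(PROTO_UDP, src, "HA2 udp/29281", HA2_UDP_PORT)]
    if transport == "ip":
        return [_rule(HA2_IP_PROTOCOL, src, "HA2 IP protocol 99")]  # no port: protocol 99
    raise ValueError("HA2 transport on OCI must be 'udp' or 'ip'; Ethernet is not supported")


def merge_ingress_rules(existing, new):
    """--ingress-security-rules replaces the whole list. Merge with the rules read
    back from `oci network security-list get` so nothing already there is dropped."""
    merged = list(existing)
    seen = {json.dumps(r, sort_keys=True) for r in existing}
    for r in new:
        key = json.dumps(r, sort_keys=True)
        if key not in seen:
            merged.append(r)
            seen.add(key)
    return merged


def dynamic_group_rule(instance_ocids):
    """Matching rule equivalent to 'Any of the following rules' with one
    'Match instances with ID' line per HA peer."""
    terms = ", ".join(f"instance.id = '{ocid}'" for ocid in instance_ocids)
    return f"Any {{{terms}}}"


def policy_statements(dynamic_group, compartment):
    """The two statements from step 3. virtual-network-family is what permits the
    UpdatePrivateIp call that moves the floating IP; keep `compartment` to one
    that holds only the firewall resources."""
    return [
        f"Allow dynamic-group {dynamic_group} to use virtual-network-family in compartment {compartment}",
        f"Allow dynamic-group {dynamic_group} to use instance-family in compartment {compartment}",
    ]


if __name__ == "__main__":
    peers = ["ocid1.instance.oc1.phx.placeholder-a", "ocid1.instance.oc1.phx.placeholder-b"]
    current = [_rule(PROTO_TCP, "0.0.0.0/0", "existing ssh rule", 22)]  # as read back from the list
    rules = merge_ingress_rules(current, ha1_ingress_rules("10.0.0.12", encrypted=True))
    with open("ha1-ingress.json", "w") as fh:
        json.dump(rules, fh, indent=2)
    print("oci network security-list update --security-list-id <ocid> "
          "--ingress-security-rules file://ha1-ingress.json")
    print(dynamic_group_rule(peers))
    print("\n".join(policy_statements("vmseries-ha", "vmseries-fw")))
```

Run it on each peer with the other peer's HA1 and HA2 addresses, and feed the written JSON to `oci network security-list update` after first reading the current rules back with `oci network security-list get`; the merge step exists because the update call overwrites the entire ingress list rather than appending to it.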
- Configure
the interfaces on the firewall. You must configure the HA2 data
link and at least two Layer 3 interfaces for your untrust and trust interfaces.
Complete this workflow on the first HA peer and then repeat the
steps on the second HA peer.
- Log in to the firewall web interface.
- (Optional) If you are using the management
interface as HA1, you must set the interface IP Type to static and
configure a DNS server.
- Select Device > Setup > Interfaces > Management.
- Set the IP Type to Static.
- Enter the private IP address of the primary VNIC of your VM-Series firewall instance.
- Click OK.
- Select Device > Setup > Services.
- Click Edit.
- Enter the IP address of the Primary DNS Server.
- Click OK.
- Commit your changes.
- Select Network > Interfaces > Ethernet. In this example, ethernet 1/1 is the HA2 interface, ethernet 1/2 is the trust interface, and ethernet 1/3 is the untrust interface.
- Click the link for ethernet 1/1 and
configure as follows:
- Interface Type: HA
- Click the link for ethernet 1/2 and
configure as follows:
- Interface Type: Layer3
- On the Config tab, assign the interface to the default router.
- On the Config tab, expand the Security Zone drop-down and select New Zone. Define a new zone, for example trust-zone, and then click OK.
- On the IPv4 tab, select Static.
- Click Add in the IP section and enter the primary IP address and network mask for the interface. Make sure that the IP address matches the IP address that you assigned to the corresponding subnet in VCN. For example, if you add this interface to your trust zone, make sure you assign the trust vNIC IP address configured in your VCN.
- Click Add in the IP section and enter the secondary, floating IP address and network mask.
- Click the link for ethernet 1/3 and
configure as follows:
- Interface Type: Layer3
- On the Config tab, assign the interface to the default router.
- On the Config tab, expand the Security Zone drop-down and select New Zone. Define a new zone, for example untrust-zone, and then click OK.
- On the IPv4 tab, select Static.
- Click Add in the IP section and enter the primary IP address and network mask for the interface. Make sure that the IP address matches the IP address that you assigned to the corresponding subnet in VCN. For example, if you add this interface to your untrust zone, make sure you assign the untrust vNIC IP address configured in your VCN.
- Click Add in the IP section and enter the secondary, floating IP address and network mask.
- Enable
HA.
- Select Device > High Availability > General.
- Edit the Setup settings.
- Enter the HA1 private IP address of the other HA peer in the Peer HA1 IP Address field. When you configure the active peer this is the passive peer's address; when you repeat the step on the passive peer it is the active peer's address.
- Click OK.
- (Optional) Edit the Control Link (HA1). If you do not plan to use the management interface for the control link and have added an additional interface (for example ethernet 1/4), edit this section to select the interface to use for HA1 communication.
- Edit the Data Link (HA2) to use Port ethernet 1/1, and enter the HA2 private IP address of the firewall you are configuring (its HA2 VNIC address), the netmask, and the Gateway IP address for the HA2 subnet.
- Select IP or UDP from the Transport drop-down; Ethernet is not supported on OCI. The choice must match the security list rule you created for the HA2 subnet (IP protocol 99 for IP, UDP port 29281 for UDP).
- Click OK.
- Commit your changes.
- Repeat step 4 and step 5 on the passive HA peer.
- After you finish configuring HA on both firewalls, verify that the firewalls are paired in active/passive HA.
- Access the Dashboard on both firewalls and view the High Availability widget.
- On the active HA peer, click Sync to peer.
- Confirm that the firewalls are paired and synced.
- On the passive firewall: the state of the local firewall should display Passive and the Running Config should show as Synchronized.
- On the active firewall: the state of the local firewall should display Active and the Running Config should show as Synchronized.
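The dashboard check above confirms the pairing from the firewall's point of view. After a failover test it is also worth confirming from the OCI side that every floating IP actually moved, because each data interface is moved by a separate UpdatePrivateIp call and a policy or API error can leave the trust and untrust floating IPs on different peers. The following Python is an added example, not code from the Palo Alto Networks or Oracle documentation; the JSON in it is constructed to look like the output of `oci network private-ip list --subnet-id <ocid>`, and all OCIDs, addresses and peer names are placeholders.

```python
"""Post-failover check from the OCI side: which VNIC holds each floating
(secondary) private IP, and whether they all sit on the same peer.
Added example, not Palo Alto Networks or Oracle code. The samples below are
constructed to look like `oci network private-ip list --subnet-id <ocid>`
output; every OCID and address is a placeholder."""
import json

# Each peer's data-plane VNIC OCIDs (Compute > Instances > Attached VNICs).
VNIC_OWNER = {
    "ocid1.vnic.oc1.phx.trust-a": "fw-a",
    "ocid1.vnic.oc1.phx.trust-b": "fw-b",
    "ocid1.vnic.oc1.phx.untrust-a": "fw-a",
    "ocid1.vnic.oc1.phx.untrust-b": "fw-b",
}
# The secondary IPs assigned to the active peer in step 1.
FLOATING_IPS = {"10.0.2.20", "10.0.3.20"}

SAMPLE_TRUST = json.dumps({"data": [
    {"id": "ocid1.privateip.oc1.phx.t1", "ip-address": "10.0.2.10",
     "is-primary": True, "vnic-id": "ocid1.vnic.oc1.phx.trust-a"},
    {"id": "ocid1.privateip.oc1.phx.t2", "ip-address": "10.0.2.11",
     "is-primary": True, "vnic-id": "ocid1.vnic.oc1.phx.trust-b"},
    {"id": "ocid1.privateip.oc1.phx.t3", "ip-address": "10.0.2.20",
     "is-primary": False, "vnic-id": "ocid1.vnic.oc1.phx.trust-b"},
]})
# Constructed to show a split: the untrust floating IP never moved.
SAMPLE_UNTRUST = json.dumps({"data": [
    {"id": "ocid1.privateip.oc1.phx.u1", "ip-address": "10.0.3.10",
     "is-primary": True, "vnic-id": "ocid1.vnic.oc1.phx.untrust-a"},
    {"id": "ocid1.privateip.oc1.phx.u2", "ip-address": "10.0.3.11",
     "is-primary": True, "vnic-id": "ocid1.vnic.oc1.phx.untrust-b"},
    {"id": "ocid1.privateip.oc1.phx.u3", "ip-address": "10.0.3.20",
     "is-primary": False, "vnic-id": "ocid1.vnic.oc1.phx.untrust-a"},
]})


def floating_ip_owners(cli_outputs, floating_ips=FLOATING_IPS, owners=VNIC_OWNER):
    """Map floating IP -> (peer name, private-ip OCID, vnic OCID) over one
    `private-ip list` result per data subnet. Raises if a floating IP is
    attached to no VNIC at all."""
    found = {}
    for out in cli_outputs:
        for entry in json.loads(out)["data"]:
            ip = entry["ip-address"]
            if entry["is-primary"] or ip not in floating_ips:
                continue
            found[ip] = (owners.get(entry["vnic-id"], "unknown"), entry["id"], entry["vnic-id"])
    missing = set(floating_ips) - set(found)
    if missing:
        raise LookupError(f"floating IP(s) attached to no VNIC: {sorted(missing)}")
    return found


def active_peer(owner_map):
    """Peer holding every floating IP, or None when they are split across peers,
    i.e. a partial failover (one UpdatePrivateIp succeeded, another did not)."""
    peers = {owner for owner, _, _ in owner_map.values()}
    return peers.pop() if len(peers) == 1 else None


def move_command(private_ip_ocid, target_vnic_ocid):
    """The same reassignment the firewall performs on failover, as an OCI CLI
    command for a manual failback or for repairing a split."""
    return (f"oci network private-ip update --private-ip-id {private_ip_ocid} "
            f"--vnic-id {target_vnic_ocid}")


if __name__ == "__main__":
    owners = floating_ip_owners([SAMPLE_TRUST, SAMPLE_UNTRUST])
    for ip, (peer, pip, vnic) in sorted(owners.items()):
        print(f"{ip} -> {peer} via {vnic}")
    holder = active_peer(owners)
    if holder is None:
        print("floating IPs are split between peers; repair with, for example:")
        print(move_command(owners["10.0.3.20"][1], "ocid1.vnic.oc1.phx.untrust-b"))
    else:
        print("all floating IPs on", holder)
```

In use, replace the samples with the real output of `oci network private-ip list` for the trust and untrust subnets and fill VNIC_OWNER from the Attached VNICs page of each instance; the peer it reports should agree with the Active state shown on the firewall dashboard, and a None result means the floating IPs are split and traffic on one side is still being delivered to the old peer.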