Set up Active/Passive HA on Azure
Set up the VM-Series firewall on Azure in a high availability setup using the VM-Series plugin.
You can configure a pair of VM-Series firewalls on Azure in an active/passive high availability (HA) configuration. For HA on Azure, you must deploy both firewall HA peers within the same Azure Resource Group, and you must install the same version of the VM-Series Plugin on both HA peers.
- Set up Active/Passive HA on Azure (North-South & East-West Traffic)—If you have an internet-facing application deployed on your Azure infrastructure, and you need to secure north-south traffic, you require a floating IP address to secure traffic on failover. This floating IP address, which enables external connectivity, is always attached to the active peer. On failover, the process of detaching the IP address and reattaching it to the now active peer can take a few minutes.
- Set up Active/Passive HA on Azure (East-West Traffic Only)—If your application access and security requirements are contained within the Azure infrastructure and you need to secure east-west traffic only, you do not need a floating IP address. Instead, the HA implementation automatically reconfigures the UDRs in the Azure routing tables to provide a faster failover time.
All VM-Series firewall interfaces must be assigned an IPv4 address when deployed in a public cloud environment. IPv6 addresses are not supported.
To enable HA on the VM-Series firewall on Azure, you must create an Azure Active Directory application and Service Principal that includes the permissions listed in the table below.
Azure HA Type | Permissions | Role Scope |
---|---|---|
Secondary IP Move HA | `Microsoft.Authorization/*/read`, `Microsoft.Compute/virtualMachines/read`, `Microsoft.Network/networkInterfaces/*`, `Microsoft.Network/networkSecurityGroups/*`, `Microsoft.Network/virtualNetworks/join/action`, `Microsoft.Network/virtualNetworks/subnets/join/action`. The following permissions are required only if you have assigned a public IP address to any of your data interfaces (a Standard SKU interface is recommended): `Microsoft.Network/publicIPAddresses/join/action`, `Microsoft.Network/publicIPAddresses/read`, `Microsoft.Network/publicIPAddresses/write` | |
UDR HA | `Microsoft.Authorization/*/read`, `Microsoft.Compute/virtualMachines/read`, `Microsoft.Network/routeTables/*` | |
Secondary IP Move and UDR | `Microsoft.Authorization/*/read`, `Microsoft.Compute/virtualMachines/read`, `Microsoft.Network/networkInterfaces/*`, `Microsoft.Network/networkSecurityGroups/*`, `Microsoft.Network/routeTables/*`, `Microsoft.Network/virtualNetworks/join/action`, `Microsoft.Network/virtualNetworks/subnets/join/action`. The following permissions are required only if you have assigned a public IP address to any of your data interfaces (a Standard SKU interface is recommended): `Microsoft.Network/publicIPAddresses/join/action`, `Microsoft.Network/publicIPAddresses/read`, `Microsoft.Network/publicIPAddresses/write` | |
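The following script is an added example, not code from the Palo Alto Networks documentation or the VM-Series plugin. It encodes the actions from the table above, checks whether an existing Azure role definition (its Actions minus NotActions, matched with Azure's `*` wildcard semantics) grants everything the plugin needs for a given HA type, and builds a least-privilege custom role definition for `az role definition create`. The subscription ID and resource group name are constructed placeholders, and scoping the role to the resource group that holds both HA peers is this example's assumption, not a requirement stated on the page.

```python
"""Least-privilege check for the Azure Service Principal used by the
VM-Series plugin for HA failover (added example, not vendor code).

Azure RBAC action strings are case-insensitive and use '*' as a wildcard,
so coverage is tested with fnmatch on lower-cased strings. A granted
pattern covers a required action only if it matches the whole required
string, so a narrower grant such as '.../routeTables/read' never satisfies
a wildcard requirement such as '.../routeTables/*'.
"""
import fnmatch
import json

# Actions from the permissions table, keyed by Azure HA type.
REQUIRED_ACTIONS = {
    "secondary_ip_move": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Network/networkInterfaces/*",
        "Microsoft.Network/networkSecurityGroups/*",
        "Microsoft.Network/virtualNetworks/join/action",
        "Microsoft.Network/virtualNetworks/subnets/join/action",
    ],
    "udr": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Network/routeTables/*",
    ],
}
REQUIRED_ACTIONS["secondary_ip_move_and_udr"] = sorted(
    set(REQUIRED_ACTIONS["secondary_ip_move"]) | set(REQUIRED_ACTIONS["udr"])
)

# Needed only when a data interface (untrust) carries a public IP address.
PUBLIC_IP_ACTIONS = [
    "Microsoft.Network/publicIPAddresses/join/action",
    "Microsoft.Network/publicIPAddresses/read",
    "Microsoft.Network/publicIPAddresses/write",
]


def required_actions(ha_type, public_ip_on_data_interface=False):
    """Return every action the plugin needs for this HA type."""
    actions = list(REQUIRED_ACTIONS[ha_type])
    if public_ip_on_data_interface:
        actions += PUBLIC_IP_ACTIONS
    return actions


def _covers(pattern, action):
    # Azure action strings are case-insensitive; '*' spans '/' as well.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def is_granted(role, action):
    """True if the role's Actions allow 'action' and NotActions do not deny it."""
    allowed = any(_covers(p, action) for p in role.get("Actions", []))
    denied = any(_covers(p, action) for p in role.get("NotActions", []))
    return allowed and not denied


def missing_actions(role, ha_type, public_ip_on_data_interface=False):
    """Required actions that an existing role definition does not grant."""
    return [a for a in required_actions(ha_type, public_ip_on_data_interface)
            if not is_granted(role, a)]


def build_role_definition(ha_type, subscription_id, resource_group,
                          public_ip_on_data_interface=False):
    """Build a custom role that grants only the table's actions.

    Assumption: the role is assignable only in the resource group holding
    both HA peers. Save the result to a file and create it with
    'az role definition create --role-definition @file.json'.
    """
    scope = f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
    return {
        "Name": f"VM-Series HA ({ha_type})",
        "IsCustom": True,
        "Description": "Actions the VM-Series plugin needs for Azure HA failover",
        "Actions": required_actions(ha_type, public_ip_on_data_interface),
        "NotActions": [],
        "AssignableScopes": [scope],
    }


if __name__ == "__main__":
    # Constructed placeholder values; replace with your own subscription and group.
    role = build_role_definition("secondary_ip_move_and_udr",
                                 "00000000-0000-0000-0000-000000000000",
                                 "fw-ha-rg", public_ip_on_data_interface=True)
    print(json.dumps(role, indent=2))
    # A read-only role cannot move IPs or rewrite routes: report what is missing.
    reader_like = {"Actions": ["*/read"], "NotActions": []}
    print("missing for a read-only role:", missing_actions(reader_like, "udr"))
```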
Set up Active/Passive HA on Azure (North-South & East-West Traffic)
If you want to secure north-south traffic to your applications in your Azure infrastructure, use this workflow with floating IP addresses that can quickly move from one peer to the other. Because you cannot move the IP address associated with the primary interface of the firewall on Azure, you need to assign a secondary IP address that can function as a floating IP address. When the active firewall goes down, the floating IP address moves from the active to the passive firewall so that the passive firewall can seamlessly secure traffic as soon as it becomes the active peer.
In addition to the floating IP address, the HA peers also need HA links—a control link (HA1) and a data link (HA2)—to synchronize data and maintain state information.
Set up the Firewalls for Enabling HA
Gather the following details for configuring HA on the VM-Series firewalls on Azure.
- Set up the Active Directory application and a Service Principal to enable programmatic API access.
- For the firewall to interact with the Azure APIs, you need to create an Azure Active Directory Service Principal. This Service Principal has the permissions required to authenticate to Azure AD and access the resources within your subscription. To complete this setup, you must have permissions to register an application with your Azure AD tenant and to assign the application to a role in your subscription. If you don't have the necessary permissions, ask your Azure AD or subscription administrator to create a Service Principal. See the table above for the required permissions. Copy the following details for use later in this workflow:
- Client ID—The Application ID associated with the Active Directory application (on the Azure portal, select Home > Azure Active Directory > App registrations, select your application and copy the ID).
- Tenant ID—The Directory ID associated with the Active Directory (on the Azure portal, select Home > Azure Active Directory > Properties > Directory ID and copy the ID).
- Azure Subscription ID—The Azure subscription in which you have deployed the firewalls. Log in to your Azure portal to get this subscription ID.
- Resource Group Name—The resource group in which you have deployed the firewalls that you want to configure as HA peers. Both firewalls must be in the same resource group.
- Secret Key—The authentication key associated with the Active Directory application (on the Azure portal, select Home > Azure Active Directory > Certificates & secrets and copy the Value under Client secrets. If you do not have a Secret Key, create one first, then copy the value). To log in as the application, you must provide both the key value and the Application ID.
- Know where to get the templates you need to deploy the VM-Series firewalls within the same Azure Resource Group. For an HA configuration, both HA peers must belong to the same Azure Resource Group. If you deploy the first instance of the firewall from the Azure Marketplace, you must use your custom ARM template or the Palo Alto Networks sample GitHub template to deploy the second instance of the firewall into the existing Resource Group. You need a custom template or the Palo Alto Networks sample template because the Azure Marketplace solution template cannot deploy the firewall into a Resource Group that is not empty. Copy the deployment information for the first firewall instance. For example:
- Match the VM Name of the VM-Series firewall, as shown in the screenshot above, with the Hostname on the firewall web interface. You must add the same name on Device > Setup > Management, because the hostname of the firewall is used to trigger failover.
- Plan the network interface configuration on the VM-Series firewalls on Azure. To set up HA, you must deploy both HA peers within the same Azure Resource Group, and both firewalls must have the same number of network interfaces. A minimum of four network interfaces is required on each HA peer:
- Management interface (eth0)—Private and public IP address associated with the primary interface. The public IP address enables access to the firewall web interface and SSH access. You can use the private IP address of the management interface as the HA1 peer IP address for the control link communication between the active/passive HA peers. If you want a dedicated HA1 interface, you must attach an additional network interface on each firewall, which means that you need five interfaces on each firewall.
- Untrust interface (eth1/1)—Primary private IP address with /32 netmask, and a secondary IP configuration with both a private IP address (any netmask) and a public IP address. On failover, when the passive peer transitions to the active state, the public IP address associated with the secondary IP configuration is detached from the previously active peer and attached to the now active HA peer.
- Trust interface (eth1/2)—Primary and secondary private IP addresses. On failover, when the passive peer transitions to the active state, the secondary private IP address is detached from the previously active peer and attached to the now active HA peer.
- HA2 (eth1/3)—Primary private IP address. The HA2 interface is the data link that the HA peers use for synchronizing sessions, forwarding tables, IPSec security associations and ARP tables.
Interface | Active firewall peer | Passive firewall peer | Description |
---|---|---|---|
Trust | Secondary IP address | — | The trust interface of the active peer requires a secondary IP configuration that can float to the other peer on failover. This secondary IP configuration on the trust interface must be a private IP address with the netmask of the servers that it secures. On failover, the VM-Series plugin calls the Azure API to detach this secondary private IP address from the active peer and attach it to the passive peer. Attaching this IP address to the now active peer ensures that the firewall can receive traffic on the floating IP on the untrust interface and send it through to the floating IP on the trust interface and on to the workloads. |
Untrust | Secondary IP address | — | The untrust interface of the firewall requires a secondary IP configuration that includes a static private IP address with a netmask for the untrust subnet, and a public IP address for accessing the back-end servers or workloads over the internet. On failover, the VM-Series plugin calls the Azure API to detach the secondary IP configuration from the active peer and attach it to the passive peer before it transitions to the active state. Floating the secondary IP configuration in this way enables the now active firewall to continue processing inbound traffic that is destined to the workloads. |
HA2 | Add a NIC to the firewall from the Azure management console. | Add a NIC to the firewall from the Azure management console. | On the active and passive peers, add a dedicated HA2 link to enable session synchronization. The default interface for HA1 is the management interface, and you can opt to use the management interface instead of adding an additional interface to the firewall. To enable data flow over the HA2 link, you need to add an additional network interface on the Azure portal and configure the interface for HA2 on the firewall. |
Configure Active/Passive HA on the VM-Series Firewall on Azure
In this workflow, you deploy the first instance of the VM-Series firewall using the VM-Series firewall solution template in the Azure marketplace, and the second instance of the firewall using the sample GitHub template.
The authentication key (client secret) associated with the Active Directory application required for setting up the VM-Series firewall in an HA configuration is encrypted with VM-Series plugin version 1.0.4 on the firewall and on Panorama. Because the key is encrypted in VM-Series plugin version 1.0.4, you must install the same version of the plugin on Panorama and the managed VM-Series firewalls in order to centrally manage the firewalls from Panorama.
- Deploy the VM-Series firewall using a solution template and set up the network interfaces for HA.
- Add a secondary IP configuration to the untrust interface of the firewall. You must attach the secondary IP configuration—with a private IP address (any netmask) and a public IP address—to the firewall that will be designated as the active peer. The secondary IP configuration always stays with the active HA peer, and moves from one peer to the other when a failover occurs. In this workflow, this firewall will be designated as the active peer. The active HA peer has the lower numerical value for device priority, which you configure as part of the HA configuration on the firewall; this value indicates a preference for which firewall assumes the role of the active peer.
- Add a secondary IP configuration to the trust interface of the firewall. The secondary IP configuration for the trust interface requires a static private IP address only. This IP address moves from the active firewall to the passive firewall on failover so that traffic flows through from the untrust to the trust interface and on to the destination subnets that the firewall secures.
- Attach a network interface for the HA2 communication between the firewall HA peers.
- Add a subnet within the virtual network.
- Set up your route table on Azure. Your next hop should point to the floating IP address as shown here:
- Configure the interfaces on the firewall. Complete these steps on the active HA peer before you deploy and set up the passive HA peer.
- Log in to the firewall web interface.
- Configure ethernet 1/1 as the untrust interface and ethernet 1/2 as the trust interface. Select Network > Interfaces and configure as follows:
- Configure ethernet 1/3 as the HA interface. To set up the HA2 link, select the interface and set Interface Type to HA. Set link speed and duplex to auto.
- Configure the VM-Series plugin to authenticate to the Azure resource group in which you have deployed the firewall. Set up the Azure HA configuration on the VM-Series plugin. To encrypt the client secret, use VM-Series plugin version 1.0.4 or later. If you use Panorama to manage your firewalls, you must install VM-Series plugin version 1.0.4 or later on Panorama as well.
- Select Device > VM-Series to enable programmatic access between the firewall plugin and the Azure resources.
- Enter the Client ID. The client ID is the Application ID associated with your Azure Active Directory application.
- Enter the Client Secret and re-enter it to confirm.
- Enter the Tenant ID. The tenant ID is the Directory ID you saved when you set up the Active Directory application.
- Enter the Subscription ID for the Azure subscription you want to monitor.
- Enter the Resource Group name.
- (For Azure Stack deployments only) Enter the Resource Mgr Endpoint URL. This field is mandatory ONLY for Azure Stack deployments. Do not enter a value for this field if you are using a regular Azure Cloud deployment; HA failover will not succeed if you specify the Resource Mgr Endpoint URL for a regular Azure Cloud deployment. This field is available in VM-Series plugin 2.1.2 and later.
- Click Validate to verify that the keys and IDs you entered are valid, and that the VM-Series plugin can successfully communicate with the Azure resources using the API.
- Enable HA.
- Select Device > Setup > HA.
- Enter the Peer HA1 IP address as the private IP address of the passive peer.
- (Optional) Edit the Control Link (HA1). If you do not plan to use the management interface for the control link and have added an additional interface (for example ethernet 1/4), edit this section to select the interface to use for HA1 communication.
- Edit the Data Link (HA2) to use Port ethernet 1/3 and add the IP address of this peer and the Gateway IP address for the subnet. When choosing the transport mode, note that UDP is the only supported transport mode in Azure environments.
- Commit the changes.
- Set up the passive HA peer within the same Azure Resource Group.
- Deploy the second instance of the firewall.
- Download the custom template and parameters file from GitHub.
- Log in to the Azure Portal.
- Search for custom template and select Deploy from a custom template.
- Select Build your own template in the editor > Load file.
- Select the azuredeploy.json that you downloaded earlier, and Save.
- Complete the inputs, agree to the terms and Purchase. Make sure to match the following inputs to those of the firewall instance you have already deployed: Azure subscription, name of the Resource Group, location of the Resource Group, name of the existing VNet into which you want to deploy the firewall, VNet CIDR, subnet names, subnet CIDRs, and the start IP address for the management, trust and untrust subnets.
- Repeat Step 1 and Step 2 to set up the interfaces and configure the firewall as the passive HA peer.
- Skip Step 3 and complete Enable HA (Step 5). In Step 4, modify the IP addresses as appropriate for this passive HA peer.
- After you finish configuring both firewalls, verify that the firewalls are paired in active/passive HA.
- Access the Dashboard on both firewalls, and view the High Availability widget.
- On the active firewall, click the Sync to peer link.
- Confirm that the firewalls are paired and synced, as follows:
- On the passive firewall: the state of the local firewall should display passive and the Running Config should show as synchronized.
- On the active firewall: the state of the local firewall should display active and the Running Config should show as synchronized.
- On the passive peer, verify that the VM-Series plugin configuration is now synced. Select Device > VM-Series and validate that you can view the Azure HA configuration that you omitted when configuring the passive peer.
Set up Active/Passive HA on Azure (East-West Traffic Only)
If your resources are all deployed within the Azure infrastructure and you do not need to enforce security for north-south traffic to the Azure VNet, you can deploy a pair of VM-Series firewalls in an active/passive high availability (HA) configuration without floating IP addresses. The HA peers will still need HA links—a control link (HA1) and a data link (HA2)—to synchronize data and maintain state information.
You must have VM-Series Plugin version 1.0.9 or later, and you must deploy both firewall HA peers within the same Azure Resource Group.
Set up the Firewalls for Enabling HA
Gather the following details for configuring HA on the VM-Series firewalls on Azure.
- Set up the Active Directory application and a Service Principal to enable programmatic API access.
- For the firewall to interact with the Azure APIs, you need to create an Azure Active Directory Service Principal. This Service Principal has the permissions required to authenticate to Azure AD and access the resources within your subscription. To complete this setup, you must have permissions to register an application with your Azure AD tenant and to assign the application to a role in your subscription. If you don't have the necessary permissions, ask your Azure AD or subscription administrator to create a Service Principal. See the table above for the required permissions. Copy the following details for use later in this workflow:
- Client ID—The Application ID associated with the Active Directory application (on the Azure portal, select Home > Azure Active Directory > App registrations, select your application and copy the ID).
- Tenant ID—The Directory ID associated with the Active Directory (on the Azure portal, select Home > Azure Active Directory > Properties > Directory ID and copy the ID).
- Azure Subscription ID—The Azure subscription in which you have deployed the firewalls. Log in to your Azure portal to get this subscription ID.
- Resource Group Name—The resource group in which you have deployed the firewalls that you want to configure as HA peers. Both firewalls must be in the same resource group.
- Secret Key—The authentication key associated with the Active Directory application (on the Azure portal, select Home > Azure Active Directory > Certificates & secrets and copy the Value under Client secrets. If you do not have a Secret Key, create one first, then copy the value). To log in as the application, you must provide both the key value and the Application ID.
- Know where to get the templates you need to deploy the VM-Series firewalls within the same Azure Resource Group. For an HA configuration, both HA peers must belong to the same Azure Resource Group. If you deploy the first instance of the firewall from the Azure Marketplace, you must use your custom ARM template or the Palo Alto Networks sample GitHub template to deploy the second instance of the firewall into the existing Resource Group. You need a custom template or the Palo Alto Networks sample template because the Azure Marketplace solution template cannot deploy the firewall into a Resource Group that is not empty. Copy the deployment information for the first firewall instance. For example:
- Match the VM Name of the VM-Series firewall, as shown in the screenshot above, with the Hostname on the firewall web interface. You must add the same name on Device > Setup > Management, because the hostname of the firewall is used to trigger failover.
- Plan the network interface configuration on the VM-Series firewalls on Azure. To set up HA, you must deploy both HA peers within the same Azure Resource Group, and both firewalls must have the same number of network interfaces. A minimum of four network interfaces is required on each HA peer:
- Management interface (eth0)—Private and public IP address associated with the primary interface. The public IP address enables access to the firewall web interface and SSH access. You can use the private IP address of the management interface as the HA1 peer IP address for the control link communication between the active/passive HA peers. If you want a dedicated HA1 interface, you must attach an additional network interface on each firewall, which means that you need five interfaces on each firewall.
- Untrust interface (eth1/1)—Primary private IP address with /32 netmask. On failover, when the passive peer transitions to the active state, the VM-Series plugin automatically sends traffic to the primary private IP address of the passive peer. The Azure UDRs enable the traffic flow.
- Trust interface (eth1/2)—Primary private IP address. On failover, when the passive peer transitions to the active state, the VM-Series plugin automatically sends traffic to the primary private IP address of the passive peer.
- HA2 (eth1/3)—Primary private IP address. The HA2 interface is the data link that the HA peers use for synchronizing sessions, forwarding tables, IPSec security associations and ARP tables.
Interface | Active firewall peer | Passive firewall peer | Description |
---|---|---|---|
HA2 | Add a NIC to the firewall from the Azure management console. | Add a NIC to the firewall from the Azure management console. | On the active and passive peers, add a dedicated HA2 link to enable session synchronization. The default interface for HA1 is the management interface, and you can opt to use the management interface instead of adding an additional interface to the firewall. To enable data flow over the HA2 link, you need to add an additional network interface on the Azure portal and configure the interface for HA2 on the firewall. |
Configure Active/Passive HA on the VM-Series Firewall on Azure
In this workflow, you deploy the first instance of the VM-Series firewall using the VM-Series firewall solution template in the Azure marketplace, and the second instance of the firewall using the sample GitHub template.
The authentication key (client secret) associated with the Active Directory application required for setting up the VM-Series firewall in an HA configuration is encrypted with VM-Series plugin version 1.0.9 on the firewall and on Panorama. Because the key is encrypted in VM-Series plugin version 1.0.9, you must install the same version of the plugin on Panorama and the managed VM-Series firewalls in order to centrally manage the firewalls from Panorama.
- Deploy the VM-Series firewall using a solution template and set up the network interfaces for HA. For securing east-west traffic within an Azure VNet, you only need a primary IP address for the trust and untrust firewall interfaces. When a failover occurs, the UDR changes and the route points to the primary IP address of the peer that transitions to the active state.
- Add a Primary IP configuration to the trust interface of the active firewall peer. In this workflow, this firewall will be designated as the active peer. The active HA peer has the lower numerical value for device priority, which you configure as part of the HA configuration on the firewall; this value indicates a preference for which firewall assumes the role of the active peer.
- Add a Primary IP configuration to the untrust interface of the active firewall peer.
- Attach a network interface for the HA2 communication between the firewall HA peers.
- Add a subnet within the virtual network.
- Set up your route table on Azure. Create a route whose Next hop is the Primary IP address of the trust and untrust interfaces of the active firewall peer. After failover, the next hop for the Database server to Frontend server route will change from 10.9.2.5 to 10.9.2.4. Similarly, the next hop of the Frontend server to Database server route will change from 10.9.1.5 to 10.9.1.4.
- Configure the interfaces on the firewall. Complete these steps on the active HA peer before you deploy and set up the passive HA peer.
- Log in to the firewall web interface.
- Configure ethernet 1/1 as the untrust interface and ethernet 1/2 as the trust interface. Select Network > Interfaces and configure as follows:
- Configure ethernet 1/3 as the HA interface. To set up the HA2 link, select the interface and set Interface Type to HA. Set link speed and duplex to auto.
- Configure the VM-Series plugin to authenticate to the Azure resource group in which you have deployed the firewall. Set up the Azure HA configuration on the VM-Series plugin. To encrypt the client secret, use VM-Series plugin version 1.0.4 or later. If you use Panorama to manage your firewalls, install VM-Series plugin version 1.0.4 or later on Panorama as well.
- Select Device > VM-Series to enable programmatic access between the firewall plugin and the Azure resources.
- Enter the Client ID. The client ID is the Application ID associated with your Azure Active Directory application.
- Enter the Client Secret and re-enter it to confirm.
- Enter the Tenant ID. The tenant ID is the Directory ID you saved when you set up the Active Directory application.
- Enter the Subscription ID for the Azure subscription you want to monitor.
- Enter the Resource Group name.
- (For Azure Stack deployments only) Enter the Resource Mgr Endpoint URL. This field is available in VM-Series plugin 2.1.2 and later.
- Click Validate to verify that the keys and IDs you entered are valid, and that VM-Series plugin can successfully communicate with the Azure resources using the API.
- Enable HA.
- Select Device > Setup > HA.
- Enter Peer HA1 IP address as the private IP address of the passive peer.
- (Optional) Edit the Control Link (HA1). If you do not plan to use the management interface for the control link and have added an additional interface (for example ethernet 1/4), edit this section to select the interface to use for HA1 communication.
- Edit the Data Link (HA2) to use Port ethernet 1/3 and add the IP address of this peer and the Gateway IP address for the subnet.
- Commit the changes.
- Set up the passive HA peer within the same Azure Resource Group.
- Deploy the second instance of the firewall.
- Download the custom template and parameters file from GitHub.
- Log in to the Azure Portal.
- Search for custom template and select Deploy from a custom template.
- Select Build your own template in the editor > Load file.
- Select the azuredeploy.json that you downloaded earlier, and Save.
- Complete the inputs, agree to the terms, and Purchase. Make sure the following inputs match those of the firewall instance you have already deployed: Azure subscription, name of the Resource Group, location of the Resource Group, name of the existing VNet into which you want to deploy the firewall, VNet CIDR, subnet names, subnet CIDRs, and the start IP address for the management, trust, and untrust subnets.
- Repeat Step 1 and Step 2 to set up the interfaces and configure the firewall as the passive HA peer.
- Skip Step 3 and complete Enable HA (Step 5). In Step 4, modify the IP addresses as appropriate for this passive HA peer.
- After you finish configuring both firewalls, verify that the firewalls are paired in active/passive HA.
- Access the Dashboard on both firewalls, and view the High Availability widget.
- On the active firewall, click the Sync to peer link.
- Confirm that the firewalls are paired and synced, as shown as follows:
- On the passive firewall: the state of the local firewall should display passive, and the Running Config should show as synchronized.
- On the active firewall: the state of the local firewall should display active, and the Running Config should show as synchronized.
- On the passive peer, verify that the VM-Series plugin configuration is now synced. Select Device > VM-Series and validate that you can view the Azure HA configuration that you did not configure on the passive peer.
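The route-table step above is the part of this design that actually moves traffic on failover: the VM-Series plugin rewrites the UDR next hops from the old active peer's interface addresses to the new active peer's. The script below is an added example, not code from Palo Alto Networks or the VM-Series plugin. It checks a route table export against the peer you believe is active and reports any route still pointing at the other peer, and it computes the route list the failover should produce. The peer addresses (10.9.1.5/10.9.2.5 and 10.9.1.4/10.9.2.4) are the ones used in this workflow; the peer names, the 10.9.1.0/24 and 10.9.2.0/24 firewall subnets, the Database and Frontend destination prefixes, and the route JSON (modeled on `az network route-table route list -o json` output) are constructed for the example.

```python
"""Verify that Azure user-defined routes (UDRs) point at the active HA peer.

Added example (not part of the Palo Alto Networks documentation or the
VM-Series plugin). It models the UDR failover the workflow describes: after
a failover, every route whose next hop is the previously active peer must be
rewritten to the same interface on the peer that became active.
"""
import ipaddress
import json

# Primary IP addresses of each HA peer's dataplane interfaces, keyed by the
# subnet they sit in. The addresses match the ones used in the workflow
# above; the subnet prefixes and peer names are constructed for this example.
PEERS = {
    "fw-a": {"10.9.1.0/24": "10.9.1.5", "10.9.2.0/24": "10.9.2.5"},
    "fw-b": {"10.9.1.0/24": "10.9.1.4", "10.9.2.0/24": "10.9.2.4"},
}

# Constructed sample modeled on `az network route-table route list -o json`.
# The Database and Frontend destination prefixes are made up.
SAMPLE_ROUTES_JSON = json.dumps([
    {"name": "db-to-frontend", "addressPrefix": "10.9.4.0/24",
     "nextHopType": "VirtualAppliance", "nextHopIpAddress": "10.9.2.5"},
    {"name": "frontend-to-db", "addressPrefix": "10.9.3.0/24",
     "nextHopType": "VirtualAppliance", "nextHopIpAddress": "10.9.1.5"},
    {"name": "default-internet", "addressPrefix": "0.0.0.0/0",
     "nextHopType": "Internet", "nextHopIpAddress": None},
])


def firewall_subnet(ip):
    """Return the firewall subnet containing ip, or None if it is not one."""
    addr = ipaddress.ip_address(ip)
    for subnet in next(iter(PEERS.values())):
        if addr in ipaddress.ip_network(subnet):
            return subnet
    return None


def expected_next_hop(active_peer, observed_ip):
    """Next hop a route should have if active_peer is the active HA peer.

    Returns None when observed_ip is not in any firewall subnet, i.e. the
    route is not steered by the HA pair.
    """
    subnet = firewall_subnet(observed_ip)
    if subnet is None:
        return None
    return PEERS[active_peer][subnet]


def check_routes(routes_json, active_peer):
    """Compare each VirtualAppliance route with the active peer's addresses.

    Returns a list of findings; ok=False means the UDR still points at the
    other peer (or at an address that belongs to neither peer).
    """
    findings = []
    for route in json.loads(routes_json):
        if route.get("nextHopType") != "VirtualAppliance":
            continue  # Internet, VnetLocal, etc. are not steered by the HA pair
        observed = route["nextHopIpAddress"]
        expected = expected_next_hop(active_peer, observed)
        findings.append({
            "route": route["name"],
            "observed": observed,
            "expected": expected,
            "ok": expected is not None and observed == expected,
        })
    return findings


def failover_routes(routes_json, new_active_peer):
    """Return the route list as it should look after new_active_peer takes over.

    This is the rewrite the plugin applies to the UDR on failover; routes that
    do not point at a firewall interface are left untouched.
    """
    updated = []
    for route in json.loads(routes_json):
        route = dict(route)
        if route.get("nextHopType") == "VirtualAppliance":
            new_hop = expected_next_hop(new_active_peer, route["nextHopIpAddress"])
            if new_hop is not None:
                route["nextHopIpAddress"] = new_hop
        updated.append(route)
    return updated


if __name__ == "__main__":
    # Pretend fw-b has just become active: both sample routes show drift.
    for f in check_routes(SAMPLE_ROUTES_JSON, "fw-b"):
        status = "OK   " if f["ok"] else "DRIFT"
        print(f"{status} {f['route']}: next hop {f['observed']}, expected {f['expected']}")
```

Run it after a failover (or as a periodic check) with the live route table fed in place of the constructed sample; a DRIFT line for either route means the plugin's UDR update did not land and east-west traffic is being sent to the passive peer, which is the first thing to check when the HA widget shows a clean failover but the application stops responding.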