Configure Active/Passive HA on OCI

You can configure a pair of VM-Series firewalls on OCI in an active/passive high availability (HA) configuration. To ensure uptime in an HA setup on OCI, you must create secondary, floating IP addresses that can quickly move from one peer to the other. When the active firewall goes down, the floating IP addresses move from the failed peer to the passive firewall so that it can seamlessly secure traffic as soon as it becomes the active peer. In addition to the floating IP addresses, the HA peers also need HA links—a control link (HA1) and a data link (HA2)—to synchronize data and maintain state information.
The VM-Series firewall for OCI in FIPS mode does not support high availability.
To allow the firewalls to move the floating IP address upon failover, you must place the firewall instances in a dynamic group on OCI. Dynamic groups let you treat the firewall instances as principal actors and write policy that allows the instances in the dynamic group to make API calls against OCI services. You will use matching rules to add the HA peer instances to the dynamic group and then create the policy that allows them to move the floating IP from one VNIC to another.
Both VM-Series firewalls in the HA pair must have the same number of network interfaces. Each firewall requires a minimum of four interfaces—management, untrust, trust, and HA. You can configure additional data interfaces as required by your deployment.
  • Management interface—the private and public IP addresses associated with the primary interface. You can use the private IP address on the management interface as the IP address for the HA1 interface between the peers. If you want a dedicated HA interface, you must attach an additional interface to each firewall, for a total of five interfaces each.
  • Untrust and trust interfaces—each of these data interfaces on the active HA peer requires a primary and a secondary IP address. Upon failover, when the passive HA peer transitions to the active state, the secondary private IP address is detached from the previously active peer and attached to the now active HA peer.
  • HA2 interface—this interface has a single private IP address on each HA peer. The HA2 interface is the data link peers use to synchronize sessions, forwarding tables, IPsec security associations, and ARP tables.
  1. Deploy the VM-Series Firewall From the Oracle Cloud Marketplace and set up the network interfaces for HA.
    1. (Optional) Configure a dedicated HA1 interface on each HA peer.
      1. From the OCI Console, select Compute > Instances and click on the name of your active peer instance.
      2. Select Attached VNICs and click Create VNIC.
      3. Enter a descriptive name for your HA1 interface.
      4. Select the VCN and subnet.
      5. Enter a private IP address.
      6. Click Create VNIC.
      7. Repeat this process on your passive peer instance.
    2. Configure an HA2 interface on each HA peer.
      1. From the OCI Console, select Compute > Instances and click on the name of your active peer instance.
      2. Select Attached VNICs and click Create VNIC.
      3. Enter a descriptive name for your HA2 interface.
      4. Select the VCN and subnet. The HA2 interface should be on a separate subnet from your data interfaces.
      5. Enter a private IP address.
      6. Click Create VNIC.
      7. Repeat this process on your passive peer instance.
    3. Add a secondary IP address to your dataplane interfaces on the active peer.
      1. From the OCI Console, select Compute > Instances and click on the name of your active peer instance.
      2. Select Attached VNICs and click on your untrust VNIC.
      3. Select IP Addresses and click Assign Private IP Address.
      4. Enter the IP address and click Assign.
      5. Repeat this procedure for each dataplane interface on your active peer.
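The VNIC layout built in the steps above has to satisfy several constraints at once: both peers need the same number and roles of interfaces, HA2 must sit on its own subnet, every floating IP must belong to the subnet of the VNIC that carries it, and OCI will only move a secondary private IP between VNICs in the same subnet. The script below is an added example, not code from the Palo Alto Networks or Oracle documentation; it models each peer as a list of VNICs as you would read them off Compute > Instances > Attached VNICs and reports any violation before you enable HA. The Vnic model, the role names and the sample inventories are constructed for the example.

```python
"""Pre-flight check of a VM-Series HA pair's VNIC layout on OCI (added example)."""
import ipaddress
from dataclasses import dataclass, field

DATA_ROLES = ("untrust", "trust")
REQUIRED_ROLES = ("mgmt", "untrust", "trust", "ha2")


@dataclass
class Vnic:
    role: str                 # mgmt, untrust, trust, ha2, or ha1 (assumed labels)
    subnet: str               # CIDR of the subnet the VNIC is attached to
    primary_ip: str
    secondary_ips: list = field(default_factory=list)  # floating IPs on this VNIC


def validate_ha_pair(active, passive):
    """Return a list of problems found; an empty list means the layout is usable."""
    problems = []
    by_role = {"active": {v.role: v for v in active},
               "passive": {v.role: v for v in passive}}
    # Both peers must have the same number of interfaces, with the same roles.
    if len(active) != len(passive):
        problems.append(f"VNIC count differs: active={len(active)} passive={len(passive)}")
    if set(by_role["active"]) != set(by_role["passive"]):
        diff = sorted(set(by_role["active"]) ^ set(by_role["passive"]))
        problems.append(f"interface roles differ: {diff}")
    for role in REQUIRED_ROLES:
        if role not in by_role["active"]:
            problems.append(f"active peer has no {role} interface")
    for name, peer in (("active", active), ("passive", passive)):
        data_subnets = {v.subnet for v in peer if v.role in DATA_ROLES}
        for v in peer:
            net = ipaddress.ip_network(v.subnet, strict=False)
            # Every address on the VNIC must belong to the VNIC's subnet.
            for addr in [v.primary_ip, *v.secondary_ips]:
                if ipaddress.ip_address(addr) not in net:
                    problems.append(f"{name} {v.role}: {addr} is not in {v.subnet}")
            # HA2 must not share a subnet with a data interface.
            if v.role == "ha2" and v.subnet in data_subnets:
                problems.append(f"{name} ha2 shares subnet {v.subnet} with a data interface")
            # Floating IPs live on the active peer only, until failover moves them.
            if name == "active" and v.role in DATA_ROLES and not v.secondary_ips:
                problems.append(f"active {v.role} has no floating (secondary) IP")
            if name == "passive" and v.secondary_ips:
                problems.append(f"passive {v.role} already holds {v.secondary_ips}")
    # OCI moves a secondary private IP only between VNICs in the same subnet.
    for role in DATA_ROLES:
        a, p = by_role["active"].get(role), by_role["passive"].get(role)
        if a and p and a.subnet != p.subnet:
            problems.append(f"{role} VNICs are in different subnets "
                            f"({a.subnet} vs {p.subnet}); floating IP cannot move")
    return problems


# Constructed sample inventory: four VNICs per peer, HA1 carried on the management interface.
ACTIVE = [
    Vnic("mgmt", "10.0.0.0/24", "10.0.0.11"),
    Vnic("untrust", "10.0.1.0/24", "10.0.1.11", ["10.0.1.100"]),
    Vnic("trust", "10.0.2.0/24", "10.0.2.11", ["10.0.2.100"]),
    Vnic("ha2", "10.0.3.0/24", "10.0.3.11"),
]
PASSIVE = [
    Vnic("mgmt", "10.0.0.0/24", "10.0.0.12"),
    Vnic("untrust", "10.0.1.0/24", "10.0.1.12"),
    Vnic("trust", "10.0.2.0/24", "10.0.2.12"),
    Vnic("ha2", "10.0.3.0/24", "10.0.3.12"),
]
# A misconfigured passive peer: HA2 placed on the trust subnet and a stray secondary IP.
BAD_PASSIVE = [
    Vnic("mgmt", "10.0.0.0/24", "10.0.0.12"),
    Vnic("untrust", "10.0.1.0/24", "10.0.1.12", ["10.0.1.100"]),
    Vnic("trust", "10.0.2.0/24", "10.0.2.12"),
    Vnic("ha2", "10.0.2.0/24", "10.0.2.13"),
]

if __name__ == "__main__":
    for label, passive in (("good", PASSIVE), ("bad", BAD_PASSIVE)):
        print(label, validate_ha_pair(ACTIVE, passive) or "OK")
```

Run it against your own inventory by replacing the sample lists; a non-empty result for the "good" pair means one of the OCI-side steps above was skipped or applied to the wrong VNIC.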
  2. Create security rules to allow the HA peers to synchronize data and maintain state information. The default security list of a subnet does not open the HA ports, so you must add ingress rules for them on the HA1 and HA2 subnets.
    1. Open the ports for your HA1 interface.
      1. From the OCI Console, select Networking > Virtual Cloud Networks and select your VCN.
      2. Select Subnets and select the subnet containing your HA1 interface.
      3. Select Security Lists and click the default security list to edit it.
      4. Click Add Ingress Rule.
      5. Enter the HA1 address of the other peer as the Source CIDR. A /32 of that address limits the rule to the peer itself; a wider CIDR exposes the HA1 ports to every host in it.
      6. Select TCP from the IP Protocol drop-down and enter 28260 as the Destination Port Range.
      7. Click +Additional Ingress Rule and add a second TCP rule for port 28769. HA1 clear-text communication uses both ports.
      8. If encryption is enabled on your VM-Series firewall for the HA1 link, add two more rules: one for TCP port 28 and one for ICMP.
      9. Click Add Ingress Rules.
    2. Open the ports for your HA2 interface.
      1. From the OCI Console, select Networking > Virtual Cloud Networks and select your VCN.
      2. Select Subnets and select the subnet containing your HA2 interface.
      3. Select Security Lists and click the default security list to edit it.
      4. Click Add Ingress Rule.
      5. Enter the HA2 address of the other peer as the Source CIDR (a /32 limits the rule to that peer).
      6. Select the protocol that matches the HA2 transport you will configure on the firewall: UDP for UDP transport, or IP protocol 99 for IP transport.
      7. For UDP transport, enter 29281 as the Destination Port Range. For IP transport there is no port to enter: 99 is an IP protocol number, not a port, so the rule matches on the protocol alone. If the console's protocol drop-down does not offer protocol 99, create the rule through the OCI CLI or API, which accept the protocol number as a string, or use UDP transport instead.
      8. Click Add Ingress Rules.
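The two security-list procedures above reduce to a small, fixed set of ingress rules whose only variables are the peer's HA addresses, whether HA1 encryption is on, and the HA2 transport. The script below is an added example, not code from the Palo Alto Networks or Oracle documentation: it builds those rules in the shape of the OCI API IngressSecurityRule object (the JSON that `oci network security-list update --ingress-security-rules file://rules.json` accepts; the field names are taken from that schema and are an assumption here) and pins every source to the peer's address as a /32 so that only the other peer can reach the HA ports. The port and protocol numbers are the ones cited in the steps above; the peer addresses are constructed sample values.

```python
"""Generate OCI security-list ingress rules for a VM-Series HA pair (added example)."""
import ipaddress
import json

TCP, UDP, ICMP = "6", "17", "1"          # IANA protocol numbers, as OCI expects them
HA1_CLEARTEXT_PORTS = (28260, 28769)     # HA1 control link, clear text
HA1_ENCRYPTED_PORT = 28                  # HA1 control link when encryption is enabled
HA2_UDP_PORT = 29281                     # HA2 data link, UDP transport
HA2_IP_PROTOCOL = "99"                   # HA2 data link, IP transport (a protocol, not a port)


def _host_cidr(ip):
    """Pin a rule to a single peer address rather than its whole subnet."""
    return f"{ipaddress.ip_address(ip)}/32"


def _rule(protocol, source, description, port=None):
    # Shape follows the OCI IngressSecurityRule schema (assumed here, see lead-in).
    rule = {
        "protocol": protocol,
        "source": source,
        "sourceType": "CIDR_BLOCK",
        "isStateless": False,
        "description": description,
    }
    if port is not None:
        options = "tcpOptions" if protocol == TCP else "udpOptions"
        rule[options] = {"destinationPortRange": {"min": port, "max": port}}
    return rule


def ha1_ingress_rules(peer_ha1_ip, encrypted=False):
    """Rules for the subnet that carries this peer's HA1 interface."""
    src = _host_cidr(peer_ha1_ip)
    rules = [_rule(TCP, src, f"HA1 control link TCP {p}", p) for p in HA1_CLEARTEXT_PORTS]
    if encrypted:
        rules.append(_rule(TCP, src, "HA1 encrypted control link TCP 28", HA1_ENCRYPTED_PORT))
        rules.append(_rule(ICMP, src, "HA1 ICMP (required with HA1 encryption)"))
    return rules


def ha2_ingress_rules(peer_ha2_ip, transport="udp"):
    """Rules for the HA2 subnet; transport must match the firewall's HA2 Transport setting."""
    src = _host_cidr(peer_ha2_ip)
    if transport == "udp":
        return [_rule(UDP, src, "HA2 data link UDP 29281", HA2_UDP_PORT)]
    if transport == "ip":
        return [_rule(HA2_IP_PROTOCOL, src, "HA2 data link IP protocol 99")]
    raise ValueError("HA2 transport on OCI must be 'udp' or 'ip'; 'ethernet' is not supported")


def render(rules):
    """JSON suitable for the --ingress-security-rules file of the OCI CLI."""
    return json.dumps(rules, indent=2)


if __name__ == "__main__":
    # Constructed sample: peer HA1 on the management subnet, HA2 on its own subnet.
    print(render(ha1_ingress_rules("10.0.0.12", encrypted=True)))
    print(render(ha2_ingress_rules("10.0.3.12", transport="ip")))
```

Generate one file per peer (each peer's list needs the other peer's address as the source) and apply it to the security list of the HA1 and HA2 subnets; note that updating a security list replaces its whole ingress rule set, so merge these rules with any existing ones before applying.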
  3. Add both HA peers to a dynamic group and create a policy that allows the HA peers to move the floating IP address. You need the OCID of each HA peer instance to build the dynamic group matching rules, so have those on hand to paste into the rule builder.
    1. Create the dynamic group.
      1. From the OCI Console, select Identity > Dynamic Groups > Create Dynamic Group.
      2. Enter a descriptive Name for your dynamic group.
      3. Click Rule Builder.
      4. Select Any of the following rules from the first drop-down.
      5. Select Match instances with ID: from the Attributes drop-down and paste one of the peer OCIDs into the Value field.
      6. Click +Additional Line.
      7. Select Match instances with ID: from the Attributes drop-down and paste the other peer OCID into the Value field.
      8. Click Add Rule.
      9. Click Create Dynamic Group.
    2. Create the policy rule.
      1. From the OCI Console, select Identity > Policies > Create Policy.
      2. Enter a descriptive Name for your policy.
      3. Enter the first policy statement.
        Allow dynamic-group <dynamic_group_name> to use virtual-network-family in compartment <compartment_name>
      4. Click +Another Statement.
      5. Enter the second policy statement.
        Allow dynamic-group <dynamic_group_name> to use instance-family in compartment <compartment_name>
      6. Click Create.
      Both statements grant the peers use rights over every network and compute resource in the compartment, not only the HA pair's own VNICs and private IPs. Keep that compartment scoped to the firewall deployment, and if you later tighten these statements, test a failover afterwards to confirm the floating IP move is still permitted.
  4. Configure the interfaces on the firewall. You must configure the HA2 data link and at least two Layer 3 interfaces for your untrust and trust interfaces. Complete this workflow on the first HA peer and then repeat the steps on the second HA peer.
    1. Log in to the firewall web interface.
    2. (Optional) If you are using the management interface as HA1, set the management interface IP Type to Static and configure a DNS server. Skip this step if you attached a dedicated HA1 interface.
      1. Select Device > Setup > Interfaces > Management.
      2. Set the IP Type to Static.
      3. Enter the private IP address of the primary VNIC of your VM-Series firewall instance.
      4. Click OK.
      5. Select Device > Setup > Services.
      6. Click Edit.
      7. Enter the IP address of the Primary DNS Server.
      8. Click OK.
      9. Commit your changes.
    3. Select Network > Interfaces > Ethernet. In this example, ethernet 1/1 is the HA2 interface, ethernet 1/2 is the trust interface, and ethernet 1/3 is the untrust interface; configure each as follows.
    4. Click the link for ethernet 1/1 and configure as follows:
      • Interface Type: HA
    5. Click the link for ethernet 1/2 and configure as follows:
      • Interface Type: Layer3
      • On the Config tab, assign the interface to the default router.
      • On the Config tab, expand the Security Zone drop-down and select New Zone. Define a new zone, for example trust-zone, and then click OK.
      • On the IPv4 tab, select Static.
      • Click Add in the IP section and enter the primary IP address and network mask for the interface. Make sure that the IP address matches the IP address that you assigned to the corresponding subnet in VCN. For example, if you add this interface to your trust zone, make sure you assign the trust vNIC IP address configured in your VCN.
      • Click Add in the IP section and enter the secondary, floating IP address and network mask.
    6. Click the link for ethernet 1/3 and configure as follows:
      • Interface Type: Layer3
      • On the Config tab, assign the interface to the default router.
      • On the Config tab, expand the Security Zone drop-down and select New Zone. Define a new zone, for example untrust-zone, and then click OK.
      • On the IPv4 tab, select Static.
      • Click Add in the IP section and enter the primary IP address and network mask for the interface. Make sure that the IP address matches the IP address that you assigned to the corresponding subnet in VCN. For example, if you add this interface to your untrust zone, make sure you assign the untrust vNIC IP address configured in your VCN.
      • Click Add in the IP section and enter the secondary, floating IP address and network mask.
  5. Enable HA.
    1. Select Device > High Availability > General.
    2. Edit the Setup settings.
    3. In the Peer HA1 IP Address field, enter the HA1 IP address of the other peer: the passive peer's address when you configure the active firewall, and the active peer's address when you repeat this step on the passive firewall.
    4. Click OK.
    5. (Optional) Edit the Control Link (HA1). If you do not plan to use the management interface for the control link and have added an additional interface (for example ethernet 1/4), edit this section to select the interface to use for HA1 communication.
    6. Edit the Data Link (HA2) to use Port ethernet 1/1 and enter the private IP address and netmask of this firewall's own HA2 VNIC, together with the Gateway IP address of the HA2 subnet.
    7. Select IP or UDP from the Transport drop-down, matching the protocol you opened in the HA2 subnet's security list. Ethernet transport is not supported on OCI.
    8. Click OK.
  6. Commit your changes.
  7. Repeat step 4 and step 5 on the passive HA peer.
  8. After you finish configuring HA on both firewalls, verify that the firewalls are paired in active/passive HA.
    1. Access the Dashboard on both firewalls and view the High Availability widget.
    2. On the active HA peer, click Sync to peer.
    3. Confirm that the firewalls are paired and synced.
      • On the passive firewall: the state of the local firewall should display Passive and the Running Config should show as Synchronized.
      • On the active firewall: the state of the local firewall should display Active and the Running Config should show as Synchronized.