Migrate Active/Passive HA on AWS to Secondary IP Mode
Learn how to migrate an active/passive HA pair of VM-Series firewalls on AWS from interface-move HA to secondary-IP HA.
Complete the following procedure to migrate your existing VM-Series firewall HA pair from interface-move HA to secondary-IP HA.
Secondary IP Move HA requires VM-Series plugin 2.0.1 or later.
  1. Upgrade the VM-Series Plugin on the passive HA peer and then the active peer.
  2. Create a secondary IP address for each data interface on the active peer.
    1. Log in to the AWS EC2 console.
    2. Select Network Interfaces and then select your network interface.
    3. Select Actions > Manage IP Addresses > IPv4 Addresses > Assign new IP.
    4. Leave the field blank to allow AWS to assign an IP address dynamically or enter an IP address within the subnet range for the VM-Series firewall.
    5. Click Yes and Update.
  3. Associate a secondary Elastic (public) IP address with the untrust interface of the active peer.
    1. Log in to the AWS EC2 console.
    2. Select Elastic IPs and then select the Elastic IP address to associate.
    3. Select Actions > Associate Elastic IP.
    4. Under Resource Type, select Network Interface.
    5. Choose the network interface with which to associate the Elastic IP address.
    6. Click Associate.
  4. Create a route table associated with the subnet containing the trust interface.
    1. Select Route Tables > Create route table.
    2. (Optional) Enter a descriptive Name tag for your route table.
    3. Select your VPC.
    4. Click Create.
    5. Select Subnet Associations > Edit subnet associations.
    6. Select the Associate checkbox for the subnet containing the trust interface.
    7. Click Save.
  5. Update the IAM role used by the firewall instances with the additional actions and permissions required for secondary IP move HA. In the policy document, the EC2 actions take the ec2: prefix and the IAM actions the iam: prefix.
    IAM Action, Permission, or Resource / Description
    AssociateAddress
      Permission to move public IP addresses associated with the primary IP addresses from the passive to the active interfaces.
    AssignPrivateIpAddresses
      Permission to move secondary IP addresses, and the public IP addresses associated with them, from the passive to the active interfaces.
    UnassignPrivateIpAddresses
      Permission to unassign secondary IP addresses, and the public IP addresses associated with them, from interfaces on the active peer.
    DescribeRouteTables
      Permission to retrieve all route tables associated with the VM-Series firewall instances.
    ReplaceRoute
      Permission to update the AWS route table entries.
    GetPolicyVersion
      Permission to retrieve AWS policy version information.
    GetPolicy
      Permission to retrieve AWS policy information.
    ListAttachedRolePolicies
      Permission to retrieve the list of all managed policies attached to a specified IAM role.
    ListRolePolicies
      Permission to retrieve the names of the inline policies embedded in a specified IAM role.
    GetRolePolicy
      Permission to retrieve a specified inline policy embedded in a specified IAM role.
    policy
      Permission to access the IAM policy Amazon Resource Name (ARN).
    role
      Permission to access the IAM role ARN.
    route-table
      Permission to access the route table ARN.
    Wild card (*)
      In the ARN field, use * as a wild card.
  6. Create new interfaces (ENIs) on the passive firewall in the same subnet as the active firewall data interfaces.
    Do not assign secondary IP addresses to these new interfaces.
    1. Open the Amazon EC2 console.
    2. Select Network Interfaces > Create Network Interface.
    3. Enter a descriptive Name for your new interface.
    4. Under Subnet, select the subnet of the untrust interface of the active firewall.
    5. Under Private IP, leave the field blank to allow AWS to assign an IP address dynamically or enter an IP address within the subnet range for the untrust interface of the active firewall.
    6. Under Security groups, select one or more security groups.
    7. Click Yes, Create.
    8. Select Actions > Change Source/Dest. Check and select Disable.
    9. Repeat these steps for the subnet of the trust interface of the active firewall.
  7. Attach the new ENIs to the passive firewall instance. Attach them in the correct order: the secondary IP HA method matches interfaces by the device index that AWS assigns at attachment time, and the firewall maps device index n to ethernet1/n. For example, if eth1/2 on the active firewall is in subnet A and eth1/3 is in subnet B (AWS has assigned them device indexes 2 and 3), attach the passive firewall's subnet A interface first and then its subnet B interface, so that they receive indexes 2 and 3 as well. If you attach with the AWS CLI or API instead of the console, set the index explicitly (aws ec2 attach-network-interface --device-index N). The indexes must match on both peers for failover to succeed.
    1. To attach the ENIs created above, select the untrust interface you created and click Attach.
    2. Select the Instance ID of the passive firewall and click Attach.
    3. Repeat these steps for the trust interface.
  8. Log in to the passive peer and set the data interfaces to obtain their IP addresses through DHCP.
    1. Log in to the passive VM-Series firewall web interface.
    2. Select Network > Interfaces.
    3. Click on the first data interface.
    4. Select IPv4.
    5. Select DHCP Client.
    6. On the untrust interface only, select Automatically create default route pointing to default gateway provided by server.
    7. Click OK.
    8. Repeat this process for each data interface.
  9. If you have configured any NAT policies on the VM-Series firewall that reference the private IP addresses of the data interfaces, update those policies to reference the newly assigned secondary IP addresses instead.
    1. Access the web interface of the active VM-Series firewall.
    2. Select Policies > NAT.
    3. Click on the NAT policy rule to be modified and then Translated Packet.
    4. Under Translated Address, click Add and enter the secondary IP address created in AWS.
    5. Delete the primary IP address.
    6. Click OK.
    7. Repeat these steps as necessary.
    8. Commit your changes.
  10. Enable secondary IP HA failover mode.
    1. Access the VM-Series firewall CLI on the active peer.
    2. Execute the following command.
      request plugins vm_series aws ha failover-mode secondary-ip
    3. Commit your changes.
    4. Confirm your HA mode by executing the following command.
      show plugins vm_series aws ha failover-mode
    5. Repeat this command on the passive peer.
  11. After you finish configuring HA on both firewalls, verify that the firewalls are paired in active/passive HA.
    1. Access the Dashboard on both firewalls and view the High Availability widget.
    2. On the active HA peer, click Sync to peer.
    3. Confirm that the firewalls are paired and synced.
      • On the passive firewall: the state of the local firewall should display Passive and the Running Config should show as Synchronized.
      • On the active firewall: the state of the local firewall should display Active and the Running Config should show as Synchronized.
    4. From the firewall command line interface, execute the following commands:
      • To verify failover readiness:
        show plugins vm_series aws ha state
      • To show the secondary IP mapping:
        show plugins vm_series aws ha ips
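The steps above are console clicks with no built-in check that the IAM policy (step 5) and the ENI layout (steps 2, 6 and 7) are actually right before you flip the failover mode. The following Python script is an added example, not Palo Alto Networks or AWS code. It works on the record shape returned by EC2 DescribeNetworkInterfaces (boto3 or `aws ec2 describe-network-interfaces`) and on a standard IAM policy document, but every ENI and policy in it is constructed so that it runs with no AWS access; the ec2: and iam: service prefixes are added to the action names from the step 5 table, and the subnet and ENI identifiers are invented.

```python
# Offline pre-flight checks for migrating VM-Series A/P HA on AWS to
# secondary-IP mode. Added example; not Palo Alto Networks or AWS code.
# Input records follow the EC2 DescribeNetworkInterfaces shape (only the
# fields used here are constructed).
from fnmatch import fnmatchcase
import json

# Actions from the step 5 table, with their IAM service prefixes added.
REQUIRED_ACTIONS = [
    "ec2:AssociateAddress",
    "ec2:AssignPrivateIpAddresses",
    "ec2:UnassignPrivateIpAddresses",
    "ec2:DescribeRouteTables",
    "ec2:ReplaceRoute",
    "iam:GetPolicyVersion",
    "iam:GetPolicy",
    "iam:ListAttachedRolePolicies",
    "iam:ListRolePolicies",
    "iam:GetRolePolicy",
]


def ha_policy_document(resource="*"):
    """Policy document granting exactly the secondary-IP HA actions."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": REQUIRED_ACTIONS,
                           "Resource": resource}]}


def missing_actions(policy_doc):
    """Required actions that an existing policy document does not allow.
    Allow statements are matched with IAM-style wildcards ('*', 'ec2:*',
    'ec2:Describe*'); Deny statements are deliberately ignored."""
    patterns = []
    for stmt in policy_doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        patterns.extend([actions] if isinstance(actions, str) else actions)
    return [a for a in REQUIRED_ACTIONS
            if not any(fnmatchcase(a, p) for p in patterns)]


def _eni(eni_id, index, subnet, primary, secondary=None, src_dst_check=False):
    """Build a constructed DescribeNetworkInterfaces-style record."""
    ips = [{"PrivateIpAddress": primary, "Primary": True}]
    if secondary:
        ips.append({"PrivateIpAddress": secondary, "Primary": False})
    return {"NetworkInterfaceId": eni_id, "SubnetId": subnet,
            "SourceDestCheck": src_dst_check,
            "Attachment": {"DeviceIndex": index}, "PrivateIpAddresses": ips}


def eni_layout_problems(active_enis, passive_enis):
    """Compare the data-plane ENIs (device index >= 1; index 0 is management)
    of the two peers: same subnet at every device index (step 7), secondary
    IPs on the active peer only (steps 2 and 6), source/dest check disabled
    on the passive ENIs (step 6). Returns findings; empty means ready."""
    def by_index(enis):
        return {e["Attachment"]["DeviceIndex"]: e
                for e in enis if e["Attachment"]["DeviceIndex"] >= 1}

    active, passive = by_index(active_enis), by_index(passive_enis)
    findings = []
    for idx, a in sorted(active.items()):
        p = passive.get(idx)
        if p is None:
            findings.append(f"index {idx}: passive peer has no ENI attached")
            continue
        if a["SubnetId"] != p["SubnetId"]:
            findings.append(f"index {idx}: active in {a['SubnetId']} but passive "
                            f"in {p['SubnetId']} (attached in the wrong order)")
        if p["SourceDestCheck"]:
            findings.append(f"index {idx}: {p['NetworkInterfaceId']} still has "
                            "source/dest check enabled")
        if any(not ip["Primary"] for ip in p["PrivateIpAddresses"]):
            findings.append(f"index {idx}: passive ENI must not carry secondary IPs")
        if not any(not ip["Primary"] for ip in a["PrivateIpAddresses"]):
            findings.append(f"index {idx}: active ENI has no secondary IP to float")
    for idx in sorted(set(passive) - set(active)):
        findings.append(f"index {idx}: passive peer has an extra ENI")
    return findings


# Constructed sample: index 1 = ethernet1/1 (untrust, subnet-a),
# index 2 = ethernet1/2 (trust, subnet-b). IDs and addresses are invented.
ACTIVE_ENIS = [
    _eni("eni-act0", 0, "subnet-mgmt", "10.0.0.10"),
    _eni("eni-act1", 1, "subnet-a", "10.0.1.10", secondary="10.0.1.100"),
    _eni("eni-act2", 2, "subnet-b", "10.0.2.10", secondary="10.0.2.100"),
]
PASSIVE_ENIS_OK = [
    _eni("eni-pas0", 0, "subnet-mgmt", "10.0.0.11"),
    _eni("eni-pas1", 1, "subnet-a", "10.0.1.11"),
    _eni("eni-pas2", 2, "subnet-b", "10.0.2.11"),
]
# Same ENIs attached in the wrong order, one with source/dest check still on.
PASSIVE_ENIS_BAD = [
    _eni("eni-pas0", 0, "subnet-mgmt", "10.0.0.11"),
    _eni("eni-pas2", 1, "subnet-b", "10.0.2.11"),
    _eni("eni-pas1", 2, "subnet-a", "10.0.1.11", src_dst_check=True),
]

if __name__ == "__main__":
    print(json.dumps(ha_policy_document(), indent=2))
    for name, enis in (("ok", PASSIVE_ENIS_OK), ("bad", PASSIVE_ENIS_BAD)):
        print(name, eni_layout_problems(ACTIVE_ENIS, enis) or "ready")
```

To use it against a real pair, feed `eni_layout_problems` the `NetworkInterfaces` lists that `describe-network-interfaces --filters Name=attachment.instance-id,Values=<id>` returns for each instance, and `missing_actions` the policy documents pulled with the iam:Get* calls listed in step 5. `missing_actions` is intentionally lenient about Deny statements and conditions; a clean result means the Allow side covers the plugin's needs, not that nothing else blocks them.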