Deploy the HSF Cluster

1. Enter the following details in the vCenter Info pop-up:

   1. Name - Name of the vCenter.
   2. Description - Description of the vCenter.
   3. IP Address/FQDN - IP address of the vCenter.
   4. Username
   5. Password
   6. Confirm Password
   7. Click Validate to check if the entered credentials are valid for HSF deployment and if the vCenter is accessible. Alternatively, you can also check the validity of the vCenter under the Deployment Permissions section of the vCenter page.
   8. Click OK and commit.
2. Navigate to Panorama > SWFW Orchestration > Deployments. Click Add.

   1. Click VM HSF Cluster Details and enter the following details:

      1. VM-HSF Cluster Name - Name of the HSF cluster.
      2. Description - Description of the HSF cluster.
      3. vCenter - Choose the relevant vCenter on which you wish to deploy your HSF cluster.

   2. Click OK.
3. Click Discover Servers and configure the AI-Gateways.

   You can deploy a maximum of four AI-Gateways and six AI-DP firewalls.

   1. vSphere Cluster - Choose the vSphere Cluster in which you wish your gateway to reside in.
   2. Datastore - Choose the necessary datastore you wish to store your data in. Each VM will have a default storage of 60GB. Datastore can be shared datastore or local datastore. For local datastore, create a local datastore with the same name across all hosts within the vSphere cluster.
   3. Discovered Servers - Verify the FQDN/IP Address, VCPU, and Memory of the selected server.

      • The discover servers table is a ready only table which displays the servers available in the chosen vsphere cluster along with its corresponding details such as memory, vCPU and so on.
      • Ensure that the AI-Gateway node memory is at least twice the AI-DP node memory.
   4. Size AI-Gateways - Enter the Number of vCPUs and memory you wish to allocate to your gateway.

      It is recommended that the size of the AI-Gateways be twice that of the AI-DP.
   5. Place AI-Gateways - The node ID (Unique Identifier of the node in a cluster) of the gateway that you wish to associate your cluster with.
      1. Autoplace - Plugin does the auto-placement of the server on which the VM will be associated with.
      2. IP address of the desired server - manual selection of the server to which you wish the VM to be associated with.
         If you select multiple gateways for deployment, then you cannot choose a mix of autoplace or desired host.
   6. Click OK after all the tabs are configured.
4. Click AI-DP and configure the following:

   1. vSphere Cluster - Choose the vSphere Cluster in which you wish your AI-DP to reside in.
   2. Datastore - Choose the necessary datastore you wish to store your data in. Each VM will have a default storage of 60GB. Datastore can be shared datastore or local datastore. For local datastore, create a local datastore with the same name across all hosts within the vSphere cluster.
   3. Discovered Servers - Verify the FQDN/IP Address, VCPU, and memory of the selected server.

      The discover servers table is a ready only table which displays the servers available in the chosen vsphere cluster along with its corresponding details such as memory, vCPU and so on.
   4. Size AI-DP - Enter the Number of vCPUs, memory (a minimum of 8GB memory is required), and the number of AI-DP firewalls you wish to allocate. These AI-DP firewalls will be deployed as part of the initial deployment.

      It is recommended that the vCPU and Memory of the AI-DP be half of the vCPU and Memory of the AI-Gateway.
5. Click Map Interfaces and configure the interfaces for AI-Gateways.

   1. Click Add under the AI-Gateways tab.
   2. Enter a Profile name.
      • Each VM can have 10 interfaces out of which the VM-MGMT, VM-CNTRL, and ethernet 1/1 interfaces are mandatory. The rest of the interfaces can be configured as per your requirement
      • Refrain from deleting an interface profile that is currently in use by existing nodes within the Software Firewall orchestration plugin configuration. Ascertain which profile is assigned to each node in the cluster by viewing the firewall details section under the deployment details status.
      • If you don’t have enough servers within a chosen vSphere cluster and you need to have multiple gateways on the same server, then you will need to configure multiple profiles on the same server. For example, if you wish to deploy 2 gateways and have only 1 host within your vSphere cluster, then create 2 profiles on that host and configure gateway1 with profile1 and gateway2 with profile2.
   3. For all external interfaces, the plugin automatically generates dummy placeholder port groups and virtual standard switches, and interfaces mapped to NA connect to these. For vmxnet3, select the appropriate port group for each interface. You can retain NA for unconfigured external interfaces, which will connect to the dummy port groups.
   4. Select the required Port Group from the drop down. These are the port groups present in the selected vCenter.
   5. (optional) Select the SRIOV Adapter from the drop down.
      It is mandatory that you add the SRIOV as the last interface and all of them must be added continuously one after the other. For example, if the sixth interface is SRIOV then all the interfaces that follow should be SRIOV. For SRIOV, select both the port group and the SRIOV adapter, adding SRIOV interfaces in ascending order (for example, eth1/8 first) due to an ESXi limitation that groups all vmxnet3 interfaces before SRIOV. In mixed mode, VMXNET3 interfaces precedes SRIOV. All SRIOV adapters must be at the end, as the plugin doesn't support placing them between VMXNET3 adapters. The validate button confirms correct SRIOV placement.
6. Click the AI-DP tab and click Add.

   AI-DP does not have external interfaces.

   1. Enter a Profile name in the Interface Profile window.
   2. Select the desired Port Group and SRIOV Adapter for VM-MGMT, VM-CNTRL, and ethernet 1/1 interfaces.
   3. For vmxnet3, choose the corresponding port group for each interface.
      SRIOV interfaces must be added from bottom up. For example, the first SRIOV interface should be eth1/8. For mixed mode, the vmxnet3 comes first in the order and followed by SRIOV interfaces.
   4. Use the validate button to validate the SRIOV order placement.
   5. Click OK.
7. Click Bootstrap Cluster and configure the following bootstrap information for the VM.

   1. Enter the Primary Panorama IP address.
   2. Enter the Secondary Panorama IPaddress, if you have high availability configured in your setup.
   3. Select either New or Existing Device Group Type.
   4. Select a Cluster Template. The template should either be the default template or the clone of the default template.

      1. For vmxnet3, choose plugin created fixed template - AI-HSF-CLUSTERING-DO-NOT-MODIFY
      2. For the SRIOV interface, clone and modify the fixed template and choose that.
   5. Choose a policy template for external interfaces and policies.
   6. (optional) Select a Log Collector Group Type.
   7. Choose to Enable or Disable Jumbo Frame.
   8. Enter the Licensing Authorization Code.

      Authcode must have an HSF subscription.
   9. 1. Choose if the Management IP Type is DHCP Client or Static. If you choose Static, enter the following details:

         1. Default Gateway IP
         2. Netmask
         3. Subnet Address
         4. Primary DNS IP
         5. Secondary DNS IP
      2. You may choose to add Additional Bootstrap Parameters. For more information, see key-value pair.
      Click OK.

8. Click Autoscale Cluster and choose to Enable or Disable autoscaling.

   Autoscaling is supported for DP nodes and not for Gateway nodes within the HSF.

   1. Autoscaling Metric: session utilization percent is the only metric currently supported.
   2. Ensure that the MAx # of AI-DP is greater than the desired number of DP configured.
   3. If you choose to enable autoscaling, select the Autoscaling Metric as session_util and verify if the Scale-out Settings and Scale-in-Settings are set.

      Scale out time and Scale in time can be between 5-60 minutes. The default drain time is 5 mins and is allowed up to 60 mins.

   Click OK after all the tabs are configured.

9. Click Image and configure the image settings.

   Before you go ahead with configuring the image settings, ensure that you have uploaded your PA-VM OVA image to your vCenter Content Library.

   1. Select the vCenter Content Library in which you have uploaded your PA-VM OVA image.
   2. Select the Prisma AIRS AI Runtime firewall Image.

      The Rollback options are applicable only to upgrade scenarios.
   3. Click OK.

10. Click Commit. When the commit begins the Cluster Status changes to Not Deployed.

    1. Click the Deploy button. After the deployment is complete, the Cluster Status changes to Success, Warning, or Failure state. Click Update if you wish to make changes to an existing cluster deployment settings.
    2. After the deployment is complete the status can change to Success, Warning, or Failure.
    3. Click the Cluster Status link displayed against a cluster to get Deployment Status Details such as Firewall Details and Cluster Details.
    4. (optional) Click Undeploy if you wish to delete a cluster deployment.
    5. Click Update to modify or update an existing deployment.

    (optional) Click Recover to recover an existing HSF cluster deployment that's in Failure or Warning state after an Update is run on an existing HSF Cluster Deployment.