Configure an NGFW Cluster

Configure an NGFW cluster of two PA-7500 Series firewalls for node redundancy.
Before you configure an NGFW cluster, complete the following prerequisites:
  • Confirm that Panorama and the PA-7500 Series firewalls that you will assign to an NGFW cluster are all running the same software version (PAN-OS 11.1.3 or a later 11.1 release).
  • Install Panorama Clustering Plugin 2.0.0 if you are using PAN-OS 11.1.3; refer to Install Panorama Plugins. For subsequent PAN-OS releases, you must install a compatible Panorama Clustering Plugin release. Also refer to Panorama Plugin for Clustering in the VM-Series and Panorama Plugin Release Notes.
  • Be familiar with Panorama tasks, such as managing devices and creating templates, template stacks, and device groups.
  • Add the two PA-7500 Series firewalls as managed devices of Panorama so that they are communicating with each other over the management interface. Confirm by selecting Panorama > Managed Devices > Summary and verifying that the two firewalls (nodes) have an IP address on their management interface and that the Device State is Connected.
  • Connect the PA-7500 Series firewalls back-to-back with 100G or 400G HSCI-A and HSCI-B links. (Verify the connections on each firewall with the CLI command show interface all, which lists the hsci-a and hsci-b interfaces.)
  • Familiarize yourself with NGFW Clusters.
The steps in this example task are based on a topology with two MC-LAGs. The orange links connected to Node 1 and Node 2 on the client side belong to AE1 (an MC-LAG). The orange links connected to Node 1 and Node 2 on the server side belong to AE2 (another MC-LAG). Traffic from the client at 4.1.7.100 goes to the switch, is divided between the two AE1 member interfaces (one on each node), egresses the two AE2 member interfaces to the switch, and then travels over the orange link to the server at 4.1.8.200.
The grey links connected to Node 1 and Node 2 are orphan ports. Traffic from the client at 4.1.1.100 goes to the switch, to Node 1, across an HSCI interface to Node 2, egresses Node 2 to the switch, and then reaches the server at 4.1.2.100.
  1. Create an NGFW cluster.
    1. Select Panorama > Firewall Clusters > Create Cluster.
    2. Enter a Cluster Name. Alphanumeric characters, underscores (_), hyphens (-), dots (.), and spaces are allowed.
    3. Select Cluster Type as PA.
    4. Click OK.
  2. Add the firewalls to the cluster.
    1. Select Panorama > Firewall Clusters > Summary View and select the cluster you created.
    2. Enter a Group ID in the range 1 to 63; the default is 1.
    3. Select the two PA-7500 Series firewalls to assign to the cluster. The first firewall you select automatically becomes Node 1.
    4. Click OK.
    5. View the firewalls in the cluster by selecting Panorama > Firewall Clusters > Summary View and selecting the cluster you created. The General tab displays non-configurable fields: the device serial number and the Node ID (1 or 2). Click OK to close the window.
    6. Select Commit to Panorama and Commit. Both firewalls reboot and are assigned a Node ID, their existing configuration (policy, network, and so on) is cleared, and the firewalls reconnect to Panorama. Because the existing configuration is cleared, back up anything on the firewalls that you want to keep before this commit.
    7. Select Push to Devices, select Push All Changes, select the newly created firewall cluster, and Push.
  3. Verify the cluster state and node state from the CLI of each firewall.
    1. > show cluster leader
    2. > show cluster local node-id
    3. > show cluster local state
    4. > show cluster all
    5. > exit
  4. View the Config Sync Status.
    1. Select Panorama > Firewall Clusters > Summary View and select PA-Series.
    2. View the Config Sync Status. After the commit and push are successful, the firewalls have a Config Sync Status of In Sync.
  5. Add a cluster template.
    1. Select Panorama > Templates and Add a template.
    2. Enter a Name and Description for the template.
    3. Enable clustering. You must enable clustering when you first create the template; you can't go back and enable it later.
    4. Click OK.
  6. Create a template stack.
    1. Select Panorama > Templates > Add Stack.
    2. Enter a Name for the template stack.
    3. In the Devices section, select the two firewalls in the cluster.
    4. In the Templates section, Add the template you created.
    5. Enable clustering. You must enable clustering when you first create the template stack; you can't go back and enable it later. (If you don't Enable clustering for the template stack now, it won't match the template and an Operation Failed message appears.)
    6. Click OK.
  7. Add a device group.
    1. Select Panorama > Device Groups > Add.
    2. Enter a Name for the device group.
    3. In the Devices section, select the names of the two firewalls in the cluster.
    4. In the Reference Templates section, Add the template stack that you created.
    5. Click OK.
  8. Select Commit to Panorama and Commit to apply your configuration in Panorama.
  9. (Two-node cluster only) Verify that the Management interface permits the same IP addresses on the two nodes. The firewalls use the Management interface to exchange heartbeats that detect and avoid a split-brain situation, so a permitted-IP list that blocks the peer silently disables that protection.
    1. Select Device > Setup > Interfaces.
    2. In the Template field, select your template.
    3. Select the Management interface.
    4. If you added Permitted IP Addresses on one of the nodes, you must also permit the same IP addresses on the peer node. Each node must be able to reach the Management interface of the peer node. (If you deny the IP address or network of the peer, split-brain detection won't work.)
    5. Click OK.
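The check in the previous step is easy to get wrong in one direction only (node 1 permits node 2 but not the reverse). The following is an added example, not code from the PAN-OS documentation or from Palo Alto Networks: it takes each node's management IP and Permitted IP Addresses list, tests reachability in both directions, and suggests the minimal fix. The node names, addresses and the dictionary layout are constructed for the example; it treats an empty permitted list as unrestricted, which is how the Management interface behaves when no Permitted IP Addresses are configured.

```python
import ipaddress

# Constructed sample: management IP and Permitted IP Addresses of each node.
# node2's list was written for an admin subnet only and omits node1, which
# is exactly the asymmetry that breaks split-brain detection.
NODES = {
    "node1": {"mgmt_ip": "10.0.0.11", "permitted": ["10.0.0.0/24", "192.0.2.10"]},
    "node2": {"mgmt_ip": "10.0.0.12", "permitted": ["192.0.2.0/24"]},
}


def permits(permitted, ip):
    """True if `ip` falls inside any entry of a Permitted IP Addresses list.
    A bare host entry counts as a /32 (or /128) network. An empty list means
    no restriction, so every address is permitted."""
    if not permitted:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(entry, strict=False) for entry in permitted)


def check_split_brain_reachability(nodes):
    """Return one finding per node whose Permitted IP Addresses block the
    peer's management address. An empty list means the pair is consistent
    in both directions, which is what the heartbeat exchange needs."""
    names = list(nodes)
    if len(names) != 2:
        raise ValueError("two-node cluster expected")
    findings = []
    for me, peer in (names, names[::-1]):
        peer_ip = nodes[peer]["mgmt_ip"]
        if not permits(nodes[me]["permitted"], peer_ip):
            findings.append(f"{me}: Permitted IP Addresses do not include peer {peer} ({peer_ip})")
    return findings


def fixed_permitted(nodes):
    """Return a copy of `nodes` with the peer management IP appended to every
    list that currently blocks it (the smallest change that restores the
    heartbeat path without opening the interface to anyone else)."""
    out = {n: dict(v, permitted=list(v["permitted"])) for n, v in nodes.items()}
    names = list(out)
    for me, peer in (names, names[::-1]):
        peer_ip = out[peer]["mgmt_ip"]
        if not permits(out[me]["permitted"], peer_ip):
            out[me]["permitted"].append(peer_ip)
    return out


if __name__ == "__main__":
    for finding in check_split_brain_reachability(NODES):
        print("FINDING:", finding)
    repaired = fixed_permitted(NODES)
    print("findings after fix:", check_split_brain_reachability(repaired))
    print("node2 permitted after fix:", repaired["node2"]["permitted"])
```

Run it before the final push: any finding means one node's heartbeats will be dropped at the peer's management interface. The fix adds only the peer's host address rather than its whole subnet, so the permitted list stays as tight as it was.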
  10. Configure the template.
    1. Select Network.
    2. In the Template field, select your template.
  11. To configure the orphan port, configure a Layer 3 interface on the firewall that connects to the client.
    1. Select Network > Interfaces > Cluster Ethernet and Add Interface.
    2. Select the Node ID (1 for this example).
    3. Select the Slot (Slot 4).
    4. Select the Interface Name, for example, node1:ethernet4/6.
    5. Select the Interface Type as Layer3.
    6. On the Config tab, create a Logical Router by adding a Name; click OK.
    7. Create a Security Zone, such as client.
    8. Select IPv4, select the Type as Static, for example, and Add the IPv4 address with netmask (4.1.1.1/24 in this example). Alternatively, select IPv6, Enable IPv6 on the interface, select the Type as Static, and Add the IPv6 address with network prefix length. This task example uses static IP addressing; DHCP, DHCPv6, PPPoE, and PPPoEv6 are also supported.
    9. Select the Advanced tab and then the Other Info tab.
    10. For Management Profile, create a new Interface Management profile to allow access to the interface. Select the management and network services allowed (such as HTTPS, SSH, and Ping) and click OK. Enabling HTTPS or SSH here exposes management services on a data-plane interface in the client zone, so restrict the profile's Permitted IP Addresses to the hosts that actually need them.
    11. Click OK.
  12. Configure the other orphan port on node 2, Slot 2, node2:ethernet2/19, using IP address 4.1.2.1/24 for the interface that faces the server. Create a different Security zone. The grey path in the example topology is configured.
  13. Configure the AE interface (MC-LAG) for the client-facing interface on Node 1.
    1. Select Network > Interfaces > Cluster Ethernet and Add Aggregate Group.
    2. For Interface Name, next to ae, enter the interface number (in this example, 1).
    3. Select Interface Type as Layer3.
    4. On the Config tab, select the same Logical Router.
    5. Select the Security Zone.
    6. Click OK.
    7. Select IPv4, select the Type as Static, and Add the IPv4 address with netmask (4.1.7.1/24 in this example).
    8. (Optional) Configure LACP settings if you want to enable LACP for the aggregate group.
    9. Select the Advanced tab and then the Other Info tab.
    10. For Management Profile, create a new Interface Management profile to allow access to the interface. Select the services allowed and click OK.
    11. Click OK.
  14. Configure the AE interface (MC-LAG) for the server-facing interface on Node 1. Follow substeps similar to those in the prior step, but configure AE2, add the IP address (4.1.8.1/24), select the same logical router, and use a server Security zone.
  15. Add an interface member to the MC-LAG on the client side.
    1. Select Network > Interfaces > Cluster Ethernet and Add Interface.
    2. On the Cluster Ethernet Interface, select the Node ID Node 1.
    3. Select the Slot (Slot 2).
    4. Select the Interface Name, for example, node1:ethernet2/1.
    5. Select the Interface Type as Aggregate Ethernet.
    6. Select the Aggregate Group, such as ae1.
    7. Click OK.
  16. Add a second interface member to the MC-LAG on the client side, assigning Node ID as Node 2, Slot 2, node2:ethernet2/11. Select the same Aggregate Group (ae1).
  17. Add an interface member to the MC-LAG on the server side. Select Node 1, Slot 4, node1:ethernet4/16. Select the Aggregate Group ae2.
  18. Add a second interface member to the MC-LAG on the server side, assigning it to Node 2, Slot 6, node2:ethernet6/16. Select the same Aggregate Group (ae2).
  19. Create Security policy rules.
    1. Select Policies and select the Device Group.
    2. Create Security policy rules to control access, such as allowing a specific source zone, destination zone, address, user, device, application, and service.
  20. Configure routing and other features your firewalls require (except for HA, which the NGFW cluster replaces for node redundancy). Refer to the PAN-OS Administrator's Guide and the PAN-OS Networking Administrator's Guide.
  21. Configure system monitoring for the NGFW cluster.
    1. Select Panorama > Firewall Clusters > Summary View and select a cluster or a single firewall in the cluster.
    2. Select System Monitoring.
    3. Select the State Upon Capacity Loss:
      • degraded—Specifies that the firewall will be in a DEGRADED state if the count of functional network cards or data processing cards goes below the configured Minimum Network Cards or Minimum Data Processing Cards, respectively. Furthermore:
        • A cluster node in DEGRADED state has its traffic ports down but is still part of the sharded (fragmented) member table.
        • Data processing card resources of a DEGRADED cluster node can still be used to process traffic and for Layer 7 processing.
        • A cluster node in INIT or ONLINE state transitions to DEGRADED state when a soft fault is reported to the cluster node state machine.
        • A cluster node in ONLINE state transitions to DEGRADED state (and a node in DEGRADED state remains in DEGRADED state) if you suspend the cluster node after a delay (using the CLI operational command request cluster node state suspend). The delay allows the data planes to gracefully complete Layer 7 processing or other work that was underway.
        • If all soft faults are cleared, the cluster node transitions to INIT state.
        • If a hard fault occurs, a cluster node in DEGRADED state transitions to FAILED state.
        • A cluster node in DEGRADED state transitions to SUSPENDED state if the maximum number of state flaps is seen or you suspend the cluster node.
        • If a chassis has no functional data processing cards remaining (all DPC slots are powered off or in a FAILED state), the cluster node state will be FAILED even if you configured degraded, because having no functional DPC is a hard fault.
      • failed—Specifies that the firewall will be in a FAILED state if the count of functional network cards or data processing cards goes below the configured Minimum Network Cards or Minimum Data Processing Cards, respectively. Furthermore:
        • A cluster node in FAILED state has its traffic ports down and isn't part of the sharded member table.
        • Data processing card resources of a FAILED cluster node can't be used to process traffic or for Layer 7 processing.
        • A cluster node in INIT, ONLINE, or DEGRADED state transitions to FAILED state when a hard fault is reported to the cluster node state machine.
        • A cluster node in FAILED state transitions to INIT state if all hard faults are cleared.
        • A cluster node in FAILED state transitions to SUSPENDED state if the maximum number of state flaps is seen or you suspend the cluster node.
      NGFW Clusters provides the list of hard faults and soft faults.
    4. In the Minimum Chassis Capacity Required section, enter the Minimum Network Cards required; the range is 1 to 7 and the default is 1. When fewer Network Cards than the configured value are functional, the firewall in the cluster goes to the State Upon Capacity Loss that you configured (degraded or failed).
    5. Enter the Minimum Data Processing Cards required; the range is 1 to 7 and the default is 1. When fewer Data Processing Cards than the configured value are functional, the firewall in the cluster goes to the State Upon Capacity Loss that you configured (degraded or failed).
    6. Click OK.
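The transition rules above are easier to reason about when you can feed them a card inventory and a fault set and see which state comes out under each State Upon Capacity Loss setting. The following is an added example, not Palo Alto Networks code and not a description of the PAN-OS implementation: it models only the transitions the step lists. The fault names, the flap limit, and the choice to send a suspended INIT node straight to SUSPENDED are assumptions made for the example; the real hard-fault and soft-fault lists are in NGFW Clusters, and INIT to ONLINE (cluster join) is not described on this page and so is not modelled.

```python
from dataclasses import dataclass, field

INIT, ONLINE, DEGRADED, FAILED, SUSPENDED = "INIT", "ONLINE", "DEGRADED", "FAILED", "SUSPENDED"


@dataclass
class Monitoring:
    """The System Monitoring settings from the procedure."""
    state_upon_capacity_loss: str = "degraded"  # "degraded" or "failed", as in the GUI
    min_network_cards: int = 1                  # range 1-7, default 1
    min_dpcs: int = 1                           # range 1-7, default 1


@dataclass
class Health:
    """One observation of a chassis. Fault names are constructed for the example."""
    functional_network_cards: int
    functional_dpcs: int
    hard_faults: set = field(default_factory=set)
    soft_faults: set = field(default_factory=set)


def classify_faults(cfg, health):
    """Return (hard, soft) fault sets after adding the capacity-derived faults.
    No functional DPC is always a hard fault; any other shortfall below the
    configured minimums takes the severity of State Upon Capacity Loss."""
    hard, soft = set(health.hard_faults), set(health.soft_faults)
    if health.functional_dpcs == 0:
        hard.add("no-functional-dpc")
    else:
        shortfall = set()
        if health.functional_network_cards < cfg.min_network_cards:
            shortfall.add("network-card-capacity")
        if health.functional_dpcs < cfg.min_dpcs:
            shortfall.add("dpc-capacity")
        target = hard if cfg.state_upon_capacity_loss.upper() == FAILED else soft
        target.update(shortfall)
    return hard, soft


def next_state(current, cfg, health, suspend=False, flaps=0, max_flaps=5):
    """Apply the listed transition rules once. `max_flaps` is an assumed limit;
    the page does not state the real threshold."""
    if current == SUSPENDED:
        return SUSPENDED  # left only by operator action, which is not modelled
    hard, soft = classify_faults(cfg, health)
    if suspend:
        # Delayed suspend: an ONLINE node goes DEGRADED first so L7 work can
        # drain; a DEGRADED or FAILED node (and, by assumption, INIT) goes
        # straight to SUSPENDED.
        return DEGRADED if current == ONLINE else SUSPENDED
    if current in (DEGRADED, FAILED) and flaps >= max_flaps:
        return SUSPENDED
    if hard:
        return FAILED           # INIT, ONLINE or DEGRADED -> FAILED on a hard fault
    if current == FAILED:
        return INIT             # all hard faults cleared
    if soft:
        return DEGRADED         # INIT or ONLINE -> DEGRADED on a soft fault
    if current == DEGRADED:
        return INIT             # all soft faults cleared
    return current


def trace(cfg, start, observations):
    """Feed a sequence of (Health, suspend) observations and return every state visited."""
    states, cur = [start], start
    for health, suspend in observations:
        cur = next_state(cur, cfg, health, suspend=suspend)
        states.append(cur)
    return states


if __name__ == "__main__":
    degraded_cfg, failed_cfg = Monitoring(), Monitoring(state_upon_capacity_loss="failed")
    healthy, lost_nc, no_dpc = Health(2, 2), Health(0, 2), Health(2, 0)
    print("lose all network cards, degraded:", next_state(ONLINE, degraded_cfg, lost_nc))
    print("lose all network cards, failed:  ", next_state(ONLINE, failed_cfg, lost_nc))
    print("lose all DPCs, degraded:         ", next_state(ONLINE, degraded_cfg, no_dpc))
    print("recover then suspend:", trace(degraded_cfg, ONLINE, [(lost_nc, False), (healthy, False), (healthy, True)]))
```

The two settings differ only in how a capacity shortfall is classified, which is why the no-DPC case ends in FAILED under both: it is a hard fault regardless of the setting, and a node with no DPCs has nothing left to process traffic with.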
  22. (Optional) Configure Log Forwarding for the PA-7500 Series firewall.
  23. Push the configuration from Panorama to the PA-7500 Series firewalls in the cluster.
    1. Select Commit > Commit and Push, and Commit.
    2. Select Commit > Push to Devices, select Push All Changes, select the cluster, and Push the configuration to both nodes.
  24. View NGFW cluster information for an individual firewall on its Dashboard.
    1. Log in to an individual PA-7500 Series firewall (not Panorama).
    2. Select Dashboard and, for Widgets, select System > Firewall Cluster to view the Firewall Cluster card, which displays the Cluster Name and Node ID.
  25. View NGFW Cluster Summary and Monitoring information and health for the cluster.
