Configure Active/Passive HA on AWS

  1. Make sure that you have followed the prerequisites.
    For deploying a pair of VM-Series firewalls in HA in the AWS cloud, you must ensure the following:
    • Select the IAM role you created when launching the VM-Series firewall on an EC2 instance; you cannot assign the role to an instance that is already running. See IAM Roles for HA.
      For detailed instructions on creating an IAM role, defining which accounts or AWS services can assume the role, and defining which API actions and resources the application can use upon assuming the role, refer to the AWS documentation.
    • The active firewall in the HA pair must have at a minimum three ENIs: two dataplane interfaces and one management interface.
      The passive firewall in the HA pair must have one ENI for management and one ENI that functions as a dataplane interface; you will configure that dataplane interface as the HA2 interface.
      Do not attach additional dataplane interfaces to the passive firewall in the HA pair. On failover, the dataplane interfaces of the previously active firewall are moved (detached and then attached) to the now active, previously passive, firewall. The firewall makes this move through AWS API calls, which is why the IAM role in the first bullet must be in place.
    • The HA peers must be deployed in the same AWS availability zone.
  2. Launch the VM-Series Firewall on AWS.
    IMPORTANT: If you are using the PAN-OS 8.0 AMI to deploy the VM-Series firewall on AWS, you must upgrade to 8.0.1 before you configure HA.
    1. Select Device > Software and click Check Now to retrieve the list of available updates.
    2. Download PAN-OS 8.0.1 (or later) version to upgrade.
    3. Install the update.
    4. After the installation successfully completes, reboot using one of the following methods:
      1. If you are prompted to reboot, click Yes.
      2. If you are not prompted to reboot, select Device > Setup > Operations and click Reboot Device in the Device Operations section.
  3. Enable HA.
    1. Select Device > High Availability > General and edit the Setup section.
    2. Select Enable HA.
  4. Configure ethernet1/1 as an HA interface. On AWS this interface carries the HA2 (data link) traffic.
    1. Select Network > Interfaces.
    2. Confirm that the link state is up on ethernet1/1.
    3. Click the link for ethernet1/1 and set the Interface Type to HA.
  5. Set up the Control Link (HA1) to use the management port.
    1. Select Device > High Availability > General and edit the Control Link (HA1) section.
    2. (Optional) Select Encryption Enabled, for secure HA communication between the peers. To enable encryption, you must export the HA key from a device and import it into the peer device.
      1. Select Device > Certificate Management > Certificates.
      2. Select Export HA key and save the HA key to a location that the peer device can access.
      3. On the peer device, select Device > Certificate Management > Certificates, select Import HA key, browse to the saved key, and import it.
  6. Set up the Data Link (HA2) to use ethernet1/1.
    1. Select Device > High Availability > General and edit the Data Link (HA2) section.
    2. Select Port ethernet1/1.
    3. Enter the IP address for ethernet1/1. This must be the same address that is assigned to the corresponding ENI on the EC2 Dashboard.
    4. Enter the Netmask.
    5. Enter a Gateway IP address if the HA2 interfaces of the two peers are on separate subnets.
    6. Select IP or UDP for Transport. IP uses Layer 3 transport with IP protocol number 99 and checksums only the header; UDP (port 29281) has the firewall compute the checksum over the entire packet.
    7. (Optional) Modify the Threshold for HA2 Keep-alive packets. By default, HA2 Keep-alive is enabled for monitoring the HA2 data link between the peers. If a failure occurs and this threshold (default 10000 ms) is exceeded, the configured Action (Log Only, the default, or Split Datapath) is taken, and a critical system log message is generated.
      You can configure the HA2 keep-alive option on both devices, or just one device in the HA pair. If you enable this option on one device, only that device will send the keep-alive messages.
  7. Set the device priority and enable preemption.
    Use this setting if you want to make sure that a specific device is the preferred active device. For information, see Device Priority and Preemption.
    1. Select Device > High Availability > General and edit the Election Settings section.
    2. Set the numerical value in Device Priority. Make sure to set a lower numerical value on the device that you want to assign a higher priority to.
      If both firewalls have the same device priority value, the firewall with the lowest MAC address on the HA1 control link will become the active device.
    3. Select Preemptive.
      You must enable preemptive on both the active and the passive device.
    4. Modify the failover timers. By default, the HA timer profile is set to the Recommended profile and is suited for most HA deployments.
  8. (Optional) Modify the wait time before a failover is triggered.
    1. Select Device > High Availability > General and edit the Active/Passive Settings section.
    2. Modify the Monitor fail hold up time to a value between 1-60 minutes; default is 1 minute. This is the time interval during which the firewall will remain active following a link failure. Use this setting to avoid an HA failover triggered by the occasional flapping of neighboring devices.
  9. Configure the IP address of the HA peer.
    1. Select Device > High Availability > General and edit the Setup section.
    2. Enter the IP address of the HA1 port on the peer. This is the IP address assigned to the management interface (ethernet 0/0) of the other firewall, which also serves as its HA1 link.
    3. Set the Group ID to a number between 1 and 63. This value is not used on the VM-Series firewall on AWS, but you cannot leave the field blank.
  10. Configure the other peer.
    Repeat steps 3 to 9 on the HA peer.
  11. After you finish configuring both devices, verify that the devices are paired in active/passive HA.
    1. Access the Dashboard on both devices, and view the High Availability widget.
    2. On the active device, click the Sync to peer link.
    3. Confirm that the devices are paired and synced, as shown below:
      • On the passive device: The state of the local device should display passive and the configuration is synchronized.
      • On the active device: The state of the local device should display active and the configuration is synchronized.
  12. Verify that failover occurs properly.
    1. Shut down the active HA peer.
      1. On the EC2 Dashboard, select Instances.
      2. From the list, select the VM-Series firewall and click Actions > Stop.
    2. Check that the passive peer assumes the role of the active peer and that the dataplane interfaces have moved over to the now active HA peer.
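The script below is an added example, not code from Palo Alto Networks or AWS. It checks the step 1 topology prerequisites (ENI counts per peer, IAM instance profile present, same availability zone) and the step 12 failover result (the dataplane ENIs, device index 2 and above, now attached to the surviving peer) from the JSON that the real AWS CLI commands `aws ec2 describe-instances` and `aws ec2 describe-network-interfaces` return. It also checks an IAM policy document for the EC2 actions that the detach-and-attach failover mechanism needs; that action list is an assumption derived from the mechanism as described above, not the vendor's published policy. All instance IDs, ENI IDs, the account number and the before/after snapshots are constructed sample data.

```python
"""Checks for a VM-Series active/passive pair on AWS (added example, not
Palo Alto Networks code). It reads the JSON returned by the real AWS CLI
commands `aws ec2 describe-instances` and `aws ec2 describe-network-interfaces`;
every instance, ENI and account identifier below is constructed sample data."""
import fnmatch
import json
import subprocess
import sys

# EC2 actions the firewall's IAM role needs for the failover mechanism the
# procedure describes (detach the dataplane ENIs from the failed peer, attach
# them to the survivor). An assumption derived from that mechanism, not the
# vendor's published policy.
REQUIRED_ACTIONS = {"ec2:DescribeInstances", "ec2:DescribeNetworkInterfaces",
                    "ec2:AttachNetworkInterface", "ec2:DetachNetworkInterface"}
HA2_INDEX = 1  # eth0 = management (HA1), eth1 = ethernet1/1 (HA2)


def missing_actions(policy):
    """Required actions that no Allow statement grants. IAM wildcards (ec2:*,
    *) are honoured, so a passing policy may still be far broader than needed."""
    granted = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow":
            acts = stmt.get("Action", [])
            granted += [acts] if isinstance(acts, str) else list(acts)
    return {a for a in REQUIRED_ACTIONS
            if not any(fnmatch.fnmatch(a, g) for g in granted)}


def enis_by_instance(network_interfaces):
    """instance-id -> {device-index: eni-id}, attached ENIs only."""
    out = {}
    for eni in network_interfaces:
        att = eni.get("Attachment") or {}
        if att.get("InstanceId"):
            out.setdefault(att["InstanceId"], {})[att["DeviceIndex"]] = eni["NetworkInterfaceId"]
    return out


def check_prerequisites(instances, network_interfaces, active_id, passive_id):
    """Problems with the step 1 prerequisites; an empty list means they hold."""
    problems = []
    by_id = {i["InstanceId"]: i for i in instances}
    enis = enis_by_instance(network_interfaces)
    n_active, n_passive = len(enis.get(active_id, {})), len(enis.get(passive_id, {}))
    if n_active < 3:
        problems.append(f"{active_id}: needs >= 3 ENIs (mgmt + 2 dataplane), has {n_active}")
    if n_passive != 2:
        problems.append(f"{passive_id}: needs exactly 2 ENIs (mgmt + HA2), has {n_passive}")
    for iid in (active_id, passive_id):
        if iid not in by_id:
            problems.append(f"{iid}: instance not found")
        elif not by_id[iid].get("IamInstanceProfile"):
            problems.append(f"{iid}: no IAM instance profile attached")
    zones = {by_id[i]["Placement"]["AvailabilityZone"]
             for i in (active_id, passive_id) if i in by_id}
    if len(zones) > 1:
        problems.append(f"peers are in different availability zones: {sorted(zones)}")
    return problems


def dataplane_enis_moved(before, after, old_active, new_active):
    """True when every dataplane ENI (device index above HA2) that was on
    old_active before the failover is attached to new_active afterwards."""
    was = enis_by_instance(before).get(old_active, {})
    now = enis_by_instance(after).get(new_active, {})
    to_move = {eni for idx, eni in was.items() if idx > HA2_INDEX}
    return bool(to_move) and to_move <= set(now.values())


def _eni(eni_id, instance_id, index):  # one constructed describe-network-interfaces entry
    return {"NetworkInterfaceId": eni_id,
            "Attachment": {"InstanceId": instance_id, "DeviceIndex": index}}


SAMPLE_INSTANCES = [{"InstanceId": i, "Placement": {"AvailabilityZone": "us-east-1a"},
                     "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/fw"}}
                    for i in ("i-0active", "i-0passive")]
SAMPLE_BEFORE = [_eni("eni-mgmt-a", "i-0active", 0), _eni("eni-ha2-a", "i-0active", 1),
                 _eni("eni-untrust", "i-0active", 2), _eni("eni-trust", "i-0active", 3),
                 _eni("eni-mgmt-b", "i-0passive", 0), _eni("eni-ha2-b", "i-0passive", 1)]
# After a correct failover only the index >= 2 ENIs have moved to the passive.
SAMPLE_AFTER = [_eni(e["NetworkInterfaceId"], "i-0passive", e["Attachment"]["DeviceIndex"])
                if e["Attachment"]["DeviceIndex"] > HA2_INDEX else e for e in SAMPLE_BEFORE]


if __name__ == "__main__":  # usage: python3 ha_checks.py <active-instance-id> <passive-instance-id>
    active, passive = sys.argv[1:3]
    aws = lambda *a: json.loads(subprocess.check_output(["aws", "ec2", *a, "--output", "json"]))
    instances = [i for r in aws("describe-instances", "--instance-ids", active, passive)["Reservations"]
                 for i in r["Instances"]]
    enis = aws("describe-network-interfaces")["NetworkInterfaces"]
    print("\n".join(check_prerequisites(instances, enis, active, passive) or ["prerequisites OK"]))
```

Run it with the two instance IDs before enabling HA, and again after stopping the active peer by feeding `dataplane_enis_moved` a `describe-network-interfaces` snapshot taken before the stop and one taken after. Note that `missing_actions` deliberately accepts `ec2:*`; treat a wildcard grant as a finding, since the role only needs the four actions listed.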

Related Documentation