palab

Small office requirement

  1. Set up PaloAlto1 and PaloAlto2 as an active/passive HA pair.
  2. Set up SW5 and SW6 as HSRP routers, with VLAN 100 facing the external side and VLAN 10 facing the internal side.
  3. Run HSRP for VLAN 10 and VLAN 100.
  4. SW4 is a pure layer 2 switch.
  5. The PaloAlto HA pair must provide NAT for internet access.

Configuration will be done from Win7; R is an out-of-band switch used for managing the devices.

Palo Alto limitation

The VM edition of PA has some limitations compared to its appliance counterpart.

  1. The VM does not support aggregate Ethernet groups (LACP).
  2. It does not support multi-vsys.
  3. It only supports active-passive HA.
  4. It only has HA1 (the control link) and lacks the HA2 data link that the appliance has.

PaloAlto1 and 2 mgmt interface

[screenshot: defaultpa1]

Both firewalls will have the same mgmt IP address, as shown above. The first step is to set the mgmt interface and then use the web user interface for the rest of the configuration. Palo Alto has a very well designed web user interface, which makes configuration much easier than its command line counterpart.

[screenshot: defaultpa2]

Do the same for PaloAlto2:

[screenshot: defaultpa3]

Configuring Palo Alto active-passive failover

Assign eth1/1 and eth1/2 for HA.

Go to Network > Interfaces, then click on eth1/1.

[screenshot: ha1]

Then click on eth1/2 and select HA. The end result looks like below.

[screenshot: ha2]

Then configure HA by clicking on Device > High Availability.

[screenshot: ha3]

Click on the “gear” icon on Setup.

[screenshot: ha4]

Set the group ID to 1; both peers must be in the same group.

[screenshot: ha5]

The default HA1 port is the management port; however, for this scenario the port has to be changed to eth1/1, and eth1/2 will be the backup port.

[screenshots: ha6, ha7, ha8, ha9]

I want PaloAlto1 to be the active firewall in the HA setup. The lower priority value wins the active election; if both firewalls have the same priority, the lowest MAC address will be elected.

[screenshots: ha10, ha11]

Similar steps apply to PaloAlto2, with some slight differences: the HA1 and HA1 backup IP addresses are its own, and the election settings priority is left at the default. Preemptive has to be enabled on both the active and the passive firewall for the active role to be taken over.

[screenshots: ha12, ha13]

We can verify the HA configuration by going to the Dashboard and enabling the High Availability widget.

[screenshots: ha14, ha15, ha16, ha17]

As shown above, the HA pair has been established successfully.

Setting up routing for PaloAlto1 and 2

The configuration is done only on PaloAlto1 which is the active firewall.

Define which interfaces are Layer 3.

Network > Virtual Routers

[screenshot: vr1]

Before creating the virtual router, you need to assign the interfaces as Layer 3.

[screenshots: eth1-3, eth1-4, eth1, eth1-4-1]

Select eth1/3 and create a subinterface for VLAN 100. This subinterface will be the gateway for VLAN 100, which is the transit network.

[screenshots: eth1-3-1, eth1-3-2, eth1-3-3, network1]

Create a virtual router and add the Layer 3 interfaces assigned just now.

[screenshot: add interfaces]

We need two static routes: the first is a default route going towards the internet, and the other is a southbound route towards Win8.

[screenshots: vr3, vr5, vr7a, vr7n]

Defining zones

Make eth1/3 the intranet zone and eth1/4 the internet zone.

[screenshots: zones1, zones3, zones5]

Set up NAT for 192.168.x.x to reach the internet

Click on Policies > NAT.

[screenshots: nat2, nat3, nat4, nat5]

Commit all the changes.

[screenshot: commit1]
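As an added example (not from the original post), here is the same PaloAlto1 build expressed as PAN-OS CLI `set` commands, which is handy for reviewing or diffing the config rather than reading screenshots. The IP addresses, route and rule names, and the zone-to-subinterface mapping are assumptions, since the post shows them only in screenshots; lines starting with `#` are annotations, not CLI input, and the command hierarchy should be checked with tab completion on the box before committing.

```text
# PaloAlto1 (priority 100, becomes active). PaloAlto2 uses the same commands
# with its own HA1 / HA1-backup addresses, peer-ip swapped and default priority.
# All addresses are constructed placeholders, not values from the post.
set network interface ethernet ethernet1/1 ha
set network interface ethernet ethernet1/2 ha
set deviceconfig high-availability enabled yes
set deviceconfig high-availability group group-id 1
set deviceconfig high-availability group mode active-passive
set deviceconfig high-availability group peer-ip 10.255.0.2
set deviceconfig high-availability group election-option priority 100
set deviceconfig high-availability group election-option preemptive yes
set deviceconfig high-availability interface ha1 port ethernet1/1
set deviceconfig high-availability interface ha1 ip-address 10.255.0.1
set deviceconfig high-availability interface ha1 netmask 255.255.255.252
set deviceconfig high-availability interface ha1-backup port ethernet1/2
set deviceconfig high-availability interface ha1-backup ip-address 10.255.1.1
set deviceconfig high-availability interface ha1-backup netmask 255.255.255.252

# Layer 3: eth1/3.100 is the VLAN 100 transit gateway, eth1/4 faces the internet
set network interface ethernet ethernet1/3 layer3 units ethernet1/3.100 tag 100
set network interface ethernet ethernet1/3 layer3 units ethernet1/3.100 ip 192.168.100.1/24
set network interface ethernet ethernet1/4 layer3 ip 203.0.113.2/24

# Virtual router: default route north, southbound route towards Win8 via the HSRP VIP
set network virtual-router default interface [ ethernet1/3.100 ethernet1/4 ]
set network virtual-router default routing-table ip static-route to-internet destination 0.0.0.0/0
set network virtual-router default routing-table ip static-route to-internet nexthop ip-address 203.0.113.1
set network virtual-router default routing-table ip static-route to-internet interface ethernet1/4
set network virtual-router default routing-table ip static-route to-win8 destination 192.168.10.0/24
set network virtual-router default routing-table ip static-route to-win8 nexthop ip-address 192.168.100.2
set network virtual-router default routing-table ip static-route to-win8 interface ethernet1/3.100

# Zones
set zone intranet network layer3 ethernet1/3.100
set zone internet network layer3 ethernet1/4

# Source NAT (PAT) limited to 192.168.x.x going intranet -> internet,
# hidden behind the eth1/4 address; nothing else is translated.
set rulebase nat rules outbound-nat from intranet to internet
set rulebase nat rules outbound-nat source 192.168.0.0/16 destination any service any
set rulebase nat rules outbound-nat to-interface ethernet1/4
set rulebase nat rules outbound-nat source-translation dynamic-ip-and-port interface-address interface ethernet1/4
commit
```

After the commit, `show high-availability state` on either peer confirms the local and peer states and whether the running configuration is synchronised, which is the CLI equivalent of the dashboard widget used above.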
