Create a Clustered Palo Alto Networks VM-Series Firewall VNF

Clustering allows Network Edge users to create a locally redundant configuration in which two devices run as an active-standby pair, so that certain activities are carried out as a single unit. This topic explains how to create a clustered Palo Alto Networks VM-Series Firewall. See Create a Palo Alto Networks VM-Series Firewall VNF for more details.

The Palo Alto Networks VM-Series firewall Cluster option requires you to bring your own license (BYOL).

Important: If one or more devices in your cluster have to be deleted and re-created, each re-created device will have a new UUID. Manual intervention is necessary: you will have to associate the new UUID with your existing license.

To create a clustered Palo Alto Networks VM-Series firewall:

  1. Sign in to the Network Edge Marketplace. If the Identity and Access Management (IAM) feature is enabled for your account, make sure to switch to the intended Project Name/ID before proceeding to the device creation workflow.
  2. Click Select and Continue on the Palo Alto Networks VM-Series Firewall card to start device creation.

    Note: Click View Details on the card to see a preview of the configuration options available for this virtual device.
  3. In the Select Deployment Type section, select Cluster.

  4. In the Select Edge Device Location section, click a location.

  5. In the Account section, select a billing account from the Your accounts in this metro drop-down.

    Note: Metro selection is linked to your billing account country. For example, if you select Silicon Valley as the deployment metro, you will need to have a billing account in the United States. If you need to deploy the VNF to a different metro such as Tokyo, you need to create a billing account in Japan.

    If you do not have a billing account for the selected metro, a message will display.

    To create a billing account, click Go to Account Management, and then click Create New Billing Account. Without selecting an account, you will not be able to create your device. For more information, see Billing Account Management.

  6. In the Connectivity Type section, select either With Equinix Public IP Address or Without Equinix Public IP Address. For more information, see the Connectivity Type section to determine which connectivity type is right for your deployment.

    Note: The Connectivity Type option is only available when provisioning a new device. It can't be enabled for devices provisioned before the 2023.4 release.
  7. In the Licensing section, enter an Auth Code in the Bring Your Own License card if your Connectivity type is With Equinix Public IP Address. If your Connectivity type is Without Equinix Public IP Address, the Auth Code needs to be applied manually using CLI or through a device management application such as Panorama after the device is provisioned.

    Clustered device licensing options for the Palo Alto Networks VM-Series firewall virtual device:

    With Equinix Public IP Address: Auth Codes for both the Primary and Secondary nodes must be generated before the clustered device is created. The codes are applied automatically during device provisioning, so you do not need to apply licenses manually. A missing or invalid Auth Code results in provisioning failure.

    Without Equinix Public IP Address: An identical Auth Code for the Primary and Secondary nodes is generated after the device creation flow. To generate it you need the CPU ID and UUID of each VNF, and you must apply the license manually after the devices are provisioned. See the License Registration for Cluster Devices section for more information.
    Note: Both devices need to be licensed when the Cluster deployment option is selected, and the license on both devices must match.

  8. In the Device Resources section, select the virtual machine resource type, along with Software Package and Software Version. See Palo Alto Networks VNF Specifications for more information.

  9. In the Create Cluster section, enter a Cluster Name to be used in the Network Edge portal.

  10. In the Device Details section, enter:

    • Device Name – Enter a name for the device to be used in the Fabric portal.
    • Primary Host Name Prefix – Enter a host name prefix for the primary VNF.
    • Secondary Host Name Prefix – Enter a host name prefix for the secondary VNF.
  11. In the Interfaces section, keep the default number of interfaces available on the VNF. If you select the With Equinix Public IP Address connectivity option, you can automatically map the WAN/SSH interface to the next available interface, or manually select a specific interface for WAN/SSH use. The WAN/SSH interface provides Internet access. With the Without Equinix Public IP Address option, there is no WAN/SSH interface available for mapping.

  12. In the Device Status Notifications box, enter the email addresses of anyone who should receive email notifications regarding device status.

    Note: We strongly recommend adding multiple email addresses so that more than one user receives notifications for this device.

  13. (Optional) In the Optional Details box, enter the Purchase Order Number and Order Reference/Identifier.
  14. In the Term Length drop-down menu, select a term length.
  15. Click Next: Additional Services to add additional services. The available options depend on the connectivity type:

    Configuration                   With Equinix Public IP Address   Without Equinix Public IP Address
    Add User                        Yes                              Yes
    SSH RSA Public Keys             Yes                              Optional
    Access Control List Template    Yes                              N/A (no WAN/MGMT interface)
    Additional Internet Bandwidth   Yes                              N/A (no WAN interface)

    • Add User – Enter a user name for SSH and Web-Console access.

    • SSH RSA Public Keys – For SSH access, select an existing RSA public key from the list or add a new RSA public key (required with Equinix Public IP Address, optional without). See Network Edge Device Access for more information about generating an RSA public key.

    • Access Control List Template – Select an access control list (ACL) template. This template is applied to the gateway interface connected to the WAN/SSH interface of your VNF; ACL templates control inbound communication from the Internet. For more information, see the ACL documentation. This option is available only with the With Equinix Public IP Address connectivity option.

    Note: By default, only the communication required for initial bootstrap (DNS, NTP, license server communication, SD-WAN controller communication, etc.) is allowed, so that the initial VNF configuration can complete. Any additional protocol, such as SSH for management access, stays blocked from the Internet until you intentionally permit it with an ACL template (Custom ACL). If you need to create a template to apply to your device, click Create Access Control List Template. See Configure Access Controls on Virtual Devices for more information.

    • Additional Internet Bandwidth – Add between 25 and 5000 Mbps of additional Internet bandwidth (for a fee). 15 Mbps of Internet bandwidth is included in the package by default. This option is available only with the With Equinix Public IP Address connectivity option.
  16. Click Next: Review.
  17. In the Terms & Conditions box, click Review and Accept Order Terms.
  18. Select I have read and understand these terms and click Accept.
  19. Click Create Virtual Device.

Important: When the With Equinix Public IP Address connectivity option is selected, your device is assigned an external IP address for reachability. If you later change that interface configuration on the device, you could experience connectivity issues.

Note: When connecting clustered devices using Device Linking, the HA Group IDs must be unique on each cluster.

Cluster Setup Configuration After Device Provisioning

The way Network Edge provisions Cluster devices differs by connectivity option. Read this section carefully to understand the steps required to configure both the primary and secondary devices as Cluster nodes.

Both Connectivity options (With or Without Equinix Public IP Address) come with links between the primary and secondary node after the initial device provisioning. Those links are used for heartbeat communication and are required for Cluster deployment.

The following table summarizes configuration details based on connectivity type.

Internal HA Connection
  With Equinix Public IP Address: By default, GigabitEthernet 8 and 9 are automatically configured for the HA connection. You cannot change this configuration, and there is no need to connect the primary and secondary devices using Device Linking.
  Without Equinix Public IP Address: Select any two interfaces for heartbeat communication. The interface number must match between the primary and secondary devices; for example, if GigabitEthernet 5 is configured for the first HA connection on the primary node, GigabitEthernet 5 must also be configured on the secondary node. You need to allocate two interfaces per node for the HA connection.

Internal HA Configuration
  With Equinix Public IP Address: All configuration required to form the cluster between the two devices is provisioned during the device provisioning phase. You are not required to issue any additional clustering configuration.
  Without Equinix Public IP Address: You are required to configure cluster settings on the two interfaces (links) described above. Sample configurations can be found in the section below.

Cluster Configuration required for Connectivity Option Without Equinix Public IP Address

If you select the connectivity option Without Equinix Public IP Address, you are responsible for configuring two interfaces on each node to form a cluster between the primary and secondary nodes. The following is a sample configuration using the Command Line Interface (CLI). Use the same <HA1_Interface> and <HA2_Interface> numbers and the same <Group_ID> on both nodes; the peer-ip on each node is the HA1 address of the other node; and give the primary node the lower device-priority value, because PAN-OS treats the lower value as the higher priority.

Sample configuration for Primary Node
set deviceconfig high-availability interface ha1 port ethernet1/<HA1_Interface>
set deviceconfig high-availability interface ha1 ip-address <Primary_HA1_IP>
set deviceconfig high-availability interface ha1 netmask <NETMASK>

set deviceconfig high-availability interface ha2 port ethernet1/<HA2_Interface>
set deviceconfig high-availability interface ha2 ip-address <Primary_HA2_IP>
set deviceconfig high-availability interface ha2 netmask <NETMASK>
set deviceconfig high-availability group group-id <Group_ID>
set deviceconfig high-availability group peer-ip <Secondary_HA1_IP>
set deviceconfig high-availability group election-option device-priority <Primary_Priority>
set deviceconfig high-availability group election-option timers recommended

set deviceconfig high-availability enabled yes
set network interface ethernet ethernet1/<HA1_Interface> ha
set network interface ethernet ethernet1/<HA2_Interface> ha
commit

 

Sample configuration for Secondary Node
set deviceconfig high-availability interface ha1 port ethernet1/<HA1_Interface>
set deviceconfig high-availability interface ha1 ip-address <Secondary_HA1_IP>
set deviceconfig high-availability interface ha1 netmask <NETMASK>

set deviceconfig high-availability interface ha2 port ethernet1/<HA2_Interface>
set deviceconfig high-availability interface ha2 ip-address <Secondary_HA2_IP>
set deviceconfig high-availability interface ha2 netmask <NETMASK>
set deviceconfig high-availability group group-id <Group_ID>
set deviceconfig high-availability group peer-ip <Primary_HA1_IP>
set deviceconfig high-availability group election-option device-priority <Secondary_Priority>
set deviceconfig high-availability group election-option timers recommended

set deviceconfig high-availability enabled yes
set network interface ethernet ethernet1/<HA1_Interface> ha
set network interface ethernet ethernet1/<HA2_Interface> ha
commit

After committing on both nodes, confirm that the pair has formed and that the primary node is active by running show high-availability state on each node. For a sample configuration using the Graphical User Interface (GUI) of the management software, see Configure HA Cluster in the Palo Alto Networks documentation.
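The two samples above must agree with each other on interface numbers, group ID and peer addresses, which is easy to get wrong when they are typed into two consoles separately. The following Python script is an added example, not Equinix or Palo Alto Networks code: it renders both nodes' set commands from a single description of the cluster and refuses to render a pair that is inconsistent. The interface numbers, addresses, group ID and priorities are constructed values; the lower-value-wins priority rule and the 1-63 group ID range are PAN-OS behaviour.

```python
"""Render and cross-check the PAN-OS HA 'set' commands for a two-node
Network Edge cluster deployed Without Equinix Public IP Address.

Added example, not Equinix or Palo Alto Networks code. The interface
numbers, addresses, group ID and priorities below are constructed.
"""
import dataclasses
import ipaddress
from typing import Dict, List


@dataclasses.dataclass(frozen=True)
class HaNode:
    name: str       # label for messages only
    ha1_ip: str     # this node's address on the HA1 (control) link
    ha2_ip: str     # this node's address on the HA2 (data) link
    priority: int   # PAN-OS election: the LOWER value wins the active role


@dataclasses.dataclass(frozen=True)
class HaCluster:
    ha1_if: int     # ethernet1/<HA1_Interface>; one number, used on both nodes
    ha2_if: int     # ethernet1/<HA2_Interface>; one number, used on both nodes
    netmask: str    # shared by both HA links in this example (e.g. a /30 each)
    group_id: int   # identical on both nodes, unique per cluster, 1-63
    primary: HaNode
    secondary: HaNode


def _network(ip: str, mask: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_interface(f"{ip}/{mask}").network


def validate(c: HaCluster) -> List[str]:
    """Return the consistency problems found; an empty list means the pair agrees."""
    problems = []
    if c.ha1_if == c.ha2_if:
        problems.append("HA1 and HA2 must use two different interfaces")
    if not 1 <= c.group_id <= 63:
        problems.append("group-id must be in the range 1-63")
    for link, a, b in (("ha1", c.primary.ha1_ip, c.secondary.ha1_ip),
                       ("ha2", c.primary.ha2_ip, c.secondary.ha2_ip)):
        if a == b:
            problems.append(f"{link}: both nodes use the same address {a}")
        elif _network(a, c.netmask) != _network(b, c.netmask):
            problems.append(f"{link}: {a} and {b} are not in one subnet")
    if _network(c.primary.ha1_ip, c.netmask) == _network(c.primary.ha2_ip, c.netmask):
        problems.append("HA1 and HA2 links must be in different subnets")
    for n in (c.primary, c.secondary):
        if not 0 <= n.priority <= 255:
            problems.append(f"{n.name}: device-priority must be 0-255")
    if c.primary.priority >= c.secondary.priority:
        problems.append("primary needs the lower device-priority value to be preferred active")
    return problems


def render_node(c: HaCluster, node: HaNode, peer: HaNode) -> List[str]:
    """PAN-OS set commands for one node, mirroring the sample configuration above."""
    ha = "set deviceconfig high-availability"
    return [
        f"{ha} interface ha1 port ethernet1/{c.ha1_if}",
        f"{ha} interface ha1 ip-address {node.ha1_ip}",
        f"{ha} interface ha1 netmask {c.netmask}",
        f"{ha} interface ha2 port ethernet1/{c.ha2_if}",
        f"{ha} interface ha2 ip-address {node.ha2_ip}",
        f"{ha} interface ha2 netmask {c.netmask}",
        f"{ha} group group-id {c.group_id}",
        f"{ha} group peer-ip {peer.ha1_ip}",   # peer-ip is the OTHER node's HA1 address
        f"{ha} group election-option device-priority {node.priority}",
        f"{ha} group election-option timers recommended",
        f"{ha} enabled yes",
        f"set network interface ethernet ethernet1/{c.ha1_if} ha",
        f"set network interface ethernet ethernet1/{c.ha2_if} ha",
    ]


def render_pair(c: HaCluster) -> Dict[str, List[str]]:
    """Commands for both nodes; refuses to render an inconsistent pair."""
    problems = validate(c)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "primary": render_node(c, c.primary, c.secondary),
        "secondary": render_node(c, c.secondary, c.primary),
    }


# Constructed values: interfaces 5 and 6 on both nodes, two link-local /30s.
EXAMPLE = HaCluster(
    ha1_if=5, ha2_if=6, netmask="255.255.255.252", group_id=10,
    primary=HaNode("primary", "169.254.10.1", "169.254.20.1", priority=100),
    secondary=HaNode("secondary", "169.254.10.2", "169.254.20.2", priority=200),
)

if __name__ == "__main__":
    for role, commands in render_pair(EXAMPLE).items():
        print(f"# {role} node")
        print("\n".join(commands))
        print("commit\n")
```

Paste each rendered block into the matching node's configure mode and commit; the validator catches the mistakes that otherwise only surface as a pair that never leaves the non-functional state.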

License Registration for Cluster Devices

The following scenarios describe license registration for cluster deployments Without Equinix Public IP Address.

Scenario 1: Manage Firewall from Colocation (Offline License Registration)
Requirement
  • Management interface accessible only from the network connected to colocation space

  • Offline License registration

Deployment Flow
  1. Create a VM-Series firewall VNF Without Equinix Public IP Address in the Network Edge portal.

  2. Log in to primary and secondary VNF consoles with your user name and password.

  3. Create a virtual connection from the VNF to colocation on the first interface (management interface).

  4. Assign an IP address to the management interface on both VNFs.

  5. Confirm IP reachability from devices in the colocation space.

  6. Access the VNF using SSH from a device in the colocation space.

  7. Identify the CPU ID and UUID for the VNF.

  8. Access the Palo Alto Networks Customer Support Portal (License portal) and generate two identical licenses, one per VNF, each tied to that VNF's CPU ID and UUID.

  9. Apply the offline mode license to both VNFs.

  10. (Optional) You can manage the VNF from Panorama management software configured in the colocation space.

  11. Create the virtual connections to the Cloud Service Providers (CSPs) from the remaining interfaces.

  12. Continue to use offline device management for software updates.

 

Scenario 2: Manage Firewall from an NSP Network (Online License Registration)
Requirement
  • Management interface accessible from the NSP Virtual Connection or BYOC connected interface

  • Online License registration

Deployment Flow
  1. Create a VM-Series firewall VNF Without Equinix Public IP Address in the Network Edge portal.

  2. Log in to primary and secondary VNF consoles with your user name and password.

  3. Create a virtual connection from the VNF to the NSP on the first interface (management interface).

  4. Assign an IP address to the management interface on both VNFs.

  5. Confirm IP reachability from devices in the NSP network.

  6. Access the VNF using SSH from a device in the NSP network.

  7. Access the Palo Alto Networks Customer Support Portal (License portal) and generate a license and auth code for this VNF.

  8. Apply the identical Auth Code to both VNFs.

  9. (Optional) You can manage the VNF from Panorama management software configured in the NSP network.

  10. Create virtual connections to CSPs from the remaining interfaces.
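Step 7 of Scenario 1, and the Important note at the top of this page about re-created devices receiving a new UUID, both come down to reading vm-uuid and vm-cpuid from each node and comparing them with the identity the license was generated for. The following Python script is an added example, not Equinix or Palo Alto Networks code: it parses constructed, abridged show system info transcripts from both nodes, checks each node against a constructed license inventory, reports nodes that need re-association or licensing, and checks that the two nodes carry matching licenses. Only the field names follow PAN-OS VM-Series output.

```python
"""Read the licensing identifiers of both cluster nodes and check them
against the licence record before applying or re-associating a BYOL licence.

Added example, not Equinix or Palo Alto Networks code. The two abridged
'show system info' transcripts and the licence inventory are constructed;
only the field names (hostname, serial, vm-uuid, vm-cpuid, vm-license)
follow PAN-OS VM-Series output.
"""
import re
from typing import Dict

# Constructed transcripts, as captured over SSH from each node (abridged).
SHOW_SYSTEM_INFO: Dict[str, str] = {
    "primary": """\
hostname: ne-pa-primary
ip-address: 192.0.2.11
serial: 007000000000001
vm-uuid: 564D0A3B-1111-2222-3333-444455556666
vm-cpuid: ESX:F2060300FFFBAB1F
vm-license: VM-300
""",
    # The secondary was deleted and re-created, so its UUID changed and it
    # came back unlicensed (the case the Important note at the top warns about).
    "secondary": """\
hostname: ne-pa-secondary
ip-address: 192.0.2.12
serial: unknown
vm-uuid: 564D0A3B-AAAA-BBBB-CCCC-DDDDEEEEFFFF
vm-cpuid: ESX:F2060300FFFBAB1F
vm-license: none
""",
}

# Constructed licence inventory: the identity each licence was generated
# against in the Customer Support Portal, keyed by UUID.
LICENSE_INVENTORY: Dict[str, Dict[str, str]] = {
    "564D0A3B-1111-2222-3333-444455556666": {"cpuid": "ESX:F2060300FFFBAB1F", "auth_code": "I0000000"},
    "564D0A3B-7777-8888-9999-000011112222": {"cpuid": "ESX:F2060300FFFBAB1F", "auth_code": "I0000001"},
}

_FIELD = re.compile(r"^\s*([A-Za-z0-9-]+):\s*(.*?)\s*$")


def parse_system_info(text: str) -> Dict[str, str]:
    """Turn the 'key: value' lines of show system info into a dict."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = _FIELD.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def node_status(fields: Dict[str, str], inventory: Dict[str, Dict[str, str]]) -> str:
    """Classify one node against the inventory."""
    record = inventory.get(fields.get("vm-uuid", "").upper())
    if record is None:
        return "uuid-not-in-inventory"   # re-created device: associate the new UUID with the licence
    if record["cpuid"] != fields.get("vm-cpuid"):
        return "cpuid-mismatch"           # licence was generated for a different hardware identity
    if fields.get("vm-license", "none") == "none":
        return "unlicensed"               # known identity, licence not yet applied
    return "licensed"


def check_cluster(transcripts: Dict[str, str], inventory: Dict[str, Dict[str, str]]) -> dict:
    """Per-node status plus whether both nodes carry the same licence."""
    nodes = {}
    for role, text in transcripts.items():
        f = parse_system_info(text)
        nodes[role] = {
            "hostname": f.get("hostname", ""),
            "uuid": f.get("vm-uuid", ""),
            "cpuid": f.get("vm-cpuid", ""),
            "license": f.get("vm-license", "none"),
            "status": node_status(f, inventory),
        }
    licenses = {n["license"] for n in nodes.values()}
    return {"nodes": nodes, "license_match": len(licenses) == 1 and "none" not in licenses}


if __name__ == "__main__":
    report = check_cluster(SHOW_SYSTEM_INFO, LICENSE_INVENTORY)
    for role, n in report["nodes"].items():
        print(f"{role}: {n['hostname']} uuid={n['uuid']} cpuid={n['cpuid']} -> {n['status']}")
    print("licenses match:", report["license_match"])
```

Run it against the real transcripts before generating or applying licenses; a node reported as uuid-not-in-inventory is the case where the UUID must be re-associated in the support portal first, and license_match being false means the cluster does not yet satisfy the requirement that both devices carry the same license.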