
Creating a Palo Alto Networks Clustered VM-Series Firewall

If you are using the Panorama application to manage your device(s), you will need to enter the Panorama IP Address and Authentication Key during device creation. Panorama support is only offered for versions 10.1.12 and above.

The Palo Alto Networks VM-Series Firewall has three deployment options: Single, Redundant, and Clustered. The configuration options described below apply to Cluster configurations. Single and Redundant configuration options are described in Creating a VM-Series Firewall.

Connectivity Options

The way Network Edge provisions Cluster devices is different based on the Connectivity Options. Read this section carefully to understand the required steps to configure both primary and secondary devices as Cluster nodes.

Both Connectivity options (With or Without Equinix Public IP Address) come with links between the primary and secondary node after the initial device provisioning. Those links are used for heartbeat communication and are required for Cluster deployment.

The following table summarizes configuration details based on connectivity type.

Each row below gives the With Equinix Public IP Address option first and the Without Equinix Public IP Address option second.

Use Cases
  With Equinix Public IP Address: This option comes with Public IP Addresses from Equinix and does not require an additional Virtual Connection to manage the virtual device.
  Without Equinix Public IP Address: This option removes Equinix-sourced Public IP Address assignment and segregates the VNF from the Internet after device creation. It is recommended if the device needs to be managed by software running in the Colo cage or through a private virtual connection.

Internet Connectivity
  With Equinix Public IP Address: Public IP addresses from Equinix are assigned to the following interfaces, which are reachable from the Internet: Management (MGMT) and Ethernet 1/1 (WAN).
  Without Equinix Public IP Address: No public IP Address from Equinix is included. This option requires a separate virtual connection from your Network Service Provider (NSP) or Internet Service Provider (ISP). See Bring Your Own Connection - Remote Fabric Port for more information.

Access Control List
  With Equinix Public IP Address: Create an Access Control List (ACL) to limit traffic to the VNF Management (MGMT) or WAN interface.
  Without Equinix Public IP Address: The ACL option is not available. Additional compensating controls can be implemented for traffic from any private virtual connection.

SSH Access
  With Equinix Public IP Address: Use the Ethernet 1/1 (WAN) interface for SSH access. You are required to generate an RSA public key for SSH access and configure it in the device creation workflow (mandatory).
  Without Equinix Public IP Address: No SSH access by default. You need to create a user name for device access; one option is to generate an RSA public key for SSH access and configure it. Establish Internet connectivity through your NSP or ISP.

Device Manageability
  With Equinix Public IP Address: For Cluster devices, Panorama access can be mapped only to the Management (MGMT) interface.
  Without Equinix Public IP Address: A virtual connection (via the BYOC option) must first be assigned to the Management (MGMT) interface before Panorama can reach a Cluster deployment.

License Registration
  With Equinix Public IP Address: Provide the AuthCode during the device creation workflow. The AuthCode is registered automatically when the virtual device reaches out to the Palo Alto Networks license registration server.
  Without Equinix Public IP Address: No AuthCode is required during the device creation workflow. You are responsible for registering the license, either online through a private virtual connection with Internet access (Online License Registration) or in Offline Mode.

Clustering Setup
  With Equinix Public IP Address: Cluster setup is automated during the device creation workflow.
  Without Equinix Public IP Address: You are required to configure the cluster devices manually.

Internal HA Connection
  With Equinix Public IP Address: By default, GigabitEthernet 8 and 9 are automatically configured for the HA connection. You cannot change this configuration, and there is no need to connect the primary and secondary devices using a device link.
  Without Equinix Public IP Address: Select any two interfaces for heartbeat communication. The interface numbers must match between the primary and secondary devices: for example, if GigabitEthernet 5 is configured on the primary node for the first HA connection, GigabitEthernet 5 must be configured on the secondary node as well. Allocate two interfaces per node for HA connection purposes.

Internal HA Configuration
  With Equinix Public IP Address: All configuration required to form the Cluster between the two devices is provisioned during the device provisioning phase. You are not required to issue any additional clustering configuration.
  Without Equinix Public IP Address: You are required to configure the cluster settings on the two interfaces (links) described above. Sample configurations can be found in Cluster Configuration Without Equinix Public IP Address.

Auth Code
  With Equinix Public IP Address: Both Auth Codes, for the Primary and Secondary nodes, need to be generated before creating the clustered device. These codes are used automatically during device provisioning and you do not need to apply licenses manually. A missing or invalid Auth Code results in provisioning failure.
  Without Equinix Public IP Address: An identical Auth Code for the Primary and Secondary nodes is generated after the device creation flow. You will need to identify the CPU ID and UUID of each VNF to generate the Auth Code, and you must manually apply the license after the devices are provisioned.

Configuring Your Device Without Equinix Public IP Address

If you choose to create your device Without an Equinix Public IP Address, the VNF is provisioned without any public IP Address on the WAN or Management interface. You are responsible for configuring the license registration, overlay network configuration, and clustering.

Management Interface Configuration

The following is a sample, reference-only configuration for the management interface (static addressing):

set deviceconfig system type static
set deviceconfig system ip-address x.x.x.x
set deviceconfig system netmask y.y.y.y
set deviceconfig system default-gateway z.z.z.z

License Registration

You are responsible for manually adding the license to the device. You should already have access to the Palo Alto Networks Customer Support Portal (License portal), where you can register your device using UUID and CPU-ID information. Use the license key from the portal to add the license on the device. License activation documentation is available from the Palo Alto Networks documentation.

Deployment Scenarios

Scenario 1: Manage Firewall from Colocation (Offline License Registration). The Management interface is reachable only from the network connected to the colocation space, so the license is registered in offline mode.

  1. Create a VM-Series firewall VNF Without Equinix Public IP Address in the Network Edge portal.
  2. Log in to primary and secondary VNF consoles with your user name and password.
  3. Create a virtual connection from the VNF to colocation on the first interface (management interface).
  4. Assign an IP address to the management interface on both VNFs.
  5. Confirm IP reachability from devices in the colocation space.
  6. Access the VNF using SSH from device in the colocation space.
  7. Identify the CPU ID and UUID for the VNF.
  8. Access the Palo Alto Networks Customer Support Portal (License portal) and generate two identical licenses for the VNFs.
  9. Apply the offline mode license to both VNFs.
  10. (Optional) You can manage the VNF from Panorama management software configured in the colocation space.
  11. Create the virtual connections to the Cloud Service Providers (CSPs) from the remaining interfaces.
  12. Continue to use offline device management for software updates.

Scenario 2: Manage Firewall from an NSP Network (Online License Registration). The Management interface is reachable over the NSP Virtual Connection or a BYOC-connected interface, so the license can be registered online.

  1. Create a VM-Series firewall VNF Without Equinix Public IP Address in the Network Edge portal.
  2. Log in to primary and secondary VNF consoles with your user name and password.
  3. Create a virtual connection from the VNF to the NSP on the first interface (management interface).
  4. Assign an IP address to the management interface on both VNFs.
  5. Confirm IP reachability from devices in the NSP network.
  6. Access the VNF using SSH from device in the NSP network.
  7. Access the Palo Alto Networks Customer Support Portal (License portal) and generate a license and auth code for this VNF.
  8. Apply the identical Auth Code to both VNFs.
  9. (Optional) You can manage the VNF from Panorama management software configured in the NSP network.
  10. Create virtual connections to CSPs from the remaining interfaces.

Cluster Configuration Without Equinix Public IP Address

If you select the connectivity option Without Equinix Public IP Address, you are responsible for configuring two interfaces on each node to form a cluster between the primary and secondary nodes. The following is a sample configuration using the Command Line Interface (CLI); the HA1 and HA2 interface numbers must be the same on both nodes, and each node's peer-ip is the other node's HA1 address.

Sample configuration for Primary Node:

set deviceconfig high-availability interface ha1 port ethernet1/<HA1_Interface> 
set deviceconfig high-availability interface ha1 ip-address <Primary_HA1_IP>
set deviceconfig high-availability interface ha1 netmask <NETMASK>
set deviceconfig high-availability interface ha1-backup

set deviceconfig high-availability interface ha2 port ethernet1/<HA2_Interface>
set deviceconfig high-availability interface ha2 ip-address <Primary_HA2_IP>
set deviceconfig high-availability interface ha2 netmask <NETMASK>
set deviceconfig high-availability group group-id <Group_ID>
set deviceconfig high-availability group peer-ip <Secondary_IP>
set deviceconfig high-availability group election-option device-priority <Priority>
set deviceconfig high-availability group election-option timers recommended

set deviceconfig high-availability enabled yes
set network interface ethernet ethernet1/<HA1_Interface> ha
set network interface ethernet ethernet1/<HA2_Interface> ha

Sample configuration for Secondary Node:

set deviceconfig high-availability interface ha1 port ethernet1/<HA1_Interface> 
set deviceconfig high-availability interface ha1 ip-address <Secondary_HA1_IP>
set deviceconfig high-availability interface ha1 netmask <NETMASK>
set deviceconfig high-availability interface ha1-backup

set deviceconfig high-availability interface ha2 port ethernet1/<HA2_Interface>
set deviceconfig high-availability interface ha2 ip-address <Secondary_HA2_IP>
set deviceconfig high-availability interface ha2 netmask <NETMASK>
set deviceconfig high-availability group group-id <Group_ID>
set deviceconfig high-availability group peer-ip <Primary_IP>
set deviceconfig high-availability group election-option device-priority <Priority>

set deviceconfig high-availability enabled yes
set network interface ethernet ethernet1/<HA1_Interface> ha
set network interface ethernet ethernet1/<HA2_Interface> ha

For a sample configuration using the Graphical User Interface (GUI) of the management software, see Configure HA Cluster in the Palo Alto Networks documentation.
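The sample configurations above are templates with placeholders, and the two constraints that matter most (the same interface numbers on both nodes, and each node's peer-ip pointing at the other node's HA1 address) are easy to get wrong when the commands are typed twice by hand. The following Python script is an added example, not Equinix or Palo Alto Networks code: it renders the management-interface and HA commands for both nodes from one specification and refuses to render if the spec violates those constraints. The dataclass fields, the checks and the sample addresses are assumptions for illustration; only the command syntax follows the page's samples.

```python
"""Render per-node PAN-OS 'set' commands for a VM-Series HA pair created
Without Equinix Public IP Address, after validating the constraints the
page states. Added example; field names, checks and addresses are assumed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Node:
    name: str
    mgmt_ip: str
    mgmt_netmask: str
    mgmt_gateway: str
    ha1_ip: str          # control-link address; becomes the peer's peer-ip
    ha2_ip: str          # data-link address
    priority: int        # PAN-OS prefers the LOWER value in the active election


@dataclass(frozen=True)
class Cluster:
    group_id: int
    ha1_port: int        # ethernet1/<ha1_port>, identical on both nodes
    ha2_port: int        # ethernet1/<ha2_port>, identical on both nodes
    ha_netmask: str      # assumption: one mask serves both HA links


def _same_subnet(ip_a, ip_b, mask):
    net_a = ipaddress.ip_interface(f"{ip_a}/{mask}").network
    net_b = ipaddress.ip_interface(f"{ip_b}/{mask}").network
    return net_a == net_b


def validate(cluster, primary, secondary):
    """Return a list of problems; an empty list means the spec is usable."""
    problems = []
    if cluster.ha1_port == cluster.ha2_port:
        problems.append("HA1 and HA2 need two different interfaces on each node")
    if min(cluster.ha1_port, cluster.ha2_port) < 1:
        problems.append("interface numbers must be positive (ethernet1/N)")
    if primary.priority == secondary.priority:
        problems.append("device-priority must differ so the election is deterministic")
    for link, ip_a, ip_b in (("HA1", primary.ha1_ip, secondary.ha1_ip),
                             ("HA2", primary.ha2_ip, secondary.ha2_ip)):
        if ip_a == ip_b:
            problems.append(f"{link}: both nodes use {ip_a}")
        elif not _same_subnet(ip_a, ip_b, cluster.ha_netmask):
            problems.append(f"{link}: {ip_a} and {ip_b} are not in one subnet")
    return problems


def render(cluster, node, peer):
    """Commands for `node`; `peer` supplies the peer-ip (its HA1 address)."""
    ha1 = f"ethernet1/{cluster.ha1_port}"
    ha2 = f"ethernet1/{cluster.ha2_port}"
    ha = "set deviceconfig high-availability"
    return [
        # management interface, static addressing as in the page's sample
        "set deviceconfig system type static",
        f"set deviceconfig system ip-address {node.mgmt_ip}",
        f"set deviceconfig system netmask {node.mgmt_netmask}",
        f"set deviceconfig system default-gateway {node.mgmt_gateway}",
        # HA1 control link and HA2 data link; same port numbers on both nodes
        f"{ha} interface ha1 port {ha1}",
        f"{ha} interface ha1 ip-address {node.ha1_ip}",
        f"{ha} interface ha1 netmask {cluster.ha_netmask}",
        f"{ha} interface ha2 port {ha2}",
        f"{ha} interface ha2 ip-address {node.ha2_ip}",
        f"{ha} interface ha2 netmask {cluster.ha_netmask}",
        # group settings; peer-ip is the OTHER node's HA1 address
        f"{ha} group group-id {cluster.group_id}",
        f"{ha} group peer-ip {peer.ha1_ip}",
        f"{ha} group election-option device-priority {node.priority}",
        f"{ha} group election-option timers recommended",
        f"{ha} enabled yes",
        # hand the two interfaces to the HA subsystem
        f"set network interface ethernet {ha1} ha",
        f"set network interface ethernet {ha2} ha",
    ]


def build(cluster, primary, secondary):
    """Validate, then return {node name: command list} for both nodes."""
    problems = validate(cluster, primary, secondary)
    if problems:
        raise ValueError("; ".join(problems))
    return {primary.name: render(cluster, primary, secondary),
            secondary.name: render(cluster, secondary, primary)}


# Constructed sample values, not taken from any real deployment.
CLUSTER = Cluster(group_id=1, ha1_port=5, ha2_port=6, ha_netmask="255.255.255.0")
PRIMARY = Node("primary", "10.10.0.11", "255.255.255.0", "10.10.0.1",
               "192.168.50.1", "192.168.51.1", 100)
SECONDARY = Node("secondary", "10.10.0.12", "255.255.255.0", "10.10.0.1",
                 "192.168.50.2", "192.168.51.2", 110)

if __name__ == "__main__":
    for name, lines in build(CLUSTER, PRIMARY, SECONDARY).items():
        print(f"# --- {name} node ---")
        print("\n".join(lines))
```

Paste each node's block into configuration mode on that node only; the script deliberately emits the ha1-backup line from the page's sample nowhere, because that sample gives it no port or address and the value to use is deployment-specific.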

Enabling FIPS Mode

By default, FIPS-CC mode is not enabled on Palo Alto Networks virtual firewalls. If your deployment requires it, enable it using the following procedure.

Prerequisites:

  • GUI and SSH access to the Management interface of the firewall either via Public IP or Colo.
  • Console access to the virtual device.
  • Unlicensed Palo Alto VM; after FIPS is enabled, you need to load the license manually.
  • Backup of the device configuration.
  • A strong understanding of Palo Alto Firewall operations.
  • The Admin password hash must use SHA-256.
  • SSH must be available to the device on the Management interface.
  • OTP will be mandatory for FIPS mode.

Steps:

  1. Take a backup of the HA configuration of VM1 over SSH. Switching the CLI output to set format produces commands you can reload later in this procedure.

    > set cli config-output-format set
    > configure
    Entering configuration mode
    [edit]

    # show | match high-availability
  2. Disable HA on VM1 before enabling FIPS and commit the config.

  3. Log into the device via console.

  4. Enter the Maintenance Recovery Tool (MRT). The device takes a few minutes to boot into the MRT.

  5. In the MRT, select Set FIPS-CC Mode. Leave the values at their defaults, select Enable FIPS-CC Mode, and press Enter. Scrubbing is not recommended at this point.

  6. Reboot the device.

  7. SSH to the device and replace the non-FIPS defaults in the default IKE and IPsec crypto profiles. The CLI displays the following banner at login:

    **** FIPS-CC MODE ENABLED ****

    From configuration mode, run the following commands:

    > configure
    delete network ike crypto-profiles ike-crypto-profiles default encryption aes-128-cbc
    delete network ike crypto-profiles ike-crypto-profiles default encryption
    set network ike crypto-profiles ike-crypto-profiles default encryption aes-256-cbc
    delete network ike crypto-profiles ike-crypto-profiles default dh-group
    set network ike crypto-profiles ike-crypto-profiles default dh-group group19

    delete network ike crypto-profiles ipsec-crypto-profiles default esp encryption
    set network ike crypto-profiles ipsec-crypto-profiles default esp encryption aes-256-cbc
    delete network ike crypto-profiles ipsec-crypto-profiles default dh-group

    commit force

Repeat the above steps for VM2. Then log in to the GUI of both VMs: FIPS-CC Mode should be displayed on the login page and at all times in the status bar at the bottom of the web interface.

Every Palo Alto Networks firewall has its own high-availability-key that can be used to encrypt HA1 traffic. The key needs to be exported from VM1 and imported into VM2. The VM2 key also needs to be exported and imported into VM1.

  1. Log in to the GUI of VM2. Go to DEVICE > Certificate Management > Certificates > Device Certificates > Export HA Key

    note

    Make sure the key file name doesn’t have any special characters.

  2. Log in to the GUI of VM1 and upload the HA Key from VM2. Go to DEVICE > Certificate Management > Certificates > Device Certificates > Import HA Key

  3. While logged in to the GUI of VM1, download the HA Key from VM1. Go to DEVICE > Certificate Management > Certificates > Device Certificates > Export HA Key

  4. Log in to the GUI of VM2 and upload the HA Key from VM1. Go to DEVICE > Certificate Management > Certificates > Device Certificates > Import HA Key

  5. Append the following lines to the backup HA config taken in Step 1 from VM1 and VM2.

    set deviceconfig setting auto-mac-detect yes
    set deviceconfig high-availability interface ha1 encryption enabled yes
  6. Add the config to both VM1 and VM2 from their respective backups and commit the config via ssh.

    > configure
    Entering configuration mode
    [edit]

    # <Load config>

    # commit
  7. Load the license on both devices.

    request license fetch auth-code <auth-code>
    Important: The device will automatically reboot after the license is successfully applied.

  8. If required, log in to the primary device and sync the configuration between both devices.

    request high-availability sync-to-remote running-config
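After both nodes have been through the FIPS-CC procedure, it is worth confirming from a set-format dump of the running configuration (the same format step 1 of the procedure captures) that the crypto-profile changes from step 7 and the HA1 encryption line from step 5 actually landed, rather than trusting the banner alone. The following Python script is an added example, not Equinix or Palo Alto Networks code: it parses set-format lines into path/value pairs and reports any deviation from the end state the procedure leaves behind. The two configuration dumps are constructed samples, and the allowlist contains only the values this procedure sets, which is an assumption to extend to your own cryptographic policy.

```python
"""Audit a PAN-OS set-format configuration dump against the end state of
the FIPS-CC procedure above. Added example; sample dumps are constructed
and the allowlist is an assumption limited to what the procedure sets."""
import shlex

IKE = ("network", "ike", "crypto-profiles", "ike-crypto-profiles", "default")
IPSEC = ("network", "ike", "crypto-profiles", "ipsec-crypto-profiles", "default")

# Path -> exact set of values expected. An empty set means the procedure
# deletes the node, so any value present is a finding.
EXPECTED = {
    IKE + ("encryption",): {"aes-256-cbc"},
    IKE + ("dh-group",): {"group19"},
    IPSEC + ("esp", "encryption"): {"aes-256-cbc"},
    IPSEC + ("dh-group",): set(),
    ("deviceconfig", "high-availability", "interface", "ha1", "encryption", "enabled"): {"yes"},
    ("deviceconfig", "setting", "auto-mac-detect"): {"yes"},
}


def parse_set_config(text):
    """Map each 'set' path (tuple) to the list of values assigned to it.

    Handles 'set a b c value' and the bracketed multi-value form
    'set a b c [ v1 v2 ]' that PAN-OS emits for list nodes."""
    config = {}
    for raw in text.splitlines():
        tokens = shlex.split(raw.strip())
        if len(tokens) < 3 or tokens[0] != "set":
            continue                      # skip prompts, blanks, delete lines
        tokens = tokens[1:]
        if "[" in tokens:
            cut = tokens.index("[")
            path = tuple(tokens[:cut])
            values = [t for t in tokens[cut + 1:] if t != "]"]
        else:
            path, values = tuple(tokens[:-1]), [tokens[-1]]
        config.setdefault(path, []).extend(values)
    return config


def audit(config, expected=EXPECTED):
    """Return human-readable findings; an empty list means the dump matches."""
    findings = []
    for path, want in expected.items():
        have = set(config.get(path, []))
        label = " ".join(path)
        if not want:
            if have:
                findings.append(f"{label}: procedure deletes this node but it holds {sorted(have)}")
            continue
        for extra in sorted(have - want):
            findings.append(f"{label}: {extra} is outside the allowed set {sorted(want)}")
        for missing in sorted(want - have):
            findings.append(f"{label}: expected value {missing} is missing")
    return findings


# Constructed dump resembling a freshly provisioned node before step 7.
BEFORE_FIPS = """\
set network ike crypto-profiles ike-crypto-profiles default encryption [ aes-128-cbc 3des ]
set network ike crypto-profiles ike-crypto-profiles default dh-group group2
set network ike crypto-profiles ipsec-crypto-profiles default esp encryption [ aes-128-cbc 3des ]
set network ike crypto-profiles ipsec-crypto-profiles default dh-group group2
set deviceconfig high-availability enabled yes
"""

# Constructed dump after steps 5 and 7 have been applied and committed.
AFTER_FIPS = """\
set network ike crypto-profiles ike-crypto-profiles default encryption aes-256-cbc
set network ike crypto-profiles ike-crypto-profiles default dh-group group19
set network ike crypto-profiles ipsec-crypto-profiles default esp encryption aes-256-cbc
set deviceconfig setting auto-mac-detect yes
set deviceconfig high-availability interface ha1 encryption enabled yes
set deviceconfig high-availability enabled yes
"""

if __name__ == "__main__":
    for name, dump in (("before", BEFORE_FIPS), ("after", AFTER_FIPS)):
        findings = audit(parse_set_config(dump))
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

Feed it the output of `show | match crypto-profiles` and `show | match high-availability` taken with `set cli config-output-format set` on each node; running it on both nodes before the final sync-to-remote catches a node that was missed when the steps were repeated.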