Palo Alto VM-Series Firewall: AWS HA Multi AZ for GlobalProtect – Part 2


VM-Series Firewall


To use WebUI, we need to set an administrator password, for this, need to connect via SSH.

After creating instances, it takes 10-15 minutes before the Firewall is initialized and will be available via SSH

Connect to the first instance, SSH user – “admin

And execute the following commands:

set mgt-config users admin password

Enter the password 2 times and save the changes:


Repeat the same on the second instance.



Now you can log in to the WebUI at the following address


  • Login: admin
  • Password: the one that was set via SSH

For convenience, let’s set the Hostname, for this we go to “Device” -> “Setup” -> “Management” -> “General settings

Save the changes, for this, in the upper right corner, select “Commit“. After refreshing the browser tab, the name of the tab will change.

HA: Enable

Turn on the HA mode, for this we go to “Device” -> “Setup” -> “High Availability” -> “General” -> “Setup” and select the “gear”

Enable “HA” mode, “Group ID” – any value from 1 to 63, and “Peer HA1 IP Address” – private IP address of the MGMT interface of the second instance (AZ B)

Now you need to change the “Device priority” for the active instance, the lower the value, the higher the priority. The default value is “100“, set the value for instance “A” to “50

Security zones

Before configuring the interfaces, let’s create two zones:

  • untrust-zone
  • trust-zone

Go to the tab “Network” -> “Zones” and add a new zone by clicking “Add” in the lower left corner. We set the name and specify Type: “Layer3“, the rest is left by default.

Network interfaces

Now go to the tab “Network” -> “Interfaces” -> “Ethernet” and select the interface “ethernet1/1“, specify that the “Interface Type” will be “HA” and click “OK


  • Interface Type: Layer3


  • Virtual Router: default
  • Security Zone: untrust-zone


Type: DHCP Client

Interface “ethernet1/3” we repeat the same steps as for “ethernet1/2” with the exception of “Security Zone“, for this interface we specify “trust-zone

As a result, 3 interfaces must be configured

HA: Data link

We return back to the HA setting, go to “Device” -> “Setup” -> “High Availability” -> “HA Communications” -> “Data Links

  • Port: ethernet1/1
  • IPv4/IPv6 Address: IP address of the HA interface of the same instance
  • Netmask: Netmask of our subnet
  • Gateway: The first IP address in our network, is a required parameter, because instances are on different subnets

We also need to make sure we use “secondary-ip” as the HA mode. To do this, go to the “Device” tab and find the item “VM-Series

And now we need to save our changes, for this select the “Commit” button in the upper right corner.

We repeat all the steps on the second instance, except that “Device priority” is left by default – “100

HA Widget

In order to see the HA status in the Web console, you need to add a widget to the main panel, to do this, go to the “Dashboard” tab and select “Widgets” -> “System” -> “High Availability

If you configured everything correctly, you will see the following on the widget

Run configuration synchronization

And after a couple of minutes, synchronization should be completed

HA Test

Now we need to check that the HA mode is working, for this, we do not need to stop the active instance or otherwise simulate an accident from the AWS side. It is enough to go to the “Device” tab on the active firewall and then “Setup” -> “High Availability” -> “Operational Commands” and click “Suspend local device for high availability

Confirm that we want to suspend HA mode

Then go to the “Dashboard” panel and check that the HA mod is paused and Peer is now the active firewall

Also, make sure the firewalls are swapped, check the “High Availability” widget on the second firewall

And the last thing left to check is that the EIP for GlobalProtect has been ported to the new active firewall. As you can see, EIP is successfully associated with an instance in AZ B

Tagged: Tags

Notify of

Inline Feedbacks
View all comments