To use the WebUI, we first need to set an administrator password, and for that we need to connect via SSH.
After the instances are created, it takes 10-15 minutes before the firewall is initialized and becomes available via SSH.
Connect to the first instance (SSH user: "admin") and execute the following commands:
configure
set mgt-config users admin password
Enter the new password twice, then save the change with "commit":
Repeat the same on the second instance.
Now you can log in to the WebUI at the following address:
- Login: admin
- Password: the one set via SSH
For convenience, let's set the Hostname: go to "Device" -> "Setup" -> "Management" -> "General Settings".
Save the changes by selecting "Commit" in the upper right corner. After refreshing the browser tab, its title will show the new hostname.
Turn on HA mode: go to "Device" -> "Setup" -> "High Availability" -> "General" -> "Setup" and click the "gear" icon.
Enable "HA", set "Group ID" to any value from 1 to 63 (it must be the same on both instances), and set "Peer HA1 IP Address" to the private IP address of the MGMT interface of the second instance (AZ B).
Now change the "Device Priority" of the instance that should be active: the lower the value, the higher the priority. The default is "100"; set instance "A" to "50".
Before configuring the interfaces, let's create two zones, "untrust-zone" and "trust-zone":
Go to "Network" -> "Zones" and click "Add" in the lower left corner. Set the name, specify Type: "Layer3", and leave the rest at the defaults. Repeat for the second zone.
Now go to "Network" -> "Interfaces" -> "Ethernet" and select "ethernet1/1". Set "Interface Type" to "HA" and click "OK".
Then select "ethernet1/2" and configure it as follows:
- Interface Type: Layer3
- Virtual Router: default
- Security Zone: untrust-zone
- IPv4 -> Type: DHCP Client
For "ethernet1/3", repeat the same steps as for "ethernet1/2", except that the "Security Zone" is "trust-zone".
As a result, three interfaces should now be configured: ethernet1/1 (HA), ethernet1/2 (untrust-zone) and ethernet1/3 (trust-zone).
HA: Data link
Return to the HA settings: go to "Device" -> "Setup" -> "High Availability" -> "HA Communications" -> "Data Links" and set:
- Port: ethernet1/1
- IPv4/IPv6 Address: the private IP address of the HA interface (ethernet1/1) of this same instance
- Netmask: the netmask of the subnet that ethernet1/1 is in
- Gateway: the first usable IP address of that subnet (the AWS VPC router). This parameter is required here because the two instances sit in different subnets (different AZs), so HA2 traffic between them must be routed.
We also need to make sure the VM-Series uses "secondary-ip" as the AWS HA mode. To check this, go to the "Device" tab and find the "VM-Series" item. In this mode, on failover the firewall moves the secondary private IPs (and the EIPs associated with them) to the new active instance instead of moving the ENIs themselves.
Now save the changes with the "Commit" button in the upper right corner.
Repeat all the steps on the second instance, except that "Device Priority" is left at its default of "100" (and "Peer HA1 IP Address" points at the MGMT private IP of instance A).
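For reference, the same configuration can be entered from the PAN-OS CLI instead of the WebUI. The block below is an added example, not part of the original post: the hostnames, IP addresses and netmasks are assumed placeholders (instance A in a 10.0.1.0/24 subnet, instance B in 10.0.2.0/24), the "#" lines are annotations rather than CLI input, and the exact syntax should be checked against the PAN-OS version you run. The "secondary-ip" AWS HA mode is not shown here and is left to the WebUI step above.

```text
# ---- Instance A (AZ A) ----
configure
set deviceconfig system hostname fw-a

# Zones (created together with their interface membership)
set zone untrust-zone network layer3 ethernet1/2
set zone trust-zone network layer3 ethernet1/3

# ethernet1/1 as the HA data link, ethernet1/2 and ethernet1/3 as Layer3 DHCP clients
set network interface ethernet ethernet1/1 ha
set network interface ethernet ethernet1/2 layer3 dhcp-client enable yes
set network interface ethernet ethernet1/3 layer3 dhcp-client enable yes
set network virtual-router default interface [ ethernet1/2 ethernet1/3 ]

# HA: group ID (same on both peers), HA1 over MGMT, HA2 over ethernet1/1
set deviceconfig high-availability enabled yes
set deviceconfig high-availability group group-id 1
set deviceconfig high-availability group peer-ip 10.0.2.10          # MGMT private IP of instance B (assumed)
set deviceconfig high-availability group election-option device-priority 50
set deviceconfig high-availability interface ha2 port ethernet1/1
set deviceconfig high-availability interface ha2 ip-address 10.0.1.20    # ethernet1/1 private IP of instance A (assumed)
set deviceconfig high-availability interface ha2 netmask 255.255.255.0
set deviceconfig high-availability interface ha2 gateway 10.0.1.1        # VPC router: first usable address of the subnet
commit

# ---- Instance B (AZ B): identical apart from hostname, peer, HA2 addressing and priority ----
configure
set deviceconfig system hostname fw-b
set zone untrust-zone network layer3 ethernet1/2
set zone trust-zone network layer3 ethernet1/3
set network interface ethernet ethernet1/1 ha
set network interface ethernet ethernet1/2 layer3 dhcp-client enable yes
set network interface ethernet ethernet1/3 layer3 dhcp-client enable yes
set network virtual-router default interface [ ethernet1/2 ethernet1/3 ]
set deviceconfig high-availability enabled yes
set deviceconfig high-availability group group-id 1
set deviceconfig high-availability group peer-ip 10.0.1.10          # MGMT private IP of instance A (assumed)
# device-priority is left at the default of 100 so instance A wins the election
set deviceconfig high-availability interface ha2 port ethernet1/1
set deviceconfig high-availability interface ha2 ip-address 10.0.2.20    # ethernet1/1 private IP of instance B (assumed)
set deviceconfig high-availability interface ha2 netmask 255.255.255.0
set deviceconfig high-availability interface ha2 gateway 10.0.2.1
commit
```

The CLI form is handy when you build the second instance, since everything except the hostname, the peer address, the HA2 addressing and the priority is identical and can be pasted in; a mismatched Group ID or a wrong peer-ip is the most common reason the peers never see each other.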
To see the HA status in the WebUI, add a widget to the dashboard: go to the "Dashboard" tab and select "Widgets" -> "System" -> "High Availability".
If everything is configured correctly, the widget will look like this:
Run the configuration synchronization ("Sync to peer" in the widget).
After a couple of minutes, the synchronization should complete and the running configuration should show as synchronized.
Now we need to check that HA failover actually works. For this we do not need to stop the active instance or otherwise simulate a failure on the AWS side: it is enough to go to "Device" -> "Setup" -> "High Availability" -> "Operational Commands" on the active firewall and click "Suspend local device for high availability".
Confirm that we want to suspend HA.
Then go to the "Dashboard" and check that the local device is now suspended and the peer has become the active firewall.
Also confirm that the roles have swapped by checking the "High Availability" widget on the second firewall.
The last thing to check is that the EIP for GlobalProtect has moved to the new active firewall. As you can see, the EIP is now associated with the instance in AZ B.
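The same failover test can be driven and verified from the PAN-OS CLI, which is convenient when you want to repeat it or script it. This is an added example, not part of the original post; the "#" lines are annotations, and the states shown in them are what you would expect for the setup above (instance A with priority 50, instance B with the default 100).

```text
# On the active firewall (instance A)
request high-availability sync-to-remote running-config      # same as "Sync to peer" in the widget
show high-availability state                                 # expect local-info state: active, peer-info state: passive,
                                                             # and running-sync: synchronized before you fail over

request high-availability state suspend                      # same as "Suspend local device for high availability"
show high-availability state                                 # expect local-info state: suspended, peer-info state: active

# On the new active firewall (instance B)
show high-availability state                                 # expect local-info state: active, peer-info state: suspended

# When the test is done, return instance A to the cluster
request high-availability state functional
```

On the AWS side, `aws ec2 describe-addresses --public-ips <GlobalProtect EIP>` shows the InstanceId the EIP is currently attached to, which should be instance B while A is suspended. One caveat: when you make instance A functional again, it will take the active role back (and move the EIP again) if "Preemptive" is enabled in the HA election settings, because its priority of 50 beats B's 100; if you do not want a second switchover, disable preemption or plan for it.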