admin<\/strong>"<\/p>\nAnd execute the following commands:<\/p>\n
\r\nconfigure\r\nset mgt-config users admin password\r\n<\/pre>\nEnter the password 2 times and save the changes:<\/p>\n
\r\ncommit\r\n<\/pre>\n![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/09\/Screenshot-2022-09-20-at-16.39.50.png\")
<\/p>\n
Repeat the same on the second instance.<\/p>\n
<\/p>\n
WebUI<\/h4>\nBasic<\/h4>\n
Now you can log in to the WebUI at the following address<\/p>\n
https:\/\/<MGMT-PUBLIC-IP><\/p><\/blockquote>\n
\n- Login: admin<\/li>\n
- Password: the one that was set via SSH<\/li>\n<\/ul>\n
![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/09\/Screenshot-2022-09-20-at-17.25.17.png\")
<\/p>\n
For convenience, let’s set the Hostname<\/strong>, for this we go to "Device<\/strong>" -> "Setup<\/strong>" -> "Management<\/strong>" -> "General settings<\/strong>"<\/p>\n![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/09\/Screenshot-2022-09-20-at-17.33.14.png\")
<\/p>\n
Save the changes, for this, in the upper right corner, select "Commit<\/strong>". After refreshing the browser tab, the name of the tab will change.<\/p>\nHA: Enable<\/h4>\n
Turn on the HA mode, for this we go to "Device<\/strong>" -> "Setup<\/strong>" -> "High Availability<\/strong>" -> "General<\/strong>" -> "Setup<\/strong>" and select the "gear"<\/p>\nEnable "HA<\/strong>" mode, "Group ID<\/strong>" — any value from 1 to 63, and "Peer HA1 IP Address<\/strong>" — private IP address of the MGMT<\/strong> interface of the second instance (AZ B)<\/p>\n![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/09\/Screenshot-2022-09-20-at-17.48.24.png\")
<\/p>\n
Now you need to change the "Device priority<\/strong>" for the active instance, the lower the value, the higher the priority. The default value is "100<\/strong>", set the value for instance "A<\/strong>" to "50<\/strong>"<\/p>\n![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/09\/Screenshot-2022-09-20-at-18.42.53.png\")
<\/p>\n
Security zones<\/h4>\n
Before configuring the interfaces, let’s create two zones:<\/p>\n
\n- untrust-zone<\/li>\n
- trust-zone<\/li>\n<\/ul>\n
Go to the tab "Network<\/strong>" -> "Zones<\/strong>" and add a new zone by clicking "Add<\/strong>" in the lower left corner. We set the name and specify Type: "Layer3<\/strong>", the rest is left by default.<\/p>\n![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/09\/Screenshot-2022-09-21-at-19.46.29.png\")
<\/p>\n
Network interfaces<\/h4>\n
Now go to the tab "Network<\/strong>" -> "Interfaces<\/strong>" -> "Ethernet<\/strong>" and select the interface "ethernet1\/1<\/strong>", specify that the "Interface Type<\/strong>" will be "HA<\/strong>" and click "OK<\/strong>"<\/p>\n![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/09\/Screenshot-2022-09-20-at-19.51.55.png\")
<\/p>\n
Interface<\/span><\/span><\/span> "ethernet1\/2<\/strong>":<\/p>\n\n- Interface Type: Layer3<\/strong><\/li>\n<\/ul>\n
Config<\/strong>:<\/p>\n\n- Virtual Router: default<\/strong><\/li>\n
- Security Zone: untrust-zone<\/strong><\/li>\n<\/ul>\n
![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/09\/Screenshot-2022-09-21-at-19.52.21.png\")
<\/p>\n
IPv4<\/strong><\/p>\nType: DHCP Client<\/strong><\/p>\n![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/09\/Screenshot-2022-09-21-at-19.56.02.png\")
<\/p>\n
Interface "ethernet1\/3<\/strong>" we repeat the same steps as for "ethernet1\/2<\/strong>" with the exception of "Security Zone<\/strong>", for this interface we specify "trust-zone<\/strong>"<\/p>\nAs a result, 3 interfaces must be configured<\/p>\n
![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/09\/Screenshot-2022-09-21-at-20.11.26.png\")
<\/p>\n
HA: Data link<\/h4>\n
We return back to the HA setting, go to "Device<\/strong>" -> "Setup<\/strong>" -> "High Availability<\/strong>" -> "HA Communications<\/strong>" -> "Data Links<\/strong>"<\/p>\n\n- Port: ethernet1\/1<\/li>\n
- IPv4\/IPv6 Address: IP address of the HA interface of the same instance<\/li>\n
- Netmask: Netmask of our subnet<\/li>\n
- Gateway: The first IP address in our network, is a required parameter, because instances are on different subnets<\/li>\n<\/ul>\n
![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/09\/Screenshot-2022-09-20-at-19.59.33.png\")
<\/p>\n
We also need to make sure we use "secondary-ip<\/strong>" as the HA mode. To do this, go to the "Device<\/strong>" tab and find the item "VM-Series<\/strong>"<\/p>\n![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/09\/Screenshot-2022-09-21-at-20.15.26.png\")
<\/p>\n
And now we need to save our changes, for this select the "Commit<\/strong>" button in the upper right corner.<\/p>\nWe repeat all the steps on the second instance, except that "Device priority<\/strong>" is left by default — "100<\/strong>"<\/p>\nHA Widget<\/h4>\n
In order to see the HA status in the Web console, you need to add a widget to the main panel, to do this, go to the "Dashboard<\/strong>" tab and select "Widgets<\/strong>" -> "System<\/strong>" -> "High Availability<\/strong>"<\/p>\n![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/09\/Screenshot-2022-09-20-at-20.19.31.png\")
<\/p>\n
If you configured everything correctly, you will see the following on the widget<\/p>\n
![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/09\/Screenshot-2022-09-20-at-20.19.59.png\")
<\/p>\n
Run configuration synchronization<\/p>\n
![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/09\/Screenshot-2022-09-20-at-20.20.20.png\")
<\/p>\n
And after a couple of minutes, synchronization should be completed<\/p>\n
![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/09\/Screenshot-2022-09-20-at-20.25.46.png\")
<\/p>\n
HA Test<\/h4>\n
Now we need to check that the HA mode is working, for this, we do not need to stop the active instance or otherwise simulate an accident from the AWS side. It is enough to go to the "Device<\/strong>" tab on the active firewall and then "Setup<\/strong>" -> "High Availability<\/strong>" -> "Operational Commands<\/strong>" and click "Suspend local device for high availability<\/strong>"![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/09\/Screenshot-2022-09-21-at-18.33.45.png\")
<\/p>\nConfirm that we want to suspend HA mode<\/p>\n
![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/09\/Screenshot-2022-09-21-at-18.34.00.png\")
<\/p>\n
Then go to the "Dashboard<\/strong>" panel and check that the HA mod is paused and Peer<\/strong> is now the active firewall<\/p>\n![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/09\/Screenshot-2022-09-21-at-18.39.11.png\")
<\/p>\n
Also, make sure the firewalls are swapped, check the "High Availability<\/strong>" widget on the second firewall<\/p>\n![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/09\/Screenshot-2022-09-21-at-18.45.18.png\")
<\/p>\n
And the last thing left to check is that the EIP<\/strong> for GlobalProtect<\/strong> has been ported to the new active firewall. As you can see, EIP<\/strong> is successfully associated with an instance in AZ B<\/strong><\/p>\n![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/09\/Screenshot-2022-09-21-at-20.23.40.png\")
<\/p>\n","protected":false},"excerpt":{"rendered":"
VM-Series Firewall SSH To use WebUI, we need to set an administrator password, for this, need to connect via SSH. After creating instances, it takes 10-15 minutes before the Firewall is initialized and will be available via SSH Connect to the first instance, SSH user — "admin" And execute the following commands: Enter the … \u041f\u0440\u043e\u0434\u043e\u043b\u0436\u0438\u0442\u044c \u0447\u0438\u0442\u0430\u0442\u044c "Palo Alto VM-Series Firewall: AWS HA Multi AZ for GlobalProtect — Part 2"<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[599,1335],"tags":[543,1899,1901,1903,1905],"_links":{"self":[{"href":"https:\/\/artem.services\/index.php?rest_route=\/wp\/v2\/posts\/2450"}],"collection":[{"href":"https:\/\/artem.services\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/artem.services\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/artem.services\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/artem.services\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2450"}],"version-history":[{"count":7,"href":"https:\/\/artem.services\/index.php?rest_route=\/wp\/v2\/posts\/2450\/revisions"}],"predecessor-version":[{"id":2602,"href":"https:\/\/artem.services\/index.php?rest_route=\/wp\/v2\/posts\/2450\/revisions\/2602"}],"wp:attachment":[{"href":"https:\/\/artem.services\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2450"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/artem.services\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2450"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/artem.services\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2450"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/09\/palo-alto-logo-1024x186.png\"){kind=logo}
<\/p>\n