HA (high availability) Active/Passive Palo Alto on AWS

19 / Mar / 2026 by Kushagra Bansal 0 comments

Introduction

In the first part, we explored Palo Alto firewalls, their use cases, and the different ways to achieve high availability in AWS. To learn more, click here.

In this second part, we’ll walk through a complete end-to-end setup of an Active/Passive Palo Alto HA deployment within the same Availability Zone.

Architecture

[Screenshot: Architecture diagram]

In this setup, traffic from the private server is routed to the Palo Alto firewall for inspection. The traffic reaches the firewall through its private (Trust/Inside) ENI, where it is evaluated based on defined policies.

We configure NAT rules in the Palo Alto UI to allow this traffic to access the internet. Additionally, a security group is applied to the private ENI to ensure that only traffic originating from the Trust/Inside subnet is permitted to reach the firewall.

Step 1:

Start by creating a VPC along with the required subnets:

  • VPC CIDR: 10.0.0.0/21 (paloAlto-dev-poc-vpc)
  • Subnets:
    • Mgmt subnet – 10.0.0.0/24
    • Trust subnet – 10.0.1.0/24
    • Untrust subnet – 10.0.2.0/24
    • HA subnet – 10.0.3.0/25

[Screenshot: Subnets]

Step 2:

Create the following security groups to control traffic:

1. Palo-mgmt-SG

  • Allow SSH (22) and HTTPS (443) from trusted IPs
  • Allow all TCP traffic within the same security group (for internal communication)

[Screenshot: Palo-mgmt-SG]

2. Palo-Trust/Inside-SG

Allow ICMP (IPv4) from:

  • Private instance security groups, and
  • Subnet CIDR ranges

[Screenshot: Palo-Trust/Inside-SG]

3. Palo-Untrust/Outside-SG

  • No inbound rules required initially

[Screenshot: Palo-Untrust/Outside-SG]

4. Palo-HA-SG

  • Allow all TCP traffic within the same SG (used for HA communication)

[Screenshot: Palo-HA-SG]

Step 3:

Set up route tables for:

  • Management / Untrust subnet
  • HA subnet
  • Trust (Inside) subnet

Ensure proper routing so traffic flows correctly between interfaces and to the internet.

1. mgmt/untrust rt

[Screenshot: mgmt/untrust route table]

2. HA rt

[Screenshot: HA route table]

3. inside/trust rt

[Screenshot: inside/trust route table]

Step 4:

Create the ENIs and three Elastic IPs.

Elastic IP

  • mgmt-primary-ip
  • Untrust/Outside IP
  • mgmt-secondary-ip

[Screenshot: Elastic IPs]

Now create the ENIs and attach each one to its respective subnet and security group.

For Palo Alto Firewall 01 (Primary)

  • Palo-mgmt-primary-eni with elastic IP attached
  • Palo-outside-eni with elastic IP attached (disable the source/destination check)
  • Palo-inside-eni (disable the source/destination check)
  • Palo-HA-primary-eni

For Palo Alto Firewall 02 (Secondary)

  • Palo-mgmt-secondary-eni with elastic IP attached
  • Palo-HA-secondary-eni

[Screenshot: Network interfaces]
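Before launching the instances it is worth checking the plan built in Steps 1 to 4 against the properties the rest of this post depends on: subnets inside the VPC CIDR and non-overlapping, the source/destination check disabled on the inside and outside ENIs (otherwise EC2 drops the packets the firewall forwards on behalf of the private instances), the Trust/Inside security group accepting only sources from the trust subnet or the private instances' own security group, and the trust route table's default route pointing at the inside ENI. The script below is an added example, not code from the original post or from Palo Alto Networks; the records it audits are constructed from the post's values, and the route targets, the private instances' security group name (`sg-private-app`) and the `src_dst_check` field are placeholders standing in for what `describe-network-interfaces` and `describe-route-tables` would return.

```python
"""Pre-flight audit of the VM-Series Active/Passive network plan on AWS.

Added example; not from the original post or Palo Alto Networks. The
data below is constructed from the post's values; route targets, the
app servers' SG name and the src_dst_check field are placeholders.
"""
import ipaddress

VPC_CIDR = "10.0.0.0/21"
SUBNETS = {"mgmt": "10.0.0.0/24", "trust": "10.0.1.0/24",
           "untrust": "10.0.2.0/24", "ha": "10.0.3.0/25"}

# One dict per ENI from the post. 'src_dst_check' mirrors the EC2
# source/destination check attribute (True is the EC2 default).
ENIS = [
    {"name": "Palo-mgmt-primary-eni",   "subnet": "mgmt",    "eip": True,  "src_dst_check": True},
    {"name": "Palo-outside-eni",        "subnet": "untrust", "eip": True,  "src_dst_check": False},
    {"name": "Palo-inside-eni",         "subnet": "trust",   "eip": False, "src_dst_check": False},
    {"name": "Palo-HA-primary-eni",     "subnet": "ha",      "eip": False, "src_dst_check": True},
    {"name": "Palo-mgmt-secondary-eni", "subnet": "mgmt",    "eip": True,  "src_dst_check": True},
    {"name": "Palo-HA-secondary-eni",   "subnet": "ha",      "eip": False, "src_dst_check": True},
]

# Inbound rules of Palo-Trust/Inside-SG as (protocol, source); a source is
# either a CIDR or a referenced security group (placeholder name).
TRUST_SG_INBOUND = [("icmp", "10.0.1.0/24"), ("icmp", "sg-private-app")]

# Trust subnet route table: destination -> target (placeholder target ids).
# The default route must hand traffic to the firewall's inside ENI.
TRUST_ROUTE_TABLE = {"10.0.0.0/21": "local", "0.0.0.0/0": "eni:Palo-inside-eni"}


def check_subnets(vpc_cidr=VPC_CIDR, subnets=SUBNETS):
    """Every subnet must sit inside the VPC CIDR and none may overlap."""
    findings = []
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = {name: ipaddress.ip_network(c) for name, c in subnets.items()}
    for name, net in nets.items():
        if not net.subnet_of(vpc):
            findings.append(f"subnet {name} {net} is outside VPC {vpc}")
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                findings.append(f"subnets {a} and {b} overlap")
    return findings


def check_forwarding_enis(enis=ENIS):
    """Dataplane ENIs (trust/untrust) forward packets for other hosts, so
    the source/destination check must be off; management ENIs need an EIP."""
    findings = []
    for eni in enis:
        if eni["subnet"] in ("trust", "untrust") and eni["src_dst_check"]:
            findings.append(f"{eni['name']}: source/destination check still enabled")
        if eni["subnet"] == "mgmt" and not eni["eip"]:
            findings.append(f"{eni['name']}: management ENI has no Elastic IP")
    return findings


def check_trust_sg(rules=TRUST_SG_INBOUND, trust_cidr=SUBNETS["trust"]):
    """CIDR sources on the trust SG must lie within the trust subnet;
    security-group references (the private instances' SG) pass as-is."""
    findings = []
    trust = ipaddress.ip_network(trust_cidr)
    for proto, source in rules:
        if source.startswith("sg-"):
            continue
        if not ipaddress.ip_network(source).subnet_of(trust):
            findings.append(f"trust SG allows {proto} from {source}, outside {trust}")
    return findings


def check_trust_routes(rt=TRUST_ROUTE_TABLE, inside_eni="eni:Palo-inside-eni"):
    """The trust subnet's default route must target the inside ENI."""
    target = rt.get("0.0.0.0/0")
    if target != inside_eni:
        return [f"trust default route targets {target!r}, expected {inside_eni!r}"]
    return []


def audit(vpc_cidr=VPC_CIDR, subnets=SUBNETS, enis=ENIS,
          trust_rules=TRUST_SG_INBOUND, trust_rt=TRUST_ROUTE_TABLE):
    """Run every check; an empty list means the plan matches the design."""
    return (check_subnets(vpc_cidr, subnets) + check_forwarding_enis(enis)
            + check_trust_sg(trust_rules) + check_trust_routes(trust_rt))


if __name__ == "__main__":
    for line in audit() or ["OK: network plan matches the design"]:
        print(line)
```

Run it as-is and it prints `OK`; flip `src_dst_check` on `Palo-inside-eni` to `True`, or add a `0.0.0.0/0` rule to the trust SG, and the corresponding finding appears. The same functions can be fed the real values pulled from the AWS CLI once the resources exist.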

Step 5:

Launch two EC2 instances using the Palo Alto AMI (ami-0579cded2bf22993c).

Attach the following ENIs to the primary firewall instance (PaloAlto-mgmt-primary):

  • Mgmt ENI
  • HA ENI
  • Outside ENI
  • Inside ENI

[Screenshot: PaloAlto-mgmt-primary]

Attach the following ENIs to the secondary firewall instance (PaloAlto-mgmt-secondary):

  • Mgmt ENI
  • HA ENI

[Screenshot: PaloAlto-mgmt-secondary]

Step 6:

First, open a terminal and SSH into both firewalls using the command below:

  • ssh -i "xyz.pem" admin@<IP>

Then, on each firewall, set a new admin password so you can log in to the Palo Alto web UI:

  • configure
  • set mgt-config users admin password
  • commit

Enable Interface Move Mode

Since we are using Active/Passive HA, when the active firewall fails, the passive one should take over.

To allow ENIs to move between instances:

  • Change the HA mode on the active peer from secondary-IP mode to interface-move mode.
    • request plugins vm_series aws ha failover-mode interface-move
    • show plugins vm_series aws ha failover-mode
  • Disable DPDK support on the active HA peer.
    • set system setting dpdk-pkt-io off

This ensures smooth failover in AWS.

[Screenshot: Palo Alto CLI]

Step 7:

This step covers:

  • Configuration for PaloAlto-mgmt-primary EC2 server
  • Configuration for PaloAlto-Secondary EC2 server
  • Final Steps to Enable HA
  • AWS Ping Command results

1. Configuration for PaloAlto-mgmt-primary Firewall

A. Zones

[Screenshot: Zones]

B. Virtual Routers (default) > Static Routes (for internet access)

[Screenshot: Virtual Router]

C. Configure Interfaces > Ethernet

[Screenshot: Interfaces]

D. Go to Device > High Availability

In HA Pair Settings, enter the secondary firewall's eth0 (management) private IP:

  • Peer HA1 IP → Secondary firewall management IP

The remaining settings can be taken from the screenshot below.

[Screenshot: HA Pair Settings]

In Data Link > HA2

  • Port: ethernet1/1, i.e. the HA1 ENI
  • IPv4: the primary firewall's HA ENI private IP
  • Gateway: the HA subnet's gateway address

[Screenshot: Data Link]

F. Policies: Security and NAT rule configuration

[Screenshot: Security and NAT rules]

Commit all the configurations from the UI itself.

2. Configuration for PaloAlto-mgmt-secondary Firewall

  • Go to Device → High Availability
    • Set:
      • Peer HA1 IP → Primary firewall management IP
    • Configure:
      • HA2 Data Link with HA2 interface only
  • Go to Network → Interfaces
    • Set up the HA interface

All other configs will sync automatically from the primary. Commit all the configurations from the UI itself.

[Screenshot: HA2 communication and interface]

3. Final Steps to Enable HA

  • Reboot both firewalls:
    • Device → Setup → Reboot
  • After reboot:
    • Check HA dashboard
    • Everything should appear green
  • Don’t forget:
    • Click “Sync to Peer” initially to sync configurations

[Screenshot: HA Dashboard]

4. AWS Ping Command results

Testing the setup

To validate the deployment:

  • Launch:
    • One public EC2 instance
    • One private EC2 instance
  • Configure route tables:
    • Route private subnet traffic via Palo Alto Trust ENI
  • Test connectivity:
    • Ping from private instance
    • Access internet

Result:
Your private EC2 instance can now access the internet through the Palo Alto firewall.

[Screenshot: ping output]

Final Thoughts

Setting up Active/Passive Palo Alto HA in AWS might seem complex at first, but once you break it down into steps, it becomes manageable.

The key things to get right are:

  • Proper ENI mapping
  • Correct HA configuration
  • Interface move mode

Once done, you get a highly available and resilient firewall architecture in AWS.

References:

https://docs.paloaltonetworks.com/vm-series/10-2/vm-series-deployment/set-up-the-vm-series-firewall-on-aws/high-availability-for-vm-series-firewall-on-aws

https://docs.paloaltonetworks.com/vm-series/10-2/vm-series-deployment/set-up-the-vm-series-firewall-on-aws/high-availability-for-vm-series-firewall-on-aws/migrate-activepassive-ha-on-aws/migrate-activepassive-ha-on-aws-to-interface-move-mode
