In this second part, we\u2019ll walk through a complete end-to-end setup of an Active\/Passive Palo Alto HA deployment within the same Availability Zone.<\/p>\n
Architecture<\/h2>\n![\"Architecture\"](\"https:\/\/www.tothenew.com\/blog\/wp-ttn-blog\/uploads\/2026\/03\/Screenshot-2026-03-18-at-11.41.16\u202fPM-1024x634.png\")
Architecture<\/p><\/div>\n
In this setup, traffic from the private server is routed to the Palo Alto firewall for inspection. The traffic reaches the firewall through its private (Trust\/Inside) ENI, where it is evaluated based on defined policies.<\/p>\n
We configure NAT rules in the Palo Alto UI to allow this traffic to access the internet. Additionally, a security group is applied to the private ENI to ensure that only traffic originating from the Trust\/Inside subnet is permitted to reach the firewall.<\/p>\n
Step 1:<\/h3>\n
Start by creating a VPC along with the required subnets:<\/p>\n
\n- VPC CIDR: 10.0.0.0\/21 (paloAlto-dev-poc-vpc)<\/li>\n
- Subnets:\n
\n- Mgmt subnet – 10.0.0.0\/24<\/li>\n
- Trust subnet – 10.0.1.0\/24<\/li>\n
- Untrust subnet – 10.0.2.0\/24<\/li>\n
- HA subnet – 10.0.3.0\/25<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
![\"Subnets\"](\"https:\/\/www.tothenew.com\/blog\/wp-ttn-blog\/uploads\/2026\/03\/Screenshot-2026-03-19-at-12.54.33\u202fAM-1024x185.png\")
Subnets<\/p><\/div>\n
Step 2:<\/h3>\n
Create the following security groups to control traffic:<\/p>\n
1. Palo-mgmt-SG<\/p>\n
\n- Allow SSH (22) and HTTPS (443) from trusted IPs<\/li>\n
- Allow all TCP traffic within the same security group (for internal communication)<\/li>\n<\/ul>\n
![\"Palo-mgmt-SG\"](\"https:\/\/www.tothenew.com\/blog\/wp-ttn-blog\/uploads\/2026\/03\/Screenshot-2026-03-19-at-12.59.50\u202fAM-1024x216.png\")
Palo-mgmt-SG<\/p><\/div>\n
2. Palo-Trust\/Inside-SG<\/p>\n
Allow ICMP (IPv4) from:<\/p>\n
\n- Private instance security groups, and<\/li>\n
- Subnet CIDR ranges<\/li>\n<\/ul>\n
![\"Palo-Trust\/Inside-SG\"](\"https:\/\/www.tothenew.com\/blog\/wp-ttn-blog\/uploads\/2026\/03\/Screenshot-2026-03-19-at-1.01.55\u202fAM-1024x215.png\")
Palo-Trust\/Inside-SG<\/p><\/div>\n
3. Palo-Untrust\/Outside-SG<\/p>\n
\n- No inbound rules required initially<\/li>\n<\/ul>\n
![\"Palo-Untrust\/Outside-SG\"](\"https:\/\/www.tothenew.com\/blog\/wp-ttn-blog\/uploads\/2026\/03\/Screenshot-2026-03-19-at-1.05.17\u202fAM-1024x208.png\")
Palo-Untrust\/Outside-SG<\/p><\/div>\n
4. Palo-HA-SG<\/p>\n
\n- Allow all TCP traffic within the same SG (used for HA communication)<\/li>\n<\/ul>\n
![\"Palo-HA-SG\"](\"https:\/\/www.tothenew.com\/blog\/wp-ttn-blog\/uploads\/2026\/03\/Screenshot-2026-03-19-at-1.07.35\u202fAM-1024x187.png\")
Palo-HA-SG<\/p><\/div>\n
Step 3:<\/h3>\n
Set up route tables for:<\/p>\n
\n- Management \/ Untrust subnet<\/li>\n
- HA subnet<\/li>\n
- Trust (Inside) subnet<\/li>\n<\/ul>\n
Ensure proper routing so traffic flows correctly between interfaces and to the internet.<\/p>\n
1. mgmt\/untrust rt<\/p>\n
![\"mgmt\/untrust](\"https:\/\/www.tothenew.com\/blog\/wp-ttn-blog\/uploads\/2026\/03\/Screenshot-2026-03-19-at-1.10.48\u202fAM-1024x177.png\")
mgmt\/untrust rt<\/p><\/div>\n
![\"mgmt\/untrust](\"https:\/\/www.tothenew.com\/blog\/wp-ttn-blog\/uploads\/2026\/03\/Screenshot-2026-03-19-at-1.10.16\u202fAM-1024x175.png\")
mgmt\/untrust rt<\/p><\/div>\n
2. HA rt<\/p>\n
![\"HA](\"https:\/\/www.tothenew.com\/blog\/wp-ttn-blog\/uploads\/2026\/03\/Screenshot-2026-03-19-at-1.13.19\u202fAM-1024x160.png\")
HA rt<\/p><\/div>\n
![\"\"](\"https:\/\/www.tothenew.com\/blog\/wp-ttn-blog\/uploads\/2026\/03\/Screenshot-2026-03-19-at-1.13.53\u202fAM-1024x156.png\")
<\/p>\n
3. inside\/trust rt<\/p>\n
![\"inside\/trust](\"https:\/\/www.tothenew.com\/blog\/wp-ttn-blog\/uploads\/2026\/03\/Screenshot-2026-03-19-at-1.14.54\u202fAM-1024x179.png\")
inside\/trust rt<\/p><\/div>\n
![\"\"](\"https:\/\/www.tothenew.com\/blog\/wp-ttn-blog\/uploads\/2026\/03\/Screenshot-2026-03-19-at-1.15.44\u202fAM-1024x152.png\")
<\/p>\n
Step 4:<\/h3>\n
Create ENIs and 3 elastic IPs as well.<\/p>\n
Elastic IP<\/p>\n
\n- mgmt-primary-ip<\/li>\n
- Untrust\/Outside IP<\/li>\n
- mgmt-secondary-ip<\/li>\n<\/ul>\n
![\"Elastic](\"https:\/\/www.tothenew.com\/blog\/wp-ttn-blog\/uploads\/2026\/03\/Screenshot-2026-03-19-at-1.19.32\u202fAM-1024x163.png\")
Elastic IP<\/p><\/div>\n
Now create and map ENIs and Attach each ENI to its respective subnet and security group.<\/p>\n
For Palo Alto Firewall 01 (Primary)<\/p>\n
\n- Palo-mgmt-primary-eni with elastic IP attached<\/li>\n
- Palo-outside-eni with elastic IP attached (disable the Change source\/destination check)<\/li>\n
- Palo-inside-eni (disable the Change source\/destination)<\/li>\n
- Palo-HA-primary-eni<\/li>\n<\/ul>\n
For Palo Alto Firewall 02 (Secondary)<\/p>\n
\n- Palo-mgmt-secondary-eni with elastic IP attached<\/li>\n
- Palo-HA-secondary-eni<\/li>\n<\/ul>\n
![\"Network](\"https:\/\/www.tothenew.com\/blog\/wp-ttn-blog\/uploads\/2026\/03\/Screenshot-2026-03-19-at-1.21.20\u202fAM-300x179.png\")
Network interfaces<\/p><\/div>\n
Step 5:<\/h3>\n
Launch two<\/strong> EC2 instances using the Palo Alto AMI (ami-0579cded2bf22993c).<\/p>\nAttach the ENIs with AWS EC2 instance firewall(PaloAlto-mgmt-primary)<\/p>\n
\n- Mgmt eni<\/li>\n
- HA eni<\/li>\n
- Outisde eni<\/li>\n
- Inside eni<\/li>\n<\/ul>\n
![\"PaloAlto-mgmt-primary\"](\"https:\/\/www.tothenew.com\/blog\/wp-ttn-blog\/uploads\/2026\/03\/Screenshot-2026-03-19-at-1.25.23\u202fAM-300x98.png\")
PaloAlto-mgmt-primary<\/p><\/div>\n
Attach the ENIs with AWS EC2 instance firewall (PaloAlto-mgmt-secondary)<\/p>\n
\n- Mgmt eni<\/li>\n
- HA eni<\/li>\n<\/ul>\n
![\"PaloAlto-mgmt-secondary\"](\"https:\/\/www.tothenew.com\/blog\/wp-ttn-blog\/uploads\/2026\/03\/Screenshot-2026-03-19-at-1.27.06\u202fAM-1024x208.png\")
PaloAlto-mgmt-secondary<\/p><\/div>\n
Step 6:<\/h3>\n
To open Palo UI, configure a new admin password for both Palo Alto server, using the following command:<\/p>\n
\n- configure<\/li>\n
- set mgt-config users admin password<\/li>\n
- commit<\/li>\n<\/ul>\n
First, open the terminal to SSH into both servers using below command<\/p>\n
\n- ssh -i “xyz.pem” admin@<IP><\/li>\n<\/ul>\n
Enable Interface Move Mode<\/p>\n
Since we are using Active\/Passive HA, when the active firewall fails, the passive one should take over.<\/p>\n
To allow ENIs to move between instances:<\/p>\n
\n- Change the HA mode on the active peer from secondary-IP mode to interface-move mode.\n
\n- request plugins vm_series aws ha failover-mode interface-move<\/li>\n
- show plugins vm_series aws ha failover-mode<\/li>\n<\/ul>\n<\/li>\n
- Disable DPDK support on the active HA peer.\n
\n- set system setting dpdk-pkt-io off<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
This ensures smooth failover in AWS.<\/p>\n
![\"PaloAlto](\"https:\/\/www.tothenew.com\/blog\/wp-ttn-blog\/uploads\/2026\/03\/Screenshot-2026-03-19-at-1.30.40\u202fAM-1024x425.png\")
PaloAlto Cli<\/p><\/div>\n
Step 7:<\/h3>\n
Here we\u2019ll see<\/p>\n
\n- Configuration for PaloAlto-mgmt-primary EC2 server<\/li>\n
- Configuration for PaloAlto-Secondary EC2 server<\/li>\n
- Final Steps to Enable HA<\/li>\n
- AWS Ping Command results<\/li>\n<\/ul>\n
1. Configuration for PaloAlto-mgmt-primary Firewall<\/h4>\n
A. Zones<\/p>\n
![\"zone\"](\"https:\/\/www.tothenew.com\/blog\/wp-ttn-blog\/uploads\/2026\/03\/Screenshot-2026-03-19-at-1.49.32\u202fAM-1024x371.png\")
zone<\/p><\/div>\n
B. virtual routers(default) > Static Routes (for internet access)<\/p>\n
![\"Virtual](\"https:\/\/www.tothenew.com\/blog\/wp-ttn-blog\/uploads\/2026\/03\/Screenshot-2026-03-19-at-1.50.58\u202fAM-1024x623.png\")
Virtual Router<\/p><\/div>\n
C. configure interfaces > ethernet<\/p>\n
![\"Interfaces\"](\"https:\/\/www.tothenew.com\/blog\/wp-ttn-blog\/uploads\/2026\/03\/Screenshot-2026-03-19-at-1.52.07\u202fAM-1024x464.png\")
Interfaces<\/p><\/div>\n
![\"\"](\"https:\/\/www.tothenew.com\/blog\/wp-ttn-blog\/uploads\/2026\/03\/Screenshot-2026-03-19-at-1.52.17\u202fAM-1024x189.png\")
<\/p>\n
D. Go to Device > High Availability<\/p>\n
In HA Pair Settings, mentioned the Secondary Mgmt server eth0 private IP.<\/p>\n
\n- Peer HA1 IP \u2192 Secondary firewall management IP<\/li>\n<\/ul>\n
Other configuration can be configured from the below screenshot.<\/p>\n
![\"HA](\"https:\/\/www.tothenew.com\/blog\/wp-ttn-blog\/uploads\/2026\/03\/Screenshot-2026-03-19-at-1.54.05\u202fAM-1024x483.png\")
HA Pair Settings<\/p><\/div>\n
<\/p>\n
In Data Link > HA2<\/p>\n
\n- Port: ethernet1\/1 i.e. HA1 ENI<\/li>\n
- IPv4 \u2013 Palo Alto primary HA ENI private IP<\/li>\n
- Gateway address of HA subnet<\/li>\n<\/ul>\n
![\"Data](\"https:\/\/www.tothenew.com\/blog\/wp-ttn-blog\/uploads\/2026\/03\/Screenshot-2026-03-19-at-1.55.22\u202fAM-1024x261.png\")
Data Link<\/p><\/div>\n
F. Policies, Security and NAT rule configurations<\/p>\n
![\"Security](\"https:\/\/www.tothenew.com\/blog\/wp-ttn-blog\/uploads\/2026\/03\/Screenshot-2026-03-19-at-1.56.49\u202fAM-1024x103.png\")
Security and NAT<\/p><\/div>\n
![\"\"](\"https:\/\/www.tothenew.com\/blog\/wp-ttn-blog\/uploads\/2026\/03\/Screenshot-2026-03-19-at-1.56.58\u202fAM-1024x149.png\")
<\/p>\n
Commit all the configurations from the UI itself.<\/p>\n
<\/h4>\n2. Configuration for PaloAlto-mgmt-secondary Firewall<\/h4>\n\n- Go to Device \u2192 High Availability\n
\n- Set:\n
\n- Peer HA1 IP \u2192 Primary firewall management IP<\/li>\n<\/ul>\n<\/li>\n
- Configure:\n
\n- HA2 Data Link with HA2 interface only<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n
- Go to Network \u2192 Interfaces\n
\n- Setup HA interface<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
All other configs will sync automatically from the primary. Commit all the configurations from the UI itself.<\/p>\n
![\"HA2](\"https:\/\/www.tothenew.com\/blog\/wp-ttn-blog\/uploads\/2026\/03\/Screenshot-2026-03-19-at-2.12.28\u202fAM-1024x122.png\")
HA2 communication and Interface<\/p><\/div>\n
![\"\"](\"https:\/\/www.tothenew.com\/blog\/wp-ttn-blog\/uploads\/2026\/03\/Screenshot-2026-03-19-at-2.12.41\u202fAM-1024x510.png\")
<\/p>\n
![\"\"](\"https:\/\/www.tothenew.com\/blog\/wp-ttn-blog\/uploads\/2026\/03\/Screenshot-2026-03-19-at-2.12.49\u202fAM-1024x271.png\")
<\/p>\n
<\/h4>\n3. Final Steps to Enable HA<\/h4>\n\n- Reboot both firewalls:\n
\n- Device \u2192 Setup \u2192 Reboot<\/li>\n<\/ul>\n<\/li>\n
- After reboot:\n
\n- Check HA dashboard<\/li>\n
- Everything should appear green<\/li>\n<\/ul>\n<\/li>\n
- Don\u2019t forget:\n
\n- Click \u201cSync to Peer\u201d initially to sync configurations<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
![\"HA](\"https:\/\/www.tothenew.com\/blog\/wp-ttn-blog\/uploads\/2026\/03\/Screenshot-2026-03-19-at-2.18.57\u202fAM-1024x707.png\")
HA Dashboard<\/p><\/div>\n
![\"\"](\"https:\/\/www.tothenew.com\/blog\/wp-ttn-blog\/uploads\/2026\/03\/Screenshot-2026-03-19-at-2.19.19\u202fAM-1024x552.png\")
<\/h4>\n<\/h4>\n4. AWS Ping Command results<\/h4>\n
Testing the Setup –<\/p>\n
To validate:<\/p>\n
\n- Launch:\n
\n- One public EC2 instance<\/li>\n
- One private EC2 instance<\/li>\n<\/ul>\n<\/li>\n
- Configure route tables:\n
\n- Route private subnet traffic via Palo Alto Trust ENI<\/li>\n<\/ul>\n<\/li>\n
- Test connectivity:\n
\n- Ping from private instance<\/li>\n
- Access internet<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
Result:
\nYour private EC2 instance can now access the internet through the Palo Alto firewall.<\/p>\n
![\"output\"](\"https:\/\/www.tothenew.com\/blog\/wp-ttn-blog\/uploads\/2026\/03\/Screenshot-2026-03-19-at-2.20.20\u202fAM-1024x310.png\")
output<\/p><\/div>\n
Final Thoughts<\/h2>\n
Setting up Active\/Passive Palo Alto HA in AWS might seem complex at first, but once you break it down into steps, it becomes manageable.<\/p>\n
The key things to get right are:<\/p>\n
\n- Proper ENI mapping<\/li>\n
- Correct HA configuration<\/li>\n
- Interface move mode<\/li>\n<\/ul>\n
Once done, you get a highly available and resilient firewall architecture in AWS.<\/p>\n
<\/h2>\nReference:<\/h2>\n
https:\/\/docs.paloaltonetworks.com\/vm-series\/10-2\/vm-series-deployment\/set-up-the-vm-series-firewall-on-aws\/high-availability-for-vm-series-firewall-on-aws<\/p>\n
https:\/\/docs.paloaltonetworks.com\/vm-series\/10-2\/vm-series-deployment\/set-up-the-vm-series-firewall-on-aws\/high-availability-for-vm-series-firewall-on-aws\/migrate-activepassive-ha-on-aws\/migrate-activepassive-ha-on-aws-to-interface-move-mode<\/p>\n","protected":false},"excerpt":{"rendered":"
Introduction In the first part, we explored Palo Alto firewalls, their use cases, and different ways to achieve high availability in AWS. To learn more click here. In this second part, we\u2019ll walk through a complete end-to-end setup of an Active\/Passive Palo Alto HA deployment within the same Availability Zone. Architecture In this setup, traffic […]<\/p>\n","protected":false},"author":1658,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"iawp_total_views":4},"categories":[2348],"tags":[248,1892,2536,1898,8295,8296],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts\/78704"}],"collection":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/users\/1658"}],"replies":[{"embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/comments?post=78704"}],"version-history":[{"count":13,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts\/78704\/revisions"}],"predecessor-version":[{"id":78827,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts\/78704\/revisions\/78827"}],"wp:attachment":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/media?parent=78704"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/categories?post=78704"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/tags?post=78704"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
Architecture<\/p><\/div>\n
In this setup, traffic from the private server is routed to the Palo Alto firewall for inspection. The traffic reaches the firewall through its private (Trust\/Inside) ENI, where it is evaluated based on defined policies.<\/p>\n
We configure NAT rules in the Palo Alto UI to allow this traffic to access the internet. Additionally, a security group is applied to the private ENI to ensure that only traffic originating from the Trust\/Inside subnet is permitted to reach the firewall.<\/p>\n
Step 1:<\/h3>\n
Start by creating a VPC along with the required subnets:<\/p>\n
- \n
- VPC CIDR: 10.0.0.0\/21 (paloAlto-dev-poc-vpc)<\/li>\n
- Subnets:\n
- \n
- Mgmt subnet – 10.0.0.0\/24<\/li>\n
- Trust subnet – 10.0.1.0\/24<\/li>\n
- Untrust subnet – 10.0.2.0\/24<\/li>\n
- HA subnet – 10.0.3.0\/25<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
Subnets<\/p><\/div>\n
Step 2:<\/h3>\n
Create the following security groups to control traffic:<\/p>\n
1. Palo-mgmt-SG<\/p>\n
- \n
- Allow SSH (22) and HTTPS (443) from trusted IPs<\/li>\n
- Allow all TCP traffic within the same security group (for internal communication)<\/li>\n<\/ul>\n
Palo-mgmt-SG<\/p><\/div>\n
2. Palo-Trust\/Inside-SG<\/p>\n
Allow ICMP (IPv4) from:<\/p>\n
- \n
- Private instance security groups, and<\/li>\n
- Subnet CIDR ranges<\/li>\n<\/ul>\n
Palo-Trust\/Inside-SG<\/p><\/div>\n
3. Palo-Untrust\/Outside-SG<\/p>\n
- \n
- No inbound rules required initially<\/li>\n<\/ul>\n
Palo-Untrust\/Outside-SG<\/p><\/div>\n
4. Palo-HA-SG<\/p>\n
- \n
- Allow all TCP traffic within the same SG (used for HA communication)<\/li>\n<\/ul>\n
Palo-HA-SG<\/p><\/div>\n
Step 3:<\/h3>\n
Set up route tables for:<\/p>\n
- \n
- Management \/ Untrust subnet<\/li>\n
- HA subnet<\/li>\n
- Trust (Inside) subnet<\/li>\n<\/ul>\n
Ensure proper routing so traffic flows correctly between interfaces and to the internet.<\/p>\n
1. mgmt\/untrust rt<\/p>\n
mgmt\/untrust rt<\/p><\/div>\n
mgmt\/untrust rt<\/p><\/div>\n
2. HA rt<\/p>\n
HA rt<\/p><\/div>\n
<\/p>\n3. inside\/trust rt<\/p>\n
inside\/trust rt<\/p><\/div>\n
<\/p>\nStep 4:<\/h3>\n
Create ENIs and 3 elastic IPs as well.<\/p>\n
Elastic IP<\/p>\n
- \n
- mgmt-primary-ip<\/li>\n
- Untrust\/Outside IP<\/li>\n
- mgmt-secondary-ip<\/li>\n<\/ul>\n
Elastic IP<\/p><\/div>\n
Now create and map ENIs and Attach each ENI to its respective subnet and security group.<\/p>\n
For Palo Alto Firewall 01 (Primary)<\/p>\n
- \n
- Palo-mgmt-primary-eni with elastic IP attached<\/li>\n
- Palo-outside-eni with elastic IP attached (disable the Change source\/destination check)<\/li>\n
- Palo-inside-eni (disable the Change source\/destination)<\/li>\n
- Palo-HA-primary-eni<\/li>\n<\/ul>\n
For Palo Alto Firewall 02 (Secondary)<\/p>\n
- \n
- Palo-mgmt-secondary-eni with elastic IP attached<\/li>\n
- Palo-HA-secondary-eni<\/li>\n<\/ul>\n
Network interfaces<\/p><\/div>\n
Step 5:<\/h3>\n
Launch two<\/strong> EC2 instances using the Palo Alto AMI (ami-0579cded2bf22993c).<\/p>\n
Attach the ENIs with AWS EC2 instance firewall(PaloAlto-mgmt-primary)<\/p>\n
- \n
- Mgmt eni<\/li>\n
- HA eni<\/li>\n
- Outisde eni<\/li>\n
- Inside eni<\/li>\n<\/ul>\n
PaloAlto-mgmt-primary<\/p><\/div>\n
Attach the ENIs with AWS EC2 instance firewall (PaloAlto-mgmt-secondary)<\/p>\n
- \n
- Mgmt eni<\/li>\n
- HA eni<\/li>\n<\/ul>\n
PaloAlto-mgmt-secondary<\/p><\/div>\n
Step 6:<\/h3>\n
To open Palo UI, configure a new admin password for both Palo Alto server, using the following command:<\/p>\n
- \n
- configure<\/li>\n
- set mgt-config users admin password<\/li>\n
- commit<\/li>\n<\/ul>\n
First, open the terminal to SSH into both servers using below command<\/p>\n
- \n
- ssh -i “xyz.pem” admin@<IP><\/li>\n<\/ul>\n
Enable Interface Move Mode<\/p>\n
Since we are using Active\/Passive HA, when the active firewall fails, the passive one should take over.<\/p>\n
To allow ENIs to move between instances:<\/p>\n
- \n
- Change the HA mode on the active peer from secondary-IP mode to interface-move mode.\n
- \n
- request plugins vm_series aws ha failover-mode interface-move<\/li>\n
- show plugins vm_series aws ha failover-mode<\/li>\n<\/ul>\n<\/li>\n
- Disable DPDK support on the active HA peer.\n
- \n
- set system setting dpdk-pkt-io off<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
This ensures smooth failover in AWS.<\/p>\n
PaloAlto Cli<\/p><\/div>\n
Step 7:<\/h3>\n
Here we\u2019ll see<\/p>\n
- \n
- Configuration for PaloAlto-mgmt-primary EC2 server<\/li>\n
- Configuration for PaloAlto-Secondary EC2 server<\/li>\n
- Final Steps to Enable HA<\/li>\n
- AWS Ping Command results<\/li>\n<\/ul>\n
1. Configuration for PaloAlto-mgmt-primary Firewall<\/h4>\n
A. Zones<\/p>\n
zone<\/p><\/div>\n
B. virtual routers(default) > Static Routes (for internet access)<\/p>\n
Virtual Router<\/p><\/div>\n
C. configure interfaces > ethernet<\/p>\n
Interfaces<\/p><\/div>\n
<\/p>\nD. Go to Device > High Availability<\/p>\n
In HA Pair Settings, mentioned the Secondary Mgmt server eth0 private IP.<\/p>\n
- \n
- Peer HA1 IP \u2192 Secondary firewall management IP<\/li>\n<\/ul>\n
Other configuration can be configured from the below screenshot.<\/p>\n
HA Pair Settings<\/p><\/div>\n
<\/p>\n
In Data Link > HA2<\/p>\n
- \n
- Port: ethernet1\/1 i.e. HA1 ENI<\/li>\n
- IPv4 \u2013 Palo Alto primary HA ENI private IP<\/li>\n
- Gateway address of HA subnet<\/li>\n<\/ul>\n
Data Link<\/p><\/div>\n
F. Policies, Security and NAT rule configurations<\/p>\n
Security and NAT<\/p><\/div>\n
<\/p>\nCommit all the configurations from the UI itself.<\/p>\n
<\/h4>\n
2. Configuration for PaloAlto-mgmt-secondary Firewall<\/h4>\n
- \n
- Go to Device \u2192 High Availability\n
- \n
- Set:\n
- \n
- Peer HA1 IP \u2192 Primary firewall management IP<\/li>\n<\/ul>\n<\/li>\n
- Configure:\n
- \n
- HA2 Data Link with HA2 interface only<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n
- Go to Network \u2192 Interfaces\n
- \n
- Setup HA interface<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
All other configs will sync automatically from the primary. Commit all the configurations from the UI itself.<\/p>\n
HA2 communication and Interface<\/p><\/div>\n
<\/p>\n<\/p>\n<\/h4>\n
3. Final Steps to Enable HA<\/h4>\n
- \n
- Reboot both firewalls:\n
- \n
- Device \u2192 Setup \u2192 Reboot<\/li>\n<\/ul>\n<\/li>\n
- After reboot:\n
- \n
- Check HA dashboard<\/li>\n
- Everything should appear green<\/li>\n<\/ul>\n<\/li>\n
- Don\u2019t forget:\n
- \n
- Click \u201cSync to Peer\u201d initially to sync configurations<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
HA Dashboard<\/p><\/div>\n
<\/h4>\n<\/h4>\n
4. AWS Ping Command results<\/h4>\n
Testing the Setup –<\/p>\n
To validate:<\/p>\n
- \n
- Launch:\n
- \n
- One public EC2 instance<\/li>\n
- One private EC2 instance<\/li>\n<\/ul>\n<\/li>\n
- Configure route tables:\n
- \n
- Route private subnet traffic via Palo Alto Trust ENI<\/li>\n<\/ul>\n<\/li>\n
- Test connectivity:\n
- \n
- Ping from private instance<\/li>\n
- Access internet<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
Result:
\nYour private EC2 instance can now access the internet through the Palo Alto firewall.<\/p>\noutput<\/p><\/div>\n
Final Thoughts<\/h2>\n
Setting up Active\/Passive Palo Alto HA in AWS might seem complex at first, but once you break it down into steps, it becomes manageable.<\/p>\n
The key things to get right are:<\/p>\n
- \n
- Proper ENI mapping<\/li>\n
- Correct HA configuration<\/li>\n
- Interface move mode<\/li>\n<\/ul>\n
Once done, you get a highly available and resilient firewall architecture in AWS.<\/p>\n
<\/h2>\n
Reference:<\/h2>\n
https:\/\/docs.paloaltonetworks.com\/vm-series\/10-2\/vm-series-deployment\/set-up-the-vm-series-firewall-on-aws\/high-availability-for-vm-series-firewall-on-aws<\/p>\n
https:\/\/docs.paloaltonetworks.com\/vm-series\/10-2\/vm-series-deployment\/set-up-the-vm-series-firewall-on-aws\/high-availability-for-vm-series-firewall-on-aws\/migrate-activepassive-ha-on-aws\/migrate-activepassive-ha-on-aws-to-interface-move-mode<\/p>\n","protected":false},"excerpt":{"rendered":"
Introduction In the first part, we explored Palo Alto firewalls, their use cases, and different ways to achieve high availability in AWS. To learn more click here. In this second part, we\u2019ll walk through a complete end-to-end setup of an Active\/Passive Palo Alto HA deployment within the same Availability Zone. Architecture In this setup, traffic […]<\/p>\n","protected":false},"author":1658,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"iawp_total_views":4},"categories":[2348],"tags":[248,1892,2536,1898,8295,8296],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts\/78704"}],"collection":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/users\/1658"}],"replies":[{"embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/comments?post=78704"}],"version-history":[{"count":13,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts\/78704\/revisions"}],"predecessor-version":[{"id":78827,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts\/78704\/revisions\/78827"}],"wp:attachment":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/media?parent=78704"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/categories?post=78704"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/tags?post=78704"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
- Launch:\n
- Click \u201cSync to Peer\u201d initially to sync configurations<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
- Reboot both firewalls:\n
- Setup HA interface<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
- Set:\n
- Go to Device \u2192 High Availability\n
- Peer HA1 IP \u2192 Secondary firewall management IP<\/li>\n<\/ul>\n
- set system setting dpdk-pkt-io off<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
- Change the HA mode on the active peer from secondary-IP mode to interface-move mode.\n
- ssh -i “xyz.pem” admin@<IP><\/li>\n<\/ul>\n
- Allow all TCP traffic within the same SG (used for HA communication)<\/li>\n<\/ul>\n
- No inbound rules required initially<\/li>\n<\/ul>\n