How to Change The Group ID in a HA Environment
31037
Created On 10/17/19 15:46 PM - Last Modified 09/28/20 19:35 PM
Objective
- Details the process of changing the Group ID for a pair of Palo Alto Networks devices configured in High Availability (HA).
- Changing the HA Group ID will change the virtual MAC address of the firewalls and the upstream device may have cached the old MAC address.
Environment
- PAN NGFW
- High Availability (HA) Active/Passive configuration
- FW1 is Active.
- FW2 is Passive.
Procedure
NOTE: The HA Group ID is a crucial part of the configuration, so to minimize the impact on network users it is always recommended to perform this change during a maintenance window.
- Start with the Passive firewall (FW2): go to Device > High Availability > General tab, change the Group ID, and commit the change.
- After the commit, FW2 will go into a non-functional state. This will not affect traffic because FW1 is still the working Active device.
- From the working Active device (FW1), go to Device > High Availability > Operational Commands tab and suspend the current Active firewall (FW1). This triggers an HA failover and makes the non-functional device (FW2) Active.
- Traffic will now flow through the new Active device (FW2). The chance of an outage is very small if the connected switches converge on the new MAC addresses quickly and accurately.
- From the suspended device (FW1), go to the General tab under Device > High Availability, change the Group ID number to match the new Group ID on the peer device (FW2), and commit the change on the firewall.
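The same sequence carried out from the PAN-OS CLI instead of the web interface, as an added walkthrough that is not part of the original article. The `set deviceconfig high-availability group group-id`, `request high-availability state suspend` and `show high-availability state` commands are the standard CLI equivalents of the GUI tabs named above; the hostnames, prompts and the new Group ID value (7) are constructed for this example, and the final step that returns FW1 to a functional state is not listed in the article and is included here only as the check a practitioner would normally run after the change.

```console
# Step 1: on the Passive firewall (FW2), change the Group ID and commit.
admin@FW2> configure
admin@FW2# set deviceconfig high-availability group group-id 7   # constructed value
admin@FW2# commit
admin@FW2# exit

# FW2 is now non-functional (its Group ID no longer matches FW1); traffic stays on FW1.
admin@FW2> show high-availability state

# Step 2: on the Active firewall (FW1), suspend HA to force failover to FW2.
admin@FW1> request high-availability state suspend

# Confirm FW2 has become Active before touching FW1's configuration.
admin@FW2> show high-availability state

# Step 3: on the suspended firewall (FW1), set the matching Group ID and commit.
admin@FW1> configure
admin@FW1# set deviceconfig high-availability group group-id 7   # must equal FW2's value
admin@FW1# commit
admin@FW1# exit

# Not in the article above: clear the suspended state so FW1 can rejoin as Passive,
# then verify both peers report the same Group ID and a healthy Active/Passive pair.
admin@FW1> request high-availability state functional
admin@FW1> show high-availability state
```

Run `show high-availability state` on both peers after each commit; the point of the ordering is that at no time are both devices non-functional, and the window during which the two virtual MAC addresses differ is limited to the interval between the first commit and the second.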
Additional Information
- The HA Group ID is used in computing the virtual MAC addresses in an HA setup, so for the period during which the two devices have different HA Group IDs, they will also have different virtual MAC addresses.
- MAC address convergence on the connected switches will also affect the duration of any outage.
- For more detailed information on how virtual MAC addresses are calculated, please click here.