How to use one Template stack for a high availability Firewall Pair on Panorama.

52584

Created On 10/29/19 07:43 AM - Last Modified 10/13/23 02:28 AM

Templates

Device Management

8.1

9.0

9.1

Panorama

Objective

The objective of this article is to show how to use one template stack for a High Availability (HA) pair by using variables.

From PAN-OS 9.0, the import of device on Panorama has changed.

As per the Panorama 9.0 Admin Guide : "Do not combine the HA firewall pair in to a single template if a unique Hostname, management IP address, or HA configuration is configured for each HA peer. You may also configure a unique Hostname, management IP address, or HA configuration locally on the firewalls."

If a single template stack is used without modifying the variables, one may encounter error messages similar to the one mentioned below.

. High-availability ha1 interface ipaddr configured to match peer-ip address(Module: ha_agent)
. Commit failed

Error message when pushing the template with option "Force Template"

Environment

Any Panorama.
PAN-OS 8.1, 9.0, 9.1, 10.0, 10.1, 10.2.
Palo Alto Firewalls configured in High Availability.

Procedure

The variables need to be set for the following parameters.

Hostname.
Management IP address.
HA configuration.

The steps to accomplish the same are as below.

Import the configuration of the active firewall.
Edit the template to use variable.
Import the configuration from passive firewall.

Part 1 - Import the configuration of the active firewall

On the firewall, configure the IP address of the Panorama under GUI: Device>Setup>Management>Panorama Settings
On the firewall, disable the configuration synchronisation in under GUI: Device>Setup>High Availability>Setup
On the firewall, commit the changes
On Panorama, add the firewall serial number in under GUI: Panorama>Managed Devices>Summary
On Panorama, commit the changes
On Panorama, import the configuration of the device in under GUI: Panorama>Setup>Operations>Import Device configuration to Panorama
On Panorama, commit after the import
On Panorama, push the configuration
On the firewall, you will notice the pushed configuration is marked as overridden settings in Network and Device (Template)

template pushed shown as overriden settings

On Panorama, push the configuration with a "Force Template"

"Force Template Values" should be use only when needed

On the firewall, the configuration is shown as pushed configuration

template pushed shown as pushed settings

This is the end of the phase 1 : importing the active firewall. We loaded successfully a template, and the firewall takes it.

Part 2 : Edit the template to use variable

Now that the template is working, let's check the blocking points to use the same template for multiple devices.

Hostname value is not pushed by Panorama

hostname setting not defined by Panorama

Management IP address is not pushed by Panorama

Management IP address not pushed by Panorama

HA configuration is pushed by Panorama

On the HA configuration pushed by Panorama, we will need to replace 2 settings:

The Peer HA1 IP Address
The device priority

If this is not done, the passive will receive the same IP address and device priority of that of active firewall.
To do this, Replace this values with a variable (a generic value which could be redefined for each device).

Peer HA1 IP Address

Open the Setup options of template in Panorama using GUI: Device > HIgh Availability > General >Setup. Ensure the correct template is selected

The Peer HA1 IP address need to be replaced

Delete the IP address in the Peer HA1 IP address field and you should see a new "Variable" option

A new menu appears. Define the name and the type of the variable and the default value of the variable.
The type of the variable is the type of entry this variable is supposed to get (an IP address, a text, an interface name...).

In this example, variable is defined with the IP address of the active firewall.

Note: If Dataplane interface is used for HA1 instead of the Management interface, then additional variable is needed, create variable for Dataplane interface.

Device priority:

Using the same procedure, Set the "Device Priority" under GUI: Device > HIgh Availability > General >Election Settings.

Once completed, Template HA configuration reflects these changes.

To validate the template stack is still working after adding those variables, commit and push to the active firewall.
If there are any errors, re-check the changes and correct the changes done on the templates.

Part 3 - Import of the passive firewall

Once the template is working fine after adding the variables. Passive firewall configuration should be imported into Panorama.

On the firewall, configure the IP address of the Panorama under GUI: Device>Setup>Management>Panorama Settings
On the firewall, disable the configuration synchronisation under GUI: Device>Setup>High Availability>Setup
On the firewall, commit the changes
On Panorama, add the firewall serial number under GUI: Panorama>Managed Devices>Summary
On Panorama, commit the changes
On Panorama, import the configuration of the device under GUI: Panorama>Setup>Operations>Import Device configuration to Panorama
On Panorama, commit after the import
On Panorama, push the configuration
On Panorama, move the passive firewall into the Device Group of the active firewall (GUI: Panorama > Device Groups > (ensure passive firewall is selected in the Device Group of active firewall)

On Panorama, move the passive firewall into the template stack of the active firewall ( GUI: Panorama > Templates> (ensure passive firewall is selected in the template stack of active firewall)

On Panorama GUI: Panorama > Managed Devices > Summary Page and click on the Create (Variable Column) associated to the passive firewall

Click on the "Create" link to set the value of the variables

On the Popup window, check the No and click on OK.

On the next popup window, there are 2 ways to define the value of each variable (if edit is not done, the firewall will receive the default value set at the variable creation):

Override: Here, Select the variable to set, click on Override and set the value as you want.

Get Values used on the device: Here Select the variable to set, click on Get value used on device.

On the new window, the local values set on the firewall appear for the selected variables, click on the variable you want to keep the value then click on "Override"

Choose the value you want to set as variable value

Once the values are set, click on Close.

On Panorama, commit the configuration.
On Panorama, push the configuration to the passive firewall.
On the firewall, you will notice the pushed configuration is marked as overridden settings in Network and Device (Template).
On Panorama, push the configuration with a "Force Template".
On the firewall, the configuration is shown as pushed configuration.

Part 4: Enabling Config Sync between HA Peer Firewalls.

Repeat these steps for both firewalls in the HA pair if you plan on maintaining a local configuration that needs to be synchronized.
Log in to the web interface on each firewall, select Device > High Availability >General, and edit the Setup section.
Select Enable Config Sync and click OK.
Commit the configuration changes on each firewall.

Additional Information

Panorama Administrator Guide - Variables

This how-to has been written with Panorama running on PAN-OS 9.0.4 and firewalls running on PAN-OS 8.1.11.