OCI HA setup update: the "Domain" construct introduced under Identity in the OCI console
Symptom
OCI has introduced a "Domain" construct under Identity. For VM-Series HA on OCI to work, the following must now exist:
- A domain under Identity
- A dynamic group inside that domain whose matching rule lists the instance IDs (OCIDs) of both firewalls
- A policy that allows the dynamic group in the domain to use instance-family and virtual-network-family resources
Without these, HA failover does not work: the secondary IP addresses do not move from the primary firewall to the secondary firewall.
Customers who follow the current document (https://docs.paloaltonetworks.com/vm-series/11-1/vm-series-deployment/set-up-the-vm-series-firewall-on-oracle-cloud-infrastructure/configure-activepassive-ha-on-oci) hit errors at Step 3, because the policy statements in that step do not reference the domain.
Environment
PA-VM firewalls in HA on OCI
Any PAN-OS version
Cause
OCI has introduced a "Domain" construct under Identity. Dynamic groups now live inside an identity domain, and a policy must reference the dynamic group by its domain-qualified name ('<domain name>'/'<dynamic_group_name>'). For HA in OCI to work, the following are required:
- A domain under Identity
- A dynamic group inside that domain with a matching rule for the firewall instance IDs
- A policy that allows the dynamic group in the domain to use instance-family and virtual-network-family resources
If the domain has not been created, or the policy granting the dynamic group in the domain access to instance-family and virtual-network-family resources is missing, the passive firewall cannot read its peer's VNIC attachments and logs errors such as:
2024-07-24 00:35:44.210 -0700 INFO: VHST_passive Http Error: 404 Client Error: Not Found for url: https://iaas.us-ashburn-1.oraclecloud.com/20160918/vnicAttachments?
2024-07-24 00:35:44.210 -0700 INFO: VHST_passive Moving Secondary IP failed - Not able to get Peer's VNIC attachments. Err: HttpError
The 404 comes from the OCI API call the firewall makes to list the peer's VNIC attachments; OCI reports an unauthorized request against a resource as Not Found rather than Forbidden, so a missing or mis-scoped policy surfaces as this error. Customers who follow the current document (https://docs.paloaltonetworks.com/vm-series/11-1/vm-series-deployment/set-up-the-vm-series-firewall-on-oracle-cloud-infrastructure/configure-activepassive-ha-on-oci) see these errors while working through Step 3.
Resolution
Per Step 3 A of the current document (https://docs.paloaltonetworks.com/vm-series/11-1/vm-series-deployment/set-up-the-vm-series-firewall-on-oracle-cloud-infrastructure/configure-activepassive-ha-on-oci): if no domain exists in OCI yet, create one under Identity > Domains before creating the dynamic group.
On the OCI console:
- Go to Identity & Security and select Domains under Identity.
- Click Create domain, give it a display name and select the compartment.
- Continue from Step 3 A of the document (https://docs.paloaltonetworks.com/vm-series/11-1/vm-series-deployment/set-up-the-vm-series-firewall-on-oracle-cloud-infrastructure/configure-activepassive-ha-on-oci) to create the dynamic group inside the domain and add the matching rules.
- Change Step 3-B-3 from:
  Allow dynamic-group <dynamic_group_name> to use virtual-network-family in compartment <compartment_name>
  to:
  Allow dynamic-group '<domain name>'/'<dynamic_group_name>' to use virtual-network-family in compartment <compartment_name>
- Change Step 3-B-5 from:
  Allow dynamic-group <dynamic_group_name> to use instance-family in compartment <compartment_name>
  to:
  Allow dynamic-group '<domain name>'/'<dynamic_group_name>' to use instance-family in compartment <compartment_name>
Sample snippet of policies
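The following is an added helper, not code from Palo Alto Networks or Oracle, that ties the resolution steps together: it builds the dynamic-group matching rule and the two domain-qualified policy statements, flags policy statements that still use the old unqualified dynamic-group name, and recognises the "Moving Secondary IP failed" / 404 vnicAttachments pattern in the PAN-OS log lines quoted in the Cause section. The domain name "Default", the group name "pa-ha-dg", the compartment name and the instance OCIDs are placeholders chosen for the example.

```python
import re

# The two PAN-OS HA log lines from the Cause section of this article, embedded
# here as sample input so the detector can be run offline.
SAMPLE_LOG = """\
2024-07-24 00:35:44.210 -0700 INFO: VHST_passive Http Error: 404 Client Error: Not Found for url: https://iaas.us-ashburn-1.oraclecloud.com/20160918/vnicAttachments?
2024-07-24 00:35:44.210 -0700 INFO: VHST_passive Moving Secondary IP failed - Not able to get Peer's VNIC attachments. Err: HttpError
"""

VNIC_404 = re.compile(r"404 Client Error: Not Found for url: \S*/vnicAttachments")
MOVE_FAILED = re.compile(r"Moving Secondary IP failed - Not able to get Peer's VNIC attachments")


def detect_vnic_attachment_failure(log_text: str) -> bool:
    """True when the log shows the symptom described in this article: the
    firewall's call to list the peer's VNIC attachments came back 404 and the
    secondary IP float failed as a result."""
    lines = log_text.splitlines()
    saw_404 = any(VNIC_404.search(line) for line in lines)
    saw_fail = any(MOVE_FAILED.search(line) for line in lines)
    return saw_404 and saw_fail


def dynamic_group_rule(instance_ocids) -> str:
    """Matching rule for the dynamic group created inside the identity domain.
    OCI's rule syntax lists the instance OCIDs of both firewalls:
    Any {instance.id = '<ocid>', instance.id = '<ocid>'}"""
    parts = ", ".join(f"instance.id = '{ocid}'" for ocid in instance_ocids)
    return "Any {" + parts + "}"


def ha_policy_statements(domain: str, group: str, compartment: str):
    """The corrected Step 3-B-3 and 3-B-5 statements. The dynamic group is
    referenced as '<domain name>'/'<dynamic_group_name>' as the article requires."""
    subject = f"dynamic-group '{domain}'/'{group}'"
    return [
        f"Allow {subject} to use virtual-network-family in compartment {compartment}",
        f"Allow {subject} to use instance-family in compartment {compartment}",
    ]


# Matches an "Allow dynamic-group X ..." statement whose subject is NOT written
# in the 'domain'/'group' form (the old pre-domain syntax from the doc).
UNQUALIFIED = re.compile(r"^\s*allow\s+dynamic-group\s+(?!'[^']+'/')", re.IGNORECASE)


def unqualified_statements(statements):
    """Return the policy statements that still reference the dynamic group
    without the identity-domain qualifier, i.e. the ones that need changing."""
    return [s for s in statements if UNQUALIFIED.search(s)]


if __name__ == "__main__":
    # Placeholder OCIDs and names for the example; substitute your own.
    print(dynamic_group_rule(["ocid1.instance.oc1..aaa", "ocid1.instance.oc1..bbb"]))
    for stmt in ha_policy_statements("Default", "pa-ha-dg", "fw-compartment"):
        print(stmt)
    old = ["Allow dynamic-group pa-ha-dg to use instance-family in compartment fw-compartment"]
    print("needs domain qualifier:", unqualified_statements(old))
    print("symptom present in sample log:", detect_vnic_attachment_failure(SAMPLE_LOG))
```

Run the script as-is to see the rule and statements it produces; feed your existing policy text to unqualified_statements() to find statements still written the old way, and point detect_vnic_attachment_failure() at the firewall's HA log to confirm the failure matches the one this article describes before changing policies.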
Additional Information
https://docs.paloaltonetworks.com/vm-series/11-1/vm-series-deployment/set-up-the-vm-series-firewall-on-oracle-cloud-infrastructure/configure-activepassive-ha-on-oci
https://www.youtube.com/watch?v=2e7czJanMTQ