Firewall Configuration HA - Step by Step

Uploaded by mba1130feb2024

Firewall Configurations

Tenancy: megacloud
OCID: ocid1.tenancy.oc1..aaaaaaaatgtslloqpdwk7nv7iv2c2chxatffhb3de2xbuflzi5axx2endtpa

Compartment: MegaCloud (root) / Mega_Cloud_Producao


OCID: ocid1.compartment.oc1..aaaaaaaamyginuhxlpqclaoxivxllarrcfnoualjrctapxn76yt6afvlg67q
Region: sa-saopaulo-1

VCN: Firewall_VCN
OCID: ocid1.vcn.oc1.sa-saopaulo-1.amaaaaaa2ooongyaotldfrwwfru2g47sopjjwja7n673udprley4h5edulaa

Servers Details:

Primary Server: OCMEGPANFW01


OCID: ocid1.instance.oc1.sa-saopaulo-1.antxeljr2ooongyczl4qz3cz3ofcu44bcr4szw4253ry3ejbgra7sgjxyx2a

VNICs:
VNIC: OCMEGPANFW01 (Primary VNIC) – 192.168.0.10
OCID: ocid1.vnic.oc1.sa-saopaulo-1.abtxeljrdecvyttwd7gvn7y6uqz7keyrf35kej3gpsnqvc236ya4p7tn2j7a

VNIC: OCMEGPANFW01_HA Subnet - ha-subnet – 192.168.10.10
OCID: ocid1.vnic.oc1.sa-saopaulo-1.abtxeljrco2q4ocob3unohbfyql6schr4htj2a3to7cf473ieijkhooblm2q

VNIC: OCMEGPANFW01_TRUST Subnet - trust-subnet – 192.168.2.10
OCID: ocid1.vnic.oc1.sa-saopaulo-1.abtxeljrh4cxdqaoqykshydpldbhgyqkpxmj5hkambnno3qg7zidexzcilga
IP ADDRESS: 192.168.2.10 (PRIMARY)
192.168.2.30

VNIC: OCMEGPANFW01_UNTRUST Subnet - untrust_subnet – 192.168.1.10
OCID: ocid1.vnic.oc1.sa-saopaulo-1.abtxeljrhi2cd25edhkwbfki6eq6k7w3dw2g7hcp6lzly65nmjldiynynhbq

Private IP Address          Public IP Address             OCID
192.168.1.10 (Primary IP)   (Not Assigned)                ocid1.privateip.oc1.sa-saopaulo-1.abtxeljrzbx2lylrertpsv552ez427mgpo3z7nbp33bayvh4gbxvxyg5oe3a
192.168.1.30                129.151.37.105 (Reserved)     ocid1.privateip.oc1.sa-saopaulo-1.aaaaaaaabhdxp5en2fq2w3fxyptldusxdad6jphfauyodazxww3mpl3zd64q
192.168.1.31                144.22.183.103 (Reserved)     ocid1.privateip.oc1.sa-saopaulo-1.aaaaaaaay5uuhg4yhirzl4fymoeltr33dgxoqksu4lazybyhixnvoaadxvvq
192.168.1.32                144.22.237.116 (Reserved)     ocid1.privateip.oc1.sa-saopaulo-1.aaaaaaaa7fvxei5tcbuai7lnqra3ugerha3rig3v7bv33hv5nyoeykhqzeya
192.168.1.33                144.22.195.11 (Reserved)      ocid1.privateip.oc1.sa-saopaulo-1.aaaaaaaaahfxpolsow5ijlrmvps2qu6uh4hk2skz4ehbu74tssqfi7xc2prq
192.168.1.34                168.138.125.182 (Reserved)    ocid1.privateip.oc1.sa-saopaulo-1.aaaaaaaahaaibe2db2v24tw5wn7jkeirohv2nl64255yabevbi4wfzgxzscq
192.168.1.35                132.226.245.47 (Reserved)     ocid1.privateip.oc1.sa-saopaulo-1.aaaaaaaanvfjcd3q7lj4rfqsa5uj2w7gnrnkwbhsr6rhecim5m5vxql2j2aa
192.168.1.36                152.67.51.171 (Reserved)      ocid1.privateip.oc1.sa-saopaulo-1.aaaaaaaapdedxlfth36ts7chn4atpsixljesgm2gl4x2db3mikvxdsdmtw6q
192.168.1.37                144.22.254.105 (Reserved)     ocid1.privateip.oc1.sa-saopaulo-1.aaaaaaaapcut3rmy7yr2w2vlv7mkhpvl56pevifrnya7frtbm3m7sti7bkwa
192.168.1.38                129.159.49.167 (Reserved)     ocid1.privateip.oc1.sa-saopaulo-1.aaaaaaaa26hrg5nhybypyk4scmysolmo4xcphka2a43i6qxdd4qm4qafrbaa
192.168.1.39                150.230.70.117 (Reserved)     ocid1.privateip.oc1.sa-saopaulo-1.aaaaaaaaqyw6xwfzrywbk5urogu7zrnteptshln6oco6r2cbsy7bzh2du2xq
192.168.1.40                152.70.211.102 (Reserved)     ocid1.privateip.oc1.sa-saopaulo-1.aaaaaaaaq6gzlwloc6pi3i7nqahlrxthrcixtefnndqygzmsyxbkidb7mi4q
192.168.1.41                168.138.238.161 (Reserved)    ocid1.privateip.oc1.sa-saopaulo-1.aaaaaaaaguu4uldesfporjc3wdon27yksq7oxy22oting4co6kilf6qpmevq
192.168.1.42                168.138.138.33 (Reserved)     ocid1.privateip.oc1.sa-saopaulo-1.aaaaaaaab57vcnkhtqq77zjqrtqaguacnuguhitjmb3oytr7nw4qskgpe5qq
192.168.1.43                144.22.133.42 (Reserved)      ocid1.privateip.oc1.sa-saopaulo-1.aaaaaaaa6tcakrteugcfo3t4um4eda3keuq2pjqk5hpgna6rtmhqspfkem3a
192.168.1.44                144.22.202.219 (Reserved)     ocid1.privateip.oc1.sa-saopaulo-1.aaaaaaaajihjrheolwwuh4i7f7j7mvw2xomsbfc6hxixmxbfmivwbppqcifa
192.168.1.45                144.22.234.217 (Reserved)     ocid1.privateip.oc1.sa-saopaulo-1.aaaaaaaa6s3wvkjuo6lstskrah6uf72hnplqtwsfz2vjnb3boqc6tu5nxbyq
192.168.1.46                144.22.145.144 (Reserved)     ocid1.privateip.oc1.sa-saopaulo-1.aaaaaaaalir53qj4xfehblg3drmtbauh2smni3d2qoh5ybe53a37vvck4nlq
192.168.1.47                144.22.169.161 (Reserved)

Standby Server: OCMEGPANFW02


OCID: ocid1.instance.oc1.sa-saopaulo-1.antxeljr2ooongyc6b6kkgweoo4rykgxpgpnqakewvb5dzkb4oiws45qmp7a

VNIC:
VNIC: OCMEGPANFW02 (Primary VNIC) Subnet - management-subnet – 192.168.0.20
OCID: ocid1.vnic.oc1.sa-saopaulo-1.abtxeljr6ru2kkzbrp4hghyfkhsndc7vkpe5xymqz57jk62evcky2q5akw3a
VNIC: OCMEGPANFW02_HA Subnet - ha-subnet – 192.168.10.20
OCID: ocid1.vnic.oc1.sa-saopaulo-1.abtxeljrznyxmz4giiyau7c5qomumrz7m6xzvz4bawcgbgcddw2hxs2jsbsa

VNIC: OCMEGPANFW02_TRUST Subnet - trust-subnet – 192.168.2.20


OCID: ocid1.vnic.oc1.sa-saopaulo-1.abtxeljr6bltv6a6oxbxkwlxcox57vfuayk2ikwg45zxtruwpyfe6znpkfva

VNIC: OCMEGPANFW02_UNTRUST Subnet - untrust_subnet – 192.168.1.20
OCID: ocid1.vnic.oc1.sa-saopaulo-1.abtxeljrj7lbf23mgqjbfmitpg5da6krdg2ohtc2su2qun7oxybyo7ikc7oa

Configure Active/Passive HA on OCI
https://docs.paloaltonetworks.com/vm-series/10-2/vm-series-deployment/set-up-the-vm-series-firewall-on-oracle-cloud-infrastructure/configure-activepassive-ha-on-oci
Step 1: Deploy the VM-Series Firewall from the Oracle Cloud Marketplace and set up the network interfaces for HA.

1 - (Optional) Configure a dedicated HA1 interface on each HA peer: not configured

2 - Configure an HA2 interface on each HA peer:

VNIC: OCMEGPANFW01_HA Subnet - ha-subnet – 192.168.10.10
OCID: ocid1.vnic.oc1.sa-saopaulo-1.abtxeljrco2q4ocob3unohbfyql6schr4htj2a3to7cf473ieijkhooblm2q
VNIC: OCMEGPANFW02_HA Subnet - ha-subnet – 192.168.10.20
OCID: ocid1.vnic.oc1.sa-saopaulo-1.abtxeljrznyxmz4giiyau7c5qomumrz7m6xzvz4bawcgbgcddw2hxs2jsbsa

3 - Add a secondary IP address to your dataplane interfaces on the active peer.

Step 2: Create security rules to allow the HA peers to synchronize data and maintain state information. By default, OCI allows ICMP traffic only. You must open the necessary HA ports.

2.1 - Open the ports for your HA1 interface:


Note: As reported, the HA1 interface was not created in the Mega environment, nor does it exist in the diagram. The settings below were applied on the HA interface.

1. From the OCI Console, select Networking > Virtual Cloud Networks and select your VCN.
2. Select Subnets and select the subnet containing your HA1 interface.
3. Select Security Lists and click the default security list to edit it.
4. Click Add Ingress Rule.
5. Enter the Source CIDR that includes the HA peer HA1 port IP address.
6. Select TCP from the IP Protocol drop-down.
7. Click +Additional Ingress Rule. You need to create two additional rules for TCP ports 28260 and 28769.
8. If encryption is enabled on your VM-Series firewall for the HA1 link, create additional rules for ICMP and TCP port 28.

Configuration:

2.2 - Open the ports for your HA2 interface:

1. From the OCI Console, select Networking > Virtual Cloud Networks and select your VCN.
2. Select Subnets and select the subnet containing your HA2 interface. Select Security Lists and click the default security list to edit it.
3. Click Add Ingress Rule.
4. Enter the Source CIDR that includes the HA peer HA2 port IP address.
5. Select UDP or IP from the IP Protocol drop-down.
6. If the transport mode is UDP, enter 29281 into Source Port Name. If the transport mode is IP, enter 99 into Source Port Name.
7. Click Add Ingress Rules.
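The rule set from steps 2.1 and 2.2 as an added, runnable example (not part of this document and not a Palo Alto or Oracle tool): it builds the ingress rules as the camelCase JSON objects the OCI CLI and API accept for a security list, with the source narrowed to each HA peer's own /32 from the inventory above rather than a wide CIDR; the function and constant names are this example's own.

```python
import json

# Ports from steps 2.1 and 2.2. HA1 (control link) uses TCP; TCP/28 and ICMP are
# only needed when HA1 encryption is enabled. HA2 (data link) uses UDP with
# source port 29281, or IP protocol 99 when the transport mode is IP.
HA1_TCP_PORTS = (28260, 28769)
HA1_ENCRYPTED_TCP_PORT = 28
HA2_UDP_SOURCE_PORT = 29281
HA2_IP_PROTOCOL = "99"


def _rule(protocol, source, **options):
    """One ingress rule in the JSON shape used by the OCI CLI/API (stateful)."""
    return {"protocol": protocol, "source": source, "sourceType": "CIDR_BLOCK",
            "isStateless": False, **options}


def build_ha_ingress_rules(peer_cidr, ha1_encrypted=False, ha2_transport="udp"):
    """Ingress rules admitting HA traffic from the peer at peer_cidr.
    Use the peer's /32 so only the HA partner can reach these ports."""
    if ha2_transport not in ("udp", "ip"):
        raise ValueError("HA2 transport must be 'udp' or 'ip' (Ethernet is not supported)")
    rules = []
    # Step 2.1: HA1 control-link TCP ports (destination ports on the peer)
    ports = list(HA1_TCP_PORTS) + ([HA1_ENCRYPTED_TCP_PORT] if ha1_encrypted else [])
    for port in ports:
        rules.append(_rule("6", peer_cidr,
                           tcpOptions={"destinationPortRange": {"min": port, "max": port}}))
    if ha1_encrypted:
        rules.append(_rule("1", peer_cidr))  # ICMP, paired with TCP/28
    # Step 2.2: HA2 data link, keyed on the source port the document specifies
    if ha2_transport == "udp":
        rng = {"min": HA2_UDP_SOURCE_PORT, "max": HA2_UDP_SOURCE_PORT}
        rules.append(_rule("17", peer_cidr, udpOptions={"sourcePortRange": rng}))
    else:
        rules.append(_rule(HA2_IP_PROTOCOL, peer_cidr))
    return rules


def rules_for_both_peers(peer_a, peer_b, **kw):
    """One security list covers the whole ha-subnet, so it needs a rule set for
    traffic originating from each peer."""
    return build_ha_ingress_rules(peer_a, **kw) + build_ha_ingress_rules(peer_b, **kw)


if __name__ == "__main__":
    # HA VNIC addresses of OCMEGPANFW01 and OCMEGPANFW02 from this document
    rules = rules_for_both_peers("192.168.10.10/32", "192.168.10.20/32", ha1_encrypted=True)
    print(json.dumps(rules, indent=2))
```

The printed list can be saved to a file and passed to the OCI CLI as the ingress rules of the security list update, replacing the console clicks above.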

Configuration:
STEP 3: Add both HA peers to a dynamic group and create a policy that allows the HA peers to move the floating IP address. You must have the OCID of each HA peer instance to build the dynamic group matching rules, so have those on hand to paste into the rule builder.

3.1 - Create the dynamic group:


1. From the OCI Console, select Identity > Dynamic Groups > Create Dynamic Group.
2. Enter a descriptive Name for your dynamic group. Click Rule Builder.
3. Select Any of the following rules from the first drop-down.
4. Select Match instances with ID: from the Attributes drop-down and paste one of the peer OCIDs into the Value field.
5. Click +Additional Line.
6. Select Match instances with ID: from the Attributes drop-down and paste the other peer OCID into the Value field.
7. Click Add Rule.

9. Click Create Dynamic Group.

Configuration:

Rule:
Any {instance.id = 'ocid1.instance.oc1.sa-saopaulo-1.antxeljr2ooongyczl4qz3cz3ofcu44bcr4szw4253ry3ejbgra7sgjxyx2a', instance.id = 'ocid1.instance.oc1.sa-saopaulo-1.antxeljr2ooongyc6b6kkgweoo4rykgxpgpnqakewvb5dzkb4oiws45qmp7a'}
3.2 - Create the policy rule.

1. From the OCI Console, select Identity > Policies > Create Policy.
2. Enter a descriptive Name for your policy.
3. Enter the first policy statement:
Allow dynamic-group <dynamic_group_name> to use virtual-network-family in compartment <compartment_name>
4. Click +Another Statement.
5. Enter the second policy statement:
Allow dynamic-group <dynamic_group_name> to use instance-family in compartment <compartment_name>
6. Click Create.


Configuration:
Policy: Allow dynamic-group HA_PALOALTO to use virtual-network-family in compartment Mega_Cloud_Producao
Policy: Allow dynamic-group HA_PALOALTO to use instance-family in compartment Mega_Cloud_Producao

STEP 4: Configure the interfaces on the firewall. You must configure the HA2 data link and at least two Layer 3
interfaces for your untrust and trust interfaces. Complete this workflow on the first HA peer and then repeat the steps
on the second HA peer.

4.1 - Log in to the firewall web interface.

4.2 - (Optional) If you are using the management interface as HA1, you must set the interface IP Type to static and
configure a DNS server.
Not configured.

4.3 Select Network > Interfaces > Ethernet and click on your untrust interface. In this example, the HA2 interface is ethernet 1/1, the trust interface is ethernet 1/2, and the untrust interface is ethernet 1/3.

4.4 Click the link for ethernet 1/1 and configure as follows: Interface Type: HA

4.5 Click the link for ethernet 1/2 and configure as follows:

Interface Type : Layer3


On the Config tab, assign the interface to the default router.
On the Config tab, expand the Security Zone drop-down and select New Zone. Define a new zone, for example trust-zone, and then click OK.
On the IPv4 tab, select Static.
Click Add in the IP section and enter the primary IP address and network mask for the interface. Make sure that the IP address matches the IP address that you assigned to the corresponding subnet in the VCN. For example, if you add this interface to your trust zone, make sure you assign the trust vNIC IP address configured in your VCN.
Click Add in the IP section and enter the secondary, floating IP address and network mask.

PRIMARY IP MISSING.
IP ADDRESS: 192.168.2.10 (PRIMARY)
192.168.2.30

4.6 Click the link for ethernet 1/3 and configure as follows:

Interface Type: Layer3


On the Config tab, assign the interface to the default router.
On the Config tab, expand the Security Zone drop-down and select New Zone. Define a new zone, for example untrust-zone, and then click OK.
On the IPv4 tab, select Static.
Click Add in the IP section and enter the primary IP address and network mask for the interface. Make sure that the IP address matches the IP address that you assigned to the corresponding subnet in the VCN. For example, if you add this interface to your untrust zone, make sure you assign the untrust vNIC IP address configured in your VCN.
Click Add in the IP section and enter the secondary, floating IP address and network mask.

CORRECT IP: 192.168.1.10 + SECONDARY IPs

STEP 5: Enable HA.

5.1 - Select Device > High Availability > General.

5.2 Edit the Setup settings.

5.3 Enter the private IP address of the passive peer in the Peer HA1 IP address field.

5.4 Click OK.
5.6 (Optional) Edit the Control Link (HA1). If you do not plan to use the management interface for the control link and have added an additional interface (for example ethernet 1/4), edit this section to select the interface to use for HA1 communication. – not configured

5.7 Edit the Data Link (HA2) to use Port ethernet 1/1 and add the IP address of the active peer and the Gateway IP address for the subnet.

5.8 Select IP or UDP from the Transport drop-down. Ethernet is not supported.

5.9 Click OK.

STEP 6: Commit.

STEP 7: Repeat step 4 and step 5 on the passive HA peer.

7.3 - Select Network > Interfaces > Ethernet and click on your untrust interface. In this example, the HA2 interface is ethernet 1/1, the trust interface is ethernet 1/2, and the untrust interface is ethernet 1/3.

7.4 Click the link for ethernet 1/1 and configure as follows: Interface Type: HA

7.5 Click the link for ethernet 1/2 and configure as follows:

Interface Type : Layer3


On the Config tab, assign the interface to the default router.
On the Config tab, expand the Security Zone drop-down and select New Zone. Define a new zone, for example trust-zone, and then click OK.
On the IPv4 tab, select Static.
Click Add in the IP section and enter the primary IP address and network mask for the interface. Make sure that the IP address matches the IP address that you assigned to the corresponding subnet in the VCN. For example, if you add this interface to your trust zone, make sure you assign the trust vNIC IP address configured in your VCN.
Click Add in the IP section and enter the secondary, floating IP address and network mask.

PRIMARY IP MISSING: 192.168.2.20

7.6 Click the link for ethernet 1/3 and configure as follows:
Interface Type: Layer3
On the Config tab, assign the interface to the default router.
On the Config tab, expand the Security Zone drop-down and select New Zone. Define a new zone, for example untrust-zone, and then click OK.
On the IPv4 tab, select Static.
Click Add in the IP section and enter the primary IP address and network mask for the interface. Make sure that the IP address matches the IP address that you assigned to the corresponding subnet in the VCN. For example, if you add this interface to your untrust zone, make sure you assign the untrust vNIC IP address configured in your VCN.
Click Add in the IP section and enter the secondary, floating IP address and network mask.

INCORRECT IP:
VNIC: OCMEGPANFW02_UNTRUST Subnet - untrust_subnet – 192.168.1.20 + SECONDARY IPs
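Steps 4 and 7 both record interface IPs on the firewalls that did not match the vNICs in the VCN (a missing primary IP on ethernet 1/2 of each peer, and the wrong primary on ethernet 1/3 of the standby). The check below is an added example, not part of this document and not a Palo Alto or Oracle tool: the vNIC inventory is taken from the addresses listed above (the untrust secondary IPs abridged to two), and the firewall interface configuration is constructed to reproduce those findings.

```python
import ipaddress

# vNIC inventory from this document: interface -> (primary IP, floating IPs that
# move on failover). Abridged: only two of the untrust secondary IPs are kept.
VNIC_INVENTORY = {
    "OCMEGPANFW01": {
        "ethernet1/2": ("192.168.2.10", {"192.168.2.30"}),
        "ethernet1/3": ("192.168.1.10", {"192.168.1.30", "192.168.1.31"}),
    },
    "OCMEGPANFW02": {
        "ethernet1/2": ("192.168.2.20", {"192.168.2.30"}),
        "ethernet1/3": ("192.168.1.20", {"192.168.1.30", "192.168.1.31"}),
    },
}

# Constructed interface configuration (what was entered on each IPv4 tab),
# built to reproduce the findings of steps 4 and 7 in this document.
FIREWALL_CONFIG = {
    "OCMEGPANFW01": {
        "ethernet1/2": ["192.168.2.30/24"],
        "ethernet1/3": ["192.168.1.10/24", "192.168.1.30/24", "192.168.1.31/24"],
    },
    "OCMEGPANFW02": {
        "ethernet1/2": ["192.168.2.30/24"],
        "ethernet1/3": ["192.168.1.10/24", "192.168.1.30/24", "192.168.1.31/24"],
    },
}


def check_interface(firewall, iface, configured):
    """Return findings for one Layer 3 interface; an empty list means it matches."""
    primary, floating = VNIC_INVENTORY[firewall][iface]
    addrs = {str(ipaddress.ip_interface(a).ip) for a in configured}
    findings = []
    if primary not in addrs:
        findings.append(f"{firewall} {iface}: primary IP {primary} missing")
    for ip in sorted(floating - addrs):
        findings.append(f"{firewall} {iface}: floating IP {ip} missing")
    for ip in sorted(addrs - {primary} - floating):
        findings.append(f"{firewall} {iface}: {ip} is not assigned to this vNIC")
    return findings


def audit(config=FIREWALL_CONFIG):
    """Audit every interface of every peer; a consistent deployment returns []."""
    return [f for fw, ifaces in sorted(config.items())
            for iface, ips in sorted(ifaces.items())
            for f in check_interface(fw, iface, ips)]


if __name__ == "__main__":
    print("\n".join(audit()) or "all interfaces match the vNIC inventory")
```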

STEP 8: After you finish configuring HA on both firewalls, verify that the firewalls are paired in active/passive HA.

8.1 Access the Dashboard on both firewalls and view the High Availability widget.

8.2 On the active HA peer, click Sync to peer.

8.3 Confirm that the firewalls are paired and synced.

8.3.1 On the passive firewall: the state of the local firewall should display Passive and the Running Config should show as Synchronized.
8.3.2 On the active firewall: the state of the local firewall should display Active and the Running Config should show as Synchronized.
