
Lab 4

Lesson 4/10 | Study Time: 120 Min

Tasks

1.1 Lab 1 must be completed before proceeding to Lab 4.

1.2 Create VLAN 172 and VLAN 100 on switch SW01. Assign interfaces Eth5/1, Eth1/1 and Eth3/2 to access VLAN 172, and interfaces Eth0/2, Eth1/2 and Eth3/3 to access VLAN 100.

1.3 On PaloAlto01, assign IP address 172.16.1.1/24 to interface Eth1/1 and IP address 100.0.0.1/24 to interface Eth1/2. Also assign IP address 1.1.1.1/29 to interface Eth1/5 and IP address 1.2.2.1/29 to interface Eth1/6.

1.4 On PaloAlto02, assign IP address 172.16.1.2/24 to interface Eth1/1 and IP address 100.0.0.2/24 to interface Eth1/2. Also assign IP address 1.1.1.2/29 to interface Eth1/5 and IP address 1.2.2.2/29 to interface Eth1/6.

1.5 Verify high availability by checking ping connectivity between Test-PC and Router-3.


Configuration and Verification

Configure switch SW01 for VLAN 172 and assign the interfaces.

 


Configure switch SW01 for VLAN 100 and assign the interfaces.



Now configure the interfaces of PaloAlto01 and assign IP addresses to them as shown in the screenshot. Click on the Network tab.



First create the zones as shown:



Click on the Add button.








Now configure the interface IP addresses on PaloAlto01.



Here we configure Ethernet1/1 with Interface Type: Layer 3, Virtual Router: default and Security Zone: Trust.




Here we configure Ethernet1/2 with Interface Type: Layer 3, Virtual Router: default and Security Zone: Untrust.





Click on interface Ethernet1/5 to modify its properties. Change the interface type to HA and click OK.

Note: Both interfaces connect PaloAlto01 and PaloAlto02 directly to each other, so we will use them for the failover configuration.







Repeat the same for Ethernet1/6.




Now click Commit to push this configuration to the device.



Now configure PaloAlto02 in the same way: first configure the zones, then the interfaces, and assign the IP addresses.

Configure the interfaces of PaloAlto02 and assign IP addresses to them as shown in the screenshot. Click on the Network tab, then click on Zones and create the zones Trust and Untrust.



Now configure interface Ethernet1/1 with Interface Type: Layer 3, Virtual Router: default, Security Zone: Trust.



Assign the IP address as shown below.



Now configure Ethernet1/2 with Interface Type: Layer 3, Virtual Router: default, Security Zone: Untrust.




Now configure interface Ethernet1/5 with Interface Type: HA.



Similarly, configure interface Ethernet1/6 with Interface Type: HA.



Now click Commit to push this configuration to the device.

Also create a policy under the Security section and name it Policy1. On the Source tab set the source to Any, and on the Destination tab set the destination to Any as well.



Then click OK and then Commit. This will allow traffic to move from Trust to Untrust.

Now go to the Device tab and choose High Availability from the options on the left.



Follow the steps below and configure the failover.






After completing the configuration up to this point, commit the changes.





Repeat the failover configuration on PaloAlto02 by going through the following steps.






Commit the changes to make them the running configuration.




Let us look at the options for monitoring the firewall and triggering failover when a critical component of the firewall or a connection fails, using the settings below.

You can put interfaces in a Link Group to monitor them; based on the status of those interfaces, failover can be triggered automatically.

Likewise, you can specify a destination IP address and monitor its reachability; if reachability is lost, failover can be triggered automatically.



In the Link Group section, click on Add.




To see the status of HA, use the option below; it is very helpful for managing and monitoring the firewall.



Here, in the High Availability widget, click on Sync with peer.

Remember: sync only from PaloAlto01; it will replicate all the configuration to PaloAlto02.

You don’t have to sync from PaloAlto02.




You can see a new tab next to Link and Path Monitoring named Operational Commands.



Here you can suspend the firewall from the GUI and trigger failover manually.





When you click on Suspend local device, the pop-up below opens with a warning. If you are sure about the failover, click OK; otherwise click Cancel.



After suspending the device, you will see the icon below, which re-enables HA on this firewall and makes it the standby firewall for the other, active firewall.





Configure Router R03

Assign IP address 100.0.0.10/24 to interface Ethernet0/0, disable routing with no ip routing, and set ip default-gateway 100.0.0.1.

Configure the Node 8 system (login password: uninets@123). Configure its interface with IP address 172.16.1.10/24.

Gateway: 172.16.1.1/24

Verification:

From Node 8:

ping 100.0.0.10



After communication succeeds, turn off PaloAlto01 or suspend it from the Operational Commands tab.

Here we can see that PaloAlto02 becomes Active and the peer state is unknown, because PaloAlto01 is down.



Then check connectivity again with ping 100.0.0.10. After a few dropped packets, communication is good to go!
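To put a number on the packet drops seen during this failover test, the following added example (not part of the original lab) parses a saved ping run and reports which probes were lost, how long the outage lasted, and whether traffic resumed. It assumes Node 8 produces Linux iputils-style ping output at one probe per second; the sample output and the function name analyze_failover are constructed for illustration.

```python
import re

# Constructed sample (not lab output): iputils-style ping from Node 8 to R03
# at one probe per second, with PaloAlto01 suspended after the third reply.
SAMPLE = """\
PING 100.0.0.10 (100.0.0.10) 56(84) bytes of data.
64 bytes from 100.0.0.10: icmp_seq=1 ttl=254 time=1.92 ms
64 bytes from 100.0.0.10: icmp_seq=2 ttl=254 time=1.71 ms
64 bytes from 100.0.0.10: icmp_seq=3 ttl=254 time=1.80 ms
64 bytes from 100.0.0.10: icmp_seq=8 ttl=254 time=2.41 ms
64 bytes from 100.0.0.10: icmp_seq=9 ttl=254 time=1.77 ms
64 bytes from 100.0.0.10: icmp_seq=10 ttl=254 time=1.69 ms

--- 100.0.0.10 ping statistics ---
10 packets transmitted, 6 received, 40% packet loss, time 9012ms
"""

REPLY = re.compile(r"bytes from ([\d.]+): icmp_seq=(\d+)")
SENT = re.compile(r"(\d+) packets transmitted")

def analyze_failover(ping_output, target, interval_s=1.0):
    """Summarise probe loss in one ping run that spans an HA failover."""
    answered = {int(seq) for ip, seq in REPLY.findall(ping_output) if ip == target}
    m = SENT.search(ping_output)
    sent = int(m.group(1)) if m else max(answered, default=0)
    # Walk probes 1..sent and collect runs of consecutive unanswered ones.
    runs, start = [], None
    for seq in range(1, sent + 1):
        if seq not in answered and start is None:
            start = seq
        elif seq in answered and start is not None:
            runs.append((start, seq - 1))
            start = None
    if start is not None:  # loss runs to the last probe: traffic never came back
        runs.append((start, sent))
    longest = max(runs, key=lambda r: r[1] - r[0], default=None)
    return {
        "sent": sent,
        "lost": sum(b - a + 1 for a, b in runs),
        "outage_seqs": longest,
        "outage_s": (longest[1] - longest[0] + 1) * interval_s if longest else 0.0,
        "recovered": bool(answered) and start is None,
    }

if __name__ == "__main__":
    print(analyze_failover(SAMPLE, "100.0.0.10"))
```

A result with recovered set to False means the standby never took over forwarding during the capture, which points back to the HA, zone or policy configuration on PaloAlto02.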

 


H.A. Active Standby Done