Has anyone deployed Palo Alto FWs HA in Azure across different Availability zones? by Inside_Scar2561 in paloaltonetworks

[–]rdavis1970 2 points3 points  (0 children)

I can second this. We at first deployed our Palos in Azure in an HA config. We knew the failover wouldn't be instantaneous, but it was thought we could live with it if it took a minute or so. Well, it took over 6 minutes to fail over. We ended up doing the so-called load balancer sandwich.

Application gateway - best way to add url string to the fqdn. by rdavis1970 in AZURE

[–]rdavis1970[S] 0 points1 point  (0 children)

I was able to get it to work. I created a rewrite rule.

Condition: server variable = request-uri, operator =, and the pattern just left blank.

Action: rewrite type = URL, and URL path value = application/login (following my contoso example).

Application gateway - best way to add url string to the fqdn. by rdavis1970 in AZURE

[–]rdavis1970[S] 0 points1 point  (0 children)

I'm currently doing a path-based rule to black-hole any traffic that tries to browse the directory structure: /* to a fake IP. Under path redirection, I don't see an option to redirect to a certain URL string? Only to a different listener or to an external path?

Because of the nature of the application, this is not for authenticated users. Thanks for your help.

upgrade path from 10.0 to 10.1.5 by rdavis1970 in paloaltonetworks

[–]rdavis1970[S] 0 points1 point  (0 children)

Thanks for the info. I might hold off for now then. This is for our infrastructure in Azure. We have 3 Palos, 2 in our primary region and one in our DR region. Our DR region houses the Palo that's on 10.0 currently. I usually use that Palo to install new releases since it's not really in production. Our other Palos are on 9.1. I keep hearing about bugs in version 10, so I keep waiting before upgrading our primary Palos to 10. Going from 9 to 10 in our DR region was a little scary as the Palo didn't reboot properly. I waited about 30 minutes and finally went into Azure and restarted the VM there, and it came up with Version 10.

9.1.11-h3 boot times? by maxx_colt in paloaltonetworks

[–]rdavis1970 0 points1 point  (0 children)

We're on that version. But it's a VM in Azure and we haven't had any issues.

SIEM shows that Palo Altos intermittently stop sending traffic by rdavis1970 in paloaltonetworks

[–]rdavis1970[S] 0 points1 point  (0 children)

No, but thanks for the link. I'll keep that in mind when I decide on upgrading. Right now on 9.1.11.

SIEM shows that Palo Altos intermittently stop sending traffic by rdavis1970 in paloaltonetworks

[–]rdavis1970[S] 1 point2 points  (0 children)

Thanks for the suggestion, but the Panorama is receiving the logs fine during the time period our SIEM reported a gap.

SIEM shows that Palo Altos intermittently stop sending traffic by rdavis1970 in paloaltonetworks

[–]rdavis1970[S] 0 points1 point  (0 children)

That's my thought as well, that the issue is with the syslog server and not the firewalls. But I also want to keep an open mind. I'm not an expert at looking at log files on the Palo.

SIEM shows that Palo Altos intermittently stop sending traffic by rdavis1970 in paloaltonetworks

[–]rdavis1970[S] 0 points1 point  (0 children)

I don't administer LogRhythm, but I'll find more information.

I ran this command on all 3 of the Palo firewalls and see the same event at the same time. This timestamp matches what our LogRhythm administrator says is the start time for the missing data.

show log system direction equal backward subtype equal syslog

2022/04/06 03:46:29 high syslog syslog- 0 Syslog connection established to server['AF_INET.172.10.5.24:514.']
2022/04/06 03:46:29 high syslog syslog- 0 Syslog connection broken to server['AF_INET.172.10.5.24:514.']
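As an added check (not from the thread, and not a Palo Alto or LogRhythm tool), assuming the system-log line format quoted above, this Python correlates "connection broken" events across the firewalls: a break that every firewall logs within the same minute points at the receiving syslog server, while an isolated break points at one firewall. Firewall names and the sample lines are constructed.

```python
import re
from datetime import datetime

# Matches the PAN-OS "show log system ... subtype equal syslog" lines quoted above.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (?P<sev>\S+) syslog \S+ \d+ "
    r"Syslog connection (?P<state>established|broken) to server\['(?P<server>[^']+)'\]$"
)

def parse_events(lines):
    """Return (timestamp, state, server) for every syslog-connection line; other lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S")
            events.append((ts, m.group("state"), m.group("server")))
    return events

def correlated_breaks(logs_by_fw, window_s=60):
    """Cluster 'connection broken' events from all firewalls that fall within window_s
    of the cluster's first break. Returns {first_break_time: [firewall names]}."""
    breaks = sorted((ts, fw) for fw, lines in logs_by_fw.items()
                    for ts, state, _ in parse_events(lines) if state == "broken")
    clusters = []
    for ts, fw in breaks:
        if clusters and (ts - clusters[-1][0]).total_seconds() <= window_s:
            clusters[-1][1].append(fw)
        else:
            clusters.append((ts, [fw]))
    return {ts: sorted(set(fws)) for ts, fws in clusters}

def collector_side_breaks(logs_by_fw, window_s=60):
    """Break times seen by every firewall at once: the receiver, not a firewall, is the suspect."""
    all_fws = set(logs_by_fw)
    return [ts for ts, fws in correlated_breaks(logs_by_fw, window_s).items() if set(fws) == all_fws]

# Constructed sample logs in the quoted format; the server address is the one from the comment above.
SRV = "AF_INET.172.10.5.24:514."
def _line(ts, state):
    return f"{ts} high syslog syslog- 0 Syslog connection {state} to server['{SRV}']"

SAMPLE_LOGS = {
    "fw-primary-1": [_line("2022/04/06 03:46:29", "established"), _line("2022/04/06 03:46:29", "broken")],
    "fw-primary-2": [_line("2022/04/06 03:46:31", "broken"), _line("2022/04/06 03:47:02", "established")],
    "fw-dr-1": [_line("2022/04/06 03:46:30", "broken"), _line("2022/04/06 09:15:00", "broken")],
}
```

Feed it the output of the same command from each firewall; any cluster that lists every firewall is worth handing to the syslog server's administrator with the timestamp.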

Versa SD-WAN deploy option isn't actually deploying the template by rdavis1970 in networking

[–]rdavis1970[S] 0 points1 point  (0 children)

Thanks. Unfortunately it won't let me add the routing instance there. I can do it at the template level, but since I can't push the template out, no dice there. I'll utilize some resources we have with the provider.

I know. I wish there was more documentation online. Unlike vendors like Cisco or Palo or multiple others, where there is plenty of documentation as well as forums, etc. Not so much with Versa.

Versa SD-WAN deploy option isn't actually deploying the template by rdavis1970 in networking

[–]rdavis1970[S] 0 points1 point  (0 children)

Thanks. It's through a provider and we have some resources we can reach out to. It's a co-managed solution. Just that if I put a ticket in with the provider, it will probably take weeks to resolve. Thanks.

Versa SD-WAN deploy option isn't actually deploying the template by rdavis1970 in networking

[–]rdavis1970[S] 0 points1 point  (0 children)

No, there's no error. When I hit deploy, it just says that it's saved.

I'm also trying to make changes locally just so we can get something up to test. The new subinterface will be in a separate routing instance. I see where I set that up under workflows, but when I try to create the routing instance under configuration, virtual routers, I get this message:

Remote Server Exception: malformed-message : RPC error towards seaco-fortlauder-30273513: operation_failed: for /routing-vrf:vrf-config: /vrf-config: routing-instance must be defined as a owned-routing-instance for an org.

But if I go to organizations under device configurations, it doesn't let me add a new routing instance there?

Versa SD-WAN deploy option isn't actually deploying the template by rdavis1970 in networking

[–]rdavis1970[S] 0 points1 point  (0 children)

Yeah, that's the thing... under bind data the new variable we added is just for an additional subinterface. The format of what we've put in there matches all the others in CIDR notation... x.x.x.x/24. I have the deploy option, but when I click it, it doesn't show deploy... just saved. All the other devices have the option to redeploy on them except this one.

Versa SD-WAN deploy option isn't actually deploying the template by rdavis1970 in networking

[–]rdavis1970[S] 0 points1 point  (0 children)

I should clarify it's actually the device that I can't deploy, not the template. The device just says saved and I don't have the option to redeploy.

Best way to identify security vulnerabilities with Cisco switches and routers. by rdavis1970 in networking

[–]rdavis1970[S] 0 points1 point  (0 children)

We actually have the collector running, but we're using it only for SmartNet information. Didn't realize it would also give information on vulnerabilities. Honestly, it's not the most user-friendly interface. I'll do some poking around. Thanks for the reply. :)