Set up Active/Passive Palo Alto DataCenter Firewall on Azure - Part Two

In the Previous Post, I've explained how to setup Palo Alto VMs in the same resource group including the network configuration and other configuration.

In this post, I will explain how to configure the Active and Passive Node from Azure side

Take a Look on the below design which is shared on Palo Alto Portal, as we will follow almost the same

As we can see from the below NICs Configuration on my Palo Alto Nodes, we have:

1. Trust Interface
2. Untrust Interface
3. MGMT Interface
4. I have added a new NIC named "HA-Interface" - Make sure to Power off and stop the VM in order to add a new NIC - You can refer to this Guide on how to add a new NIC
   

There is a small configuration should be done on azure AD before jumping into the Palo Alto HA Configuration, which is creating an APP and register with the right permission in order to make the Resources "IP" floating between both Firewall Nodes, let's do it:

1- Login to Azure Portal
2- Click on Azure AD

3- From App registration > Click on +New registration

4- Enter the App name and you can leave the rest of the options as a default, once App is created make sure to write down these configuration (highlighted in Yellow) as you will use them in Palo Alto Configuration

5- Next step is to create a Key secret, go to Certificates & Secret  > Client Secret > New Client Secret

6- Enter the Client Description and I Recommended to set the Expires Value "Never"

7- Next Step is to Add API Permissions, from API Permissions > + Add a Permission > Select Microsoft Graph

8- Add the permissions as above figure
9- After that, we need to add permissions on the subscription level for the deployed APP
10- Go to Home > Subscriptions

11- Access Control (IAM) > +Add > Add Role Assignment

12- Select Contributor Role  and from Select > select the App name
13- Done.
Now We will Add the new Floating IP on the Node 1
1- Go to the Palo Alto VM Node 1 > Select Networking

2- You will see the 4 Network interfaces which we have added before
3- Click on the Untrust "Second NIC" > a new windows will open

4- From IP Configurations > Click on Add
5- Enter the Private floating IP Name e.g 192.168.10.100
6- Click on Create
7- Repeat the Steps for the Trust NIC as Well

Note: With floating IP address, it can quickly move the IP address from the active firewall to the passive firewall during failover. You will also need HA links – a control link and data link to synchronize data and maintain state information between the peers for the passive firewall to seamlessly secure traffic as soon as it becomes the active peer.

Next Step is to Login to Palo Alto Firewall and start the initial configuration and it will be the last Part :)