# Palo Alto HA Setup with Terraform (Stackit Cloud)

This Terraform configuration sets up two **Palo Alto Firewalls** in a **High Availability (HA)** setup on the **Stackit Cloud IaaS** layer. It includes proper configuration for floating IPs (VIPs), port security, and network interface rules.

---

## 🛠️ Key Concepts

### High Availability (HA)

Two firewalls are deployed with identical network interfaces. A virtual IP (VIP) is configured for failover between the two units.

### 🧷 Port Security & VIPs

- `port_security` **must be enabled** on interfaces where the **VIP** is active.
- **Do not attach** the VIP IP to any server or instance!
- VIP must be added as an `allowed_address_pair` on **both firewalls'** relevant interfaces.

---

## ✅ Requirements

- Terraform ≥ 1.3.x
- Stackit Terraform Provider
- Palo Alto VM-Series Images (pre-imported into the Stackit project)

---

## VIP Configuration Rules

| Requirement                      | Value / Note                             |
|----------------------------------|------------------------------------------|
| Port Security Enabled            | ✅ `true` on VIP interfaces              |
| VIP Attachment                   | ❌ Do **not** attach VIP to any instance |
| Allowed Address Pair             | ✅ Add VIP with `/32` notation           |
| Allowed Address Format           | `10.220.131.30/32`                       |
| Security Group for VIP Interface | ✅ Required if `port_security = true`    |

---
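The VIP rules in the table above can be checked before `terraform apply` with a small script. This is an added example, not part of this project's Terraform code: the firewall names, interface IPs and dictionary field names are constructed assumptions that follow the README's terms rather than any provider schema, and only the VIP value comes from the table.

```python
import ipaddress

VIP = "10.220.131.30"  # VIP from the table above

# Constructed sample: simplified view of each firewall's VIP-facing interface.
# Field names follow this README's terms, not a provider schema.
INTERFACES = [
    {"firewall": "fw-a", "ip": "10.220.131.11", "port_security": True,
     "allowed_address_pairs": ["10.220.131.30/32"], "security_groups": ["sg-untrust"]},
    {"firewall": "fw-b", "ip": "10.220.131.12", "port_security": True,
     "allowed_address_pairs": ["10.220.131.30"], "security_groups": []},
]

def check_vip_interface(iface, vip=VIP):
    """Return a list of rule violations for one VIP-carrying interface."""
    problems = []
    vip_addr = ipaddress.ip_address(vip)
    if not iface.get("port_security"):
        problems.append("port_security must be true on VIP interfaces")
    elif not iface.get("security_groups"):
        problems.append("security group required when port_security = true")
    # The VIP floats between units; it must never be an interface's own address.
    if ipaddress.ip_address(iface["ip"]) == vip_addr:
        problems.append("VIP is attached as the interface address")
    pairs = iface.get("allowed_address_pairs", [])
    if f"{vip_addr}/32" not in pairs:
        # Distinguish a missing VIP from one written without /32 or as a wider prefix.
        covering = [p for p in pairs
                    if vip_addr in ipaddress.ip_network(p, strict=False)]
        if covering:
            problems.append(f"VIP must use /32 notation, found {covering[0]}")
        else:
            problems.append("VIP missing from allowed address pairs")
    return problems

def check_ha_pair(interfaces, vip=VIP):
    """Map firewall name -> violations; both units must carry the VIP pair."""
    return {i["firewall"]: check_vip_interface(i, vip) for i in interfaces}

if __name__ == "__main__":
    for fw, problems in check_ha_pair(INTERFACES).items():
        print(fw, "OK" if not problems else problems)
```
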