terraform-paloalto-ha/README.md
2025-05-13 10:16:36 +02:00


# Palo Alto HA Setup with Terraform (Stackit Cloud)

This Terraform configuration provisions two Palo Alto firewalls as a High Availability (HA) pair on the Stackit Cloud IaaS layer. It covers the pieces that are easy to get wrong on a cloud network: the floating IP (VIP) that moves between the two units, port security on the firewall interfaces, and the allowed-address and security-group rules that let traffic for the VIP through.


๐Ÿ› ๏ธ Key Concepts

๐Ÿ” High Availability (HA)

Two firewalls are deployed with identical network interfaces. A virtual IP (VIP) is configured for failover between the two units.

๐Ÿงท Port Security & VIPs

  • port_security must be enabled on interfaces where the VIP is active.
  • Do not attach the VIP IP to any server or instance!
  • VIP must be added as an allowed_address_pair on both firewalls' relevant interfaces.

## Requirements


๐Ÿ” Configuration Rules

Rule Explanation
Do NOT attach VIP IP to any VM The VIP is managed by the HA sync between the firewalls.
VIP must be set with /32 CIDR ranges are not supported for allowed addresses.
VIP must be defined as allowed_address_pair On both firewalls where it can be active.
Port security must be enabled On interfaces holding the VIP.
Security groups must allow traffic for VIP If port security is enabled, define rules accordingly.

## Limitations & Notes

- **VIP must not be attached to any instance.** The floating IP (VIP) is managed entirely by the Palo Alto HA configuration. Do not associate it statically with any compute instance via Terraform; the active firewall answers for it.
- **Only `/32` is allowed in `allowed_addresses`.** Specify the VIP as a single host address (e.g. `10.220.131.30/32`). CIDR blocks (e.g. `/24`) are not supported and are either rejected or silently ignored.
- **Traffic fails if `allowed_addresses` is missing.** If the VIP is not explicitly listed in `allowed_addresses` on every port where it might become active, port security drops packets and ARP replies that carry the VIP, so the neighbor/ARP entry for the VIP is never learned and traffic fails silently.
- **Security groups must explicitly allow VIP traffic.** With `port_security = true`, make sure the security group rules attached to the port allow inbound and outbound traffic for the VIP address. If they are omitted, that traffic is blocked.
- **Interface networks must match on both firewalls.** For HA sync and failover to succeed, each interface role (e.g. `wan`, `lan1`) must be connected to the same virtual network on both firewalls.
- **No dynamic interface switching in Terraform.** VIP failover happens at the firewall level. Terraform does not enable or disable interfaces on failover; make sure the Palo Alto HA configuration is set up correctly within PAN-OS.
- **HA sync and preemption are not handled by Terraform.** State sync, failover, and preemption priorities must be configured manually in the firewall GUI or CLI. This project only provisions the infrastructure.
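The configuration rules and the limitations above, collected into one Terraform fragment. This is an added example, not code from this project. Attribute names (`security`, `allowed_addresses`, `security_group_ids`, `security_group_id`, `direction`, `ip_range`) are assumed to follow the `stackitcloud/stackit` provider's `stackit_network_interface`, `stackit_security_group` and `stackit_security_group_rule` resources; verify them against the provider version you pin. The firewall servers that attach these interfaces are left out on purpose: the VIP appears only inside `allowed_addresses`, never as the address of any server.

```hcl
# Added example (not part of the project). Builds the LAN interface for both
# firewalls from one definition so the interfaces are guaranteed to match, and
# enforces the README's rules: port security on, VIP as a /32 allowed address,
# security group rules present, VIP never bound to a server.

variable "project_id" {
  type = string
}

variable "lan_network_id" {
  type        = string
  description = "Virtual network shared by both firewalls' LAN interfaces"
}

variable "vip_lan" {
  type        = string
  description = "Shared LAN VIP as a bare host address; the /32 is appended below"

  # Reject anything that is not a single IPv4 host address. A value such as
  # "10.220.131.0/24" fails here at plan time instead of being silently
  # ignored by the API.
  validation {
    condition     = !can(regex("/", var.vip_lan)) && can(cidrnetmask("${var.vip_lan}/32"))
    error_message = "vip_lan must be a bare IPv4 host address (e.g. 10.220.131.30); this module adds the /32."
  }
}

locals {
  firewalls    = toset(["fw-a", "fw-b"]) # hypothetical names for the HA pair
  vip_lan_pair = "${var.vip_lan}/32"     # the only form accepted in allowed_addresses
}

# Security group that carries the rules needed for VIP traffic. With port
# security enabled, traffic not matched by a rule on the port is dropped.
resource "stackit_security_group" "fw_lan" {
  project_id  = var.project_id
  name        = "fw-lan-vip"
  description = "Rules for the firewall LAN interfaces and the LAN VIP"
}

# Inbound traffic from the LAN towards the firewall (and therefore towards the
# VIP). 10.220.131.0/24 is an assumed client subnet; replace with your own.
resource "stackit_security_group_rule" "fw_lan_ingress" {
  project_id        = var.project_id
  security_group_id = stackit_security_group.fw_lan.security_group_id
  direction         = "ingress"
  ip_range          = "10.220.131.0/24"
  description       = "LAN clients to firewall / VIP"
}

# Outbound traffic the firewall sends on its LAN side, including packets it
# sources from the VIP after a failover.
resource "stackit_security_group_rule" "fw_lan_egress" {
  project_id        = var.project_id
  security_group_id = stackit_security_group.fw_lan.security_group_id
  direction         = "egress"
  ip_range          = "0.0.0.0/0"
  description       = "Firewall / VIP to LAN"
}

# One LAN interface per firewall, on the same network, with the same allowed
# address. for_each guarantees both units get an identical interface; the
# primary address of each port is assigned by the network, so the VIP is never
# a port's own address.
resource "stackit_network_interface" "fw_lan" {
  for_each = local.firewalls

  project_id = var.project_id
  network_id = var.lan_network_id
  name       = "${each.key}-lan1"

  security           = true # port security must stay on where the VIP lives
  security_group_ids = [stackit_security_group.fw_lan.security_group_id]

  # The VIP as an allowed address pair on BOTH firewalls. Without this entry
  # the port drops ARP replies and packets carrying the VIP.
  allowed_addresses = [local.vip_lan_pair]
}

output "fw_lan_interface_ids" {
  description = "Interface IDs to pass to the two firewall servers"
  value       = { for k, nic in stackit_network_interface.fw_lan : k => nic.network_interface_id }
}
```

The variable validation is the check that catches the most common mistake on this page: a CIDR block handed to `allowed_addresses`. Everything else (which unit currently owns the VIP, preemption, state sync) is decided inside PAN-OS, so nothing in this fragment changes during a failover.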