Configuration Guidelines for Active/Passive HA
Updated on Fri Apr 19 00:02:55 UTC 2024
To set up an active (PeerA) passive (PeerB) pair in HA, you must configure some options identically on both firewalls and some independently (non-matching) on each firewall. These HA settings are not synchronized between the firewalls. For details on what is and is not synchronized, see Reference: HA Synchronization.
The following checklist details the settings that you must configure identically on both firewalls:
- You must enable HA on both firewalls.
- You must configure the same Group ID value on both firewalls. The firewall uses the Group ID value to create a virtual MAC address for all the configured interfaces. See Floating IP Address and Virtual MAC Address for information about virtual MAC addresses. When a new active firewall takes over, it sends Gratuitous ARP messages from each of its connected interfaces to inform the connected Layer 2 switches of the virtual MAC address' new location.
- If you are using in-band ports as HA links, you must set the interfaces for the HA1 and HA2 links to type HA.
- Set the HA Mode to Active Passive on both firewalls.
- If required, enable preemption on both firewalls. The device priority value, however, must not be identical.
- If required, configure encryption on the HA1 link (for communication between the HA peers) on both firewalls.
- Based on the combination of HA1 and HA1 Backup ports you are using, use the following recommendations to decide whether you should enable heartbeat backup:
HA functionality (HA1 and HA1 Backup) is not supported on the management interface if it is configured for DHCP addressing (IP Type set to DHCP Client). The exceptions are AWS and Azure, where the management interface is configured as DHCP Client and supports HA1 and HA1 Backup links.
HA1 | HA1 Backup | Recommendation |
---|---|---|
Dedicated HA1 port | Dedicated HA1 port | Enable Heartbeat Backup |
Dedicated HA1 port | In-band port | Enable Heartbeat Backup |
Dedicated HA1 port | Management port | Do not enable Heartbeat Backup |
In-band port | In-band port | Enable Heartbeat Backup |
Management port | In-band port | Do not enable Heartbeat Backup |
The following table lists the HA settings that you must configure independently on each firewall. See Reference: HA Synchronization for more information about other configuration settings that are not automatically synchronized between peers.
Independent Configuration Settings | PeerA | PeerB |
---|---|---|
Control Link. For firewalls without dedicated HA ports, use the management port IP address for the control link. | IP address of the HA1 link configured on this firewall (PeerA). | IP address of the HA1 link configured on this firewall (PeerB). |
Data Link. The data link information is synchronized between the firewalls after HA is enabled and the control link is established between the firewalls. | By default, the HA2 link uses Ethernet/Layer 2. If using a Layer 3 connection, configure the IP address for the data link on this firewall (PeerA). | By default, the HA2 link uses Ethernet/Layer 2. If using a Layer 3 connection, configure the IP address for the data link on this firewall (PeerB). |
Device Priority (required if preemption is enabled) | The firewall you plan to make active must have a lower numerical value than its peer. So, if PeerA is to function as the active firewall, keep the default value of 100 and increment the value on PeerB. If the firewalls have the same device priority value, they use the MAC address of their HA1 as the tie-breaker. | If PeerB is passive, set the device priority value to a number larger than the setting on PeerA. For example, set the value to 110. |
Link Monitoring—Monitor one or more physical interfaces that handle vital traffic on this firewall and define the failure condition. | Select the physical interfaces on the firewall that you would like to monitor and define the failure condition (all or any) to trigger a failover. | Pick a similar set of physical interfaces that you would like to monitor on this firewall and define the failure condition (all or any) to trigger a failover. |
Path Monitoring—Monitor one or more destination IP addresses that the firewall can ping (ICMP) to ascertain responsiveness. | Define the failure condition (all or any), ping interval and the ping count. This is particularly useful for monitoring the availability of other interconnected networking devices. For example, monitor the availability of a router that connects to a server, connectivity to the server itself, or some other vital device that is in the flow of traffic. Make sure that the node/device that you are monitoring is not likely to be unresponsive, especially when it comes under load, as this could cause a path monitoring failure and trigger a failover. | Pick a similar set of devices or destination IP addresses that can be monitored for determining the failover trigger for PeerB. Define the failure condition (all or any), ping interval and the ping count. |
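The checklist and the two tables above amount to a set of cross-peer consistency rules. The following added example (not a Palo Alto Networks tool; the dict layout, field names and the sample PeerA/PeerB values are constructed for illustration) lints a pair of peer configurations against those rules: matching Group ID, mode, preemption and HA1 encryption; differing HA1 addresses and device priorities with the intended active peer holding the lower value; the DHCP-on-management restriction with its AWS/Azure exception; and the Heartbeat Backup recommendation for each HA1/HA1 Backup port combination.

```python
"""Lint two PAN-OS active/passive HA peer configurations against this page's
guidelines. Added example, not a PAN-OS tool; dict layout and values are constructed."""

# Heartbeat Backup recommendation per (HA1 port, HA1 Backup port) combination.
HEARTBEAT_BACKUP = {
    ("dedicated", "dedicated"): True,
    ("dedicated", "in-band"): True,
    ("dedicated", "management"): False,
    ("in-band", "in-band"): True,
    ("management", "in-band"): False,
}

# Constructed sample pair: PeerA is meant to be active, PeerB passive.
PEER_A = dict(ha_enabled=True, group_id=1, mode="active-passive", preemption=True,
              ha1_encryption=True, ha1_ip="192.0.2.1", priority=100,
              ha1_port="dedicated", ha1_backup_port="management",
              mgmt_dhcp=False, platform="hardware", heartbeat_backup=True)
PEER_B = dict(PEER_A, ha1_ip="192.0.2.2", priority=110, heartbeat_backup=False)


def check_ha_pair(a, b, intended_active="A"):
    """Return a list of findings; an empty list means the pair follows the page."""
    findings = []
    # Settings the page says must be configured identically on both peers.
    for key in ("ha_enabled", "group_id", "mode", "preemption", "ha1_encryption"):
        if a[key] != b[key]:
            findings.append(f"{key} differs: PeerA={a[key]!r} PeerB={b[key]!r}")
    if not (a["ha_enabled"] and b["ha_enabled"]):
        findings.append("HA must be enabled on both peers")
    if a["mode"] != "active-passive":
        findings.append(f"HA Mode must be active-passive, got {a['mode']!r}")
    # Settings that must be independent: HA1 addresses and device priorities.
    if a["ha1_ip"] == b["ha1_ip"]:
        findings.append("HA1 control-link IP addresses must differ")
    if a["preemption"] and a["priority"] == b["priority"]:
        findings.append("preemption is enabled but device priorities are identical")
    active, passive = (a, b) if intended_active == "A" else (b, a)
    if active["priority"] >= passive["priority"]:
        findings.append("the intended active peer must have the lower priority value")
    for name, p in (("PeerA", a), ("PeerB", b)):
        combo = (p["ha1_port"], p["ha1_backup_port"])
        # HA1/HA1 Backup on a DHCP-addressed management port is unsupported,
        # except on AWS and Azure.
        if "management" in combo and p["mgmt_dhcp"] and p["platform"] not in ("aws", "azure"):
            findings.append(f"{name}: management port carries HA1/HA1 Backup but is a DHCP Client")
        want = HEARTBEAT_BACKUP.get(combo)
        if want is not None and p["heartbeat_backup"] != want:
            state = "enabled" if want else "disabled"
            findings.append(f"{name}: Heartbeat Backup should be {state} for HA1={combo[0]}, backup={combo[1]}")
    return findings
```

Running `check_ha_pair(PEER_A, PEER_B)` on the sample pair reports only that PeerA has Heartbeat Backup enabled for a dedicated HA1 port with a management-port backup, which the table above says to leave disabled.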