Configure Active/Active HA
Updated on Apr 19, 2024
The following procedure describes the basic workflow for configuring your firewalls in an active/active configuration. Before you begin, see Determine Your Active/Active Use Case for configuration examples tailored to your specific network environment.
You can configure data ports as dedicated HA interfaces and as dedicated backup HA interfaces; this is required on firewalls that have no dedicated HA ports.
Data ports configured as HA1, HA2, or HA3 interfaces can be connected directly to the corresponding HA interface on the peer firewall or connected through a Layer 2 switch. For data ports configured as an HA3 interface, you must enable jumbo frames, because HA3 messages exceed 1,500 bytes.
To configure active/active, first complete the following steps on one peer and then complete them on the second peer, ensuring that you set the Device ID to different values (0 or 1) on each peer.
Connect the HA ports to set up a physical connection between the firewalls.
For each use case, the firewalls can be any hardware model; choose the HA3 step that corresponds to your model.
- For firewalls with dedicated HA ports, use an Ethernet cable to connect the dedicated HA1 ports and the HA2 ports on the peers. Use a crossover cable if the peers are directly connected to each other.
- For firewalls without dedicated HA ports, select two data interfaces for the HA2 link and the backup HA1 link. Then, use an Ethernet cable to connect these in-band HA interfaces across both firewalls. Use the management port for the HA1 link and ensure that the management ports can reach each other across your network.
- For HA3:
  - On PA-7000 Series firewalls, connect the High Speed Chassis Interconnect (HSCI-A) on the first chassis to the HSCI-A on the second chassis, and the HSCI-B on the first chassis to the HSCI-B on the second chassis.
  - On PA-5200 Series firewalls (which have one HSCI port), connect the HSCI port on the first chassis to the HSCI port on the second chassis. You can also use data ports for HA3 on PA-5200 Series firewalls.
  - On PA-3200 Series firewalls (which have one HSCI port), connect the HSCI port on the first chassis to the HSCI port on the second chassis.
  - On any other hardware model, use dataplane interfaces for HA3.
Enable ping on the management port.
Enabling ping allows the management port to exchange heartbeat backup information.
- In Device > Setup > Management, edit Management Interface Settings.
- Select Ping as a service that is permitted on the interface.
If the firewall does not have dedicated HA ports, set up the data ports to function as HA ports.
For firewalls with dedicated HA ports, continue to the next step.
- Select Network > Interfaces.
- Confirm that the link is up on the ports that you want to use.
- Select the interface and set Interface Type to HA.
- Set the Link Speed and Link Duplex settings, as appropriate.
Enable active/active HA and set the group ID.
- In Device > High Availability > General, edit Setup.
- Select Enable HA.
- Enter a Group ID, which must be the same for both firewalls. The firewall uses the Group ID to calculate the virtual MAC address (range is 1-63).
- (Optional) Enter a Description.
- For Mode, select Active Active.
Set the Device ID, enable synchronization, and identify the control link on the peer firewall.
- In Device > High Availability > General, edit Setup.
- Select the Device ID as follows: when configuring the first peer, set the Device ID to 0; when configuring the second peer, set the Device ID to 1.
- Select Enable Config Sync. This setting is required to synchronize the two firewall configurations (enabled by default).
- Enter the Peer HA1 IP Address, which is the IP address of the HA1 control link on the peer firewall.
- (Optional) Enter a Backup Peer HA1 IP Address, which is the IP address of the backup control link on the peer firewall.
- Click OK.
Determine whether or not the firewall with the lower Device ID preempts the active-primary firewall upon recovery from a failure.
- In Device > High Availability > General, edit Election Settings.
- Select Preemptive to cause the firewall with the lower Device ID to automatically resume active-primary operation after either firewall recovers from a failure. Both firewalls must have Preemptive selected for preemption to occur.
- Leave Preemptive unselected if you want the active-primary role to remain with the current firewall until you manually make the recovered firewall the active-primary firewall.
Enable heartbeat backup if your control link uses a dedicated HA port or an in-band port.
You need not enable heartbeat backup if you are using the management port for the control link.
- In Device > High Availability > General, edit Election Settings.
- Select Heartbeat Backup. To allow the heartbeats to be transmitted between the firewalls, verify that the management ports of both peers can route to each other.
Enabling heartbeat backup helps prevent a split-brain situation. Split brain occurs when the HA1 link goes down and the firewalls miss each other's heartbeats even though both are still functioning. Each peer then believes the other is down and takes over services that the other peer is still running. Heartbeat backup prevents this because redundant heartbeats and hello messages are transmitted over the management port, so a loss of the HA1 link alone no longer looks like a peer failure.
(Optional) Modify the HA Timers.
By default, the HA timer profile is set to the Recommended profile, which is suited to most HA deployments.
- In Device > High Availability > General, edit Election Settings.
- Select Aggressive to trigger faster failover. Select Advanced to define custom values for triggering failover in your setup.
- To view the preset value for an individual timer included in a profile, select Advanced and click Load Recommended or Load Aggressive. The preset values for your hardware model are displayed on screen.
Set up the control link connection.
This example uses an in-band port that is set to interface type HA.
For firewalls that use the management port as the control link, the IP address information is automatically pre-populated.
- In Device > High Availability > General, edit Control Link (HA1).
- Select the Port that you have cabled for use as the HA1 link.
- Set the IPv4/IPv6 Address and Netmask.
- If the HA1 interfaces are on separate subnets, enter the IP address of the Gateway. Do not add a gateway address if the firewalls are directly connected.
(Optional) Enable encryption for the control link connection.
This is typically used to secure the link if the two firewalls are not directly connected, that is, if the ports are connected to a switch or a router. The HA1 link carries configuration synchronization and hello messages between the peers, so encrypt it whenever the link crosses shared infrastructure.
- Export the HA key from one firewall and import it into the peer firewall.
  - Select Device > Certificate Management > Certificates.
  - Select Export HA key. Save the HA key to a network location that the peer can access.
  - On the peer firewall, select Device > Certificate Management > Certificates, and select Import HA key to browse to the location where you saved the key and import it into the peer.
- In Device > High Availability > General, edit the Control Link (HA1).
- Select Encryption Enabled.
If you enable encryption, after you finish configuring the HA firewalls, you can Refresh HA1 SSH Keys and Configure Key Options.
Set up the backup control link connection.
- In Device > High Availability > General, edit Control Link (HA1 Backup).
- Select the HA1 backup interface and set the IPv4/IPv6 Address and Netmask.
PA-3200 Series firewalls do not support an IPv6 address for the HA1 backup control link; use an IPv4 address.
Set up the data link connection (HA2) and the backup HA2 connection between the firewalls.
- In Device > High Availability > General, edit Data Link (HA2).
- Select the Port to use for the data link connection.
- Select the Transport method. The default is ethernet, which works when the HA pair is connected directly or through a switch. If you need to route the data link traffic through the network, select IP or UDP as the transport mode.
- If you use IP or UDP as the transport method, enter the IPv4/IPv6 Address and Netmask.
- Verify that Enable Session Synchronization is selected.
- Select HA2 Keep-alive to enable monitoring on the HA2 data link between the HA peers. If a failure occurs based on the threshold that is set (default is 10000 ms), the defined action occurs: the system either generates a critical system log message or splits the dataplane, depending on your configuration.
  You can configure the HA2 Keep-alive option on both firewalls, or on just one firewall in the HA pair. If the option is enabled on only one firewall, only that firewall sends the keep-alive messages; the other firewall is notified if a failure occurs.
  A split dataplane causes the dataplanes of both peers to operate independently while leaving the high availability state as Active-Primary and Active-Secondary. If only one firewall is configured to split the dataplane, the split dataplane applies to the other device as well.
- Edit the Data Link (HA2 Backup) section, select the interface, and add the IPv4/IPv6 Address and Netmask.
- Click OK.
Configure the HA3 link for packet forwarding.
- In Device > High Availability > Active/Active Config, edit Packet Forwarding.
- For HA3 Interface, select the interface you want to use to forward packets between active/active HA peers. It must be a dedicated interface capable of Layer 2 transport and set to Interface Type HA.
- Select VR Sync to force synchronization of all virtual routers configured on the HA peers. Select this when the virtual router is not configured for dynamic routing protocols. Both peers must be connected to the same next-hop router through a switched network and must use static routing only.
- Select QoS Sync to synchronize the QoS profile selection on all physical interfaces. Select this when both peers have similar link speeds and require the same QoS profiles on all physical interfaces. This setting affects the synchronization of QoS settings on the Network tab. QoS policy is synchronized regardless of this setting.
(Optional) Modify the Tentative Hold time.
- In Device > High Availability > Active/Active Config, edit Packet Forwarding.
- For Tentative Hold Time (sec), enter the number of seconds that a firewall stays in Tentative state after it recovers post-failure (range is 10-600, default is 60).
Configure Session Owner and Session Setup.
- In Device > High Availability > Active/Active Config, edit Packet Forwarding.
- For Session Owner Selection, select one of the following:
  - First Packet: The firewall that receives the first packet of a new session is the session owner (recommended setting). This setting minimizes traffic across HA3 and load shares traffic across peers.
  - Primary Device: The firewall that is in active-primary state is the session owner.
- For Session Setup, select one of the following:
  - IP Modulo: The firewall performs an XOR operation on the source and destination IP addresses from the packet and, based on the result, chooses which HA peer will set up the session.
  - Primary Device: The active-primary firewall sets up all sessions.
  - First Packet: The firewall that receives the first packet of a new session performs session setup (recommended setting).
  - IP Hash: The firewall uses a hash of either the source IP address or a combination of the source and destination IP addresses to distribute session setup responsibilities.
  Start with First Packet for Session Owner and Session Setup, and then, based on load distribution, you can change to one of the other options.
- Click OK.
Configure an HA virtual address.
You need a virtual address to use a Floating IP Address and Virtual MAC Address or ARP Load-Sharing.
- In Device > High Availability > Active/Active Config, Add a Virtual Address.
- Enter or select an Interface.
- Select the IPv4 or IPv6 tab and click Add.
- Enter an IPv4 Address or IPv6 Address.
- For Type:
  - Select Floating to configure the virtual IP address to be a floating IP address.
  - Select ARP Load Sharing to configure the virtual IP address to be a shared IP address and skip to Configure ARP Load-Sharing.
Configure the floating IP address.
- Do not select Floating IP bound to the Active-Primary device unless you want the active/active HA pair to behave like an active/passive HA pair.
- For Device 0 Priority and Device 1 Priority, enter a priority for the firewall configured with Device ID 0 and Device ID 1, respectively. The relative priorities determine which peer owns the floating IP address you just configured (range is 0-255). The firewall with the lowest priority value (highest priority) owns the floating IP address.
- Select Failover address if link state is down to cause the firewall to use the failover address when the link state on the interface is down.
- Click OK.
Configure ARP Load-Sharing.
The device selection algorithm determines which HA firewall responds to ARP requests to provide load sharing.
- For Device Selection Algorithm, select one of the following:
  - IP Modulo: The firewall that responds to ARP requests is chosen based on the parity of the ARP requester's IP address.
  - IP Hash: The firewall that responds to ARP requests is chosen based on a hash of the ARP requester's IP address.
- Click OK.
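The Session Setup options in the Configure Session Owner and Session Setup step and the ARP Load-Sharing device selection algorithm above can be modelled to see how each choice spreads work across the two peers and how much traffic it pushes over HA3. The Python script below is an added example written for this page; it is not PAN-OS code, and the page does not document the exact arithmetic. It assumes that IP Modulo uses the parity (low bit) of the XOR of the two addresses (and of the requester address for ARP), that parity 0 maps to Device ID 0, and it substitutes SHA-256 for the undocumented IP Hash function. The Flow structure and the sample flows are constructed.

```python
import hashlib
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """One new session (constructed sample). received_by is the Device ID
    (0 or 1) whose interface saw the first packet."""
    src: str
    dst: str
    received_by: int


def _as_int(addr: str) -> int:
    return int(ipaddress.ip_address(addr))


def ip_modulo_session(src: str, dst: str) -> int:
    """Assumption: XOR the two addresses; the parity of the result picks the peer."""
    return (_as_int(src) ^ _as_int(dst)) & 1


def ip_hash_session(src: str, dst: Optional[str] = None) -> int:
    """Assumption: SHA-256 stands in for the undocumented PAN-OS hash. Hash the
    source alone or source plus destination; the low bit picks the peer."""
    data = src.encode() if dst is None else f"{src}>{dst}".encode()
    return hashlib.sha256(data).digest()[-1] & 1


def choose_setup_peer(method: str, flow: Flow, active_primary: int = 0,
                      hash_both: bool = True) -> int:
    """Return the Device ID that performs session setup under the given option."""
    if method == "first-packet":
        return flow.received_by
    if method == "primary-device":
        return active_primary
    if method == "ip-modulo":
        return ip_modulo_session(flow.src, flow.dst)
    if method == "ip-hash":
        return ip_hash_session(flow.src, flow.dst if hash_both else None)
    raise ValueError(f"unknown Session Setup option: {method}")


def arp_responder(algorithm: str, requester: str) -> int:
    """Device ID that answers an ARP request under the ARP Load-Sharing option."""
    if algorithm == "ip-modulo":
        return _as_int(requester) & 1  # parity of the requester's address
    if algorithm == "ip-hash":
        return hashlib.sha256(requester.encode()).digest()[-1] & 1
    raise ValueError(f"unknown Device Selection Algorithm: {algorithm}")


def setup_report(method: str, flows: List[Flow],
                 active_primary: int = 0) -> Tuple[Dict[int, int], int]:
    """Sessions set up per peer, and how many first packets must be forwarded
    over HA3 because the setup peer is not the one that received them."""
    per_peer: Counter = Counter()
    ha3_forwarded = 0
    for f in flows:
        peer = choose_setup_peer(method, f, active_primary)
        per_peer[peer] += 1
        if peer != f.received_by:
            ha3_forwarded += 1
    return dict(per_peer), ha3_forwarded


# Constructed sample: three first packets arrived at each peer.
SAMPLE_FLOWS = [
    Flow("10.0.0.1", "192.168.1.10", 0),
    Flow("10.0.0.2", "192.168.1.10", 0),
    Flow("10.0.0.3", "192.168.1.11", 1),
    Flow("10.0.0.4", "192.168.1.12", 1),
    Flow("2001:db8::1", "2001:db8::10", 0),
    Flow("10.0.0.9", "8.8.8.8", 1),
]

if __name__ == "__main__":
    for method in ("first-packet", "primary-device", "ip-modulo", "ip-hash"):
        per_peer, forwarded = setup_report(method, SAMPLE_FLOWS)
        print(f"{method:15} sessions per peer {per_peer}  forwarded over HA3: {forwarded}")
    for host in ("10.0.0.7", "10.0.0.8"):
        print(f"ARP from {host}: answered by device {arp_responder('ip-modulo', host)}")
```

Running it shows why First Packet is the recommended starting point: it forwards nothing over HA3, whereas Primary Device forwards every session that arrived at the secondary peer, and IP Modulo forwards a large share regardless of which peer saw the packet. If upstream routing feeds one peer far more than the other, the IP Modulo or IP Hash report shows what you gain in setup balance and what it costs in HA3 forwarding.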
Define HA Failover Conditions.
Commit the configuration.
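Because the two peers are configured one after the other, most active/active mistakes are mismatches between them rather than errors on one box. Before committing, it is worth checking the constraints this procedure states against both peers' settings. The Python checker below is an added example for this page, not PAN-OS code; the PeerHA structure and its field names are hypothetical, and the two sample peers are constructed. The PA-3200 Series check assumes those models carry a "PA-32" prefix.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional


@dataclass
class PeerHA:
    """HA settings of one peer (hypothetical structure for this example)."""
    name: str
    model: str                  # hardware family, e.g. "PA-3220"
    device_id: int
    group_id: int
    config_sync: bool
    preemptive: bool
    ha1_port: str               # "management" or the port carrying HA1
    ha1_gateway: Optional[str]
    ha1_directly_connected: bool
    ha1_encryption: bool
    heartbeat_backup: bool
    ha1_backup_ip: Optional[str]
    ha3_on_data_port: bool
    jumbo_frames: bool
    tentative_hold: int         # seconds
    floating_priority: int      # this peer's priority for the floating IP


def check_peer(p: PeerHA) -> List[str]:
    """Constraints the procedure states for a single peer."""
    out = []
    if not 1 <= p.group_id <= 63:
        out.append(f"ERROR {p.name}: Group ID {p.group_id} is outside 1-63")
    if p.device_id not in (0, 1):
        out.append(f"ERROR {p.name}: Device ID must be 0 or 1")
    if not p.config_sync:
        out.append(f"ERROR {p.name}: Enable Config Sync is off")
    if p.ha1_gateway and p.ha1_directly_connected:
        out.append(f"ERROR {p.name}: HA1 gateway set although peers are directly connected")
    if not p.ha1_directly_connected and not p.ha1_encryption:
        out.append(f"WARN {p.name}: HA1 crosses a switch or router without encryption")
    if p.ha1_port != "management" and not p.heartbeat_backup:
        out.append(f"WARN {p.name}: Heartbeat Backup off with HA1 on {p.ha1_port}; split brain risk")
    # Assumption: PA-3200 Series models are identified by the "PA-32" prefix.
    if p.ha1_backup_ip and p.model.startswith("PA-32") and ip_address(p.ha1_backup_ip).version == 6:
        out.append(f"ERROR {p.name}: PA-3200 Series does not support IPv6 on the HA1 backup link")
    if p.ha3_on_data_port and not p.jumbo_frames:
        out.append(f"ERROR {p.name}: HA3 on a data port requires jumbo frames")
    if not 10 <= p.tentative_hold <= 600:
        out.append(f"ERROR {p.name}: Tentative Hold Time {p.tentative_hold}s is outside 10-600")
    if not 0 <= p.floating_priority <= 255:
        out.append(f"ERROR {p.name}: floating IP priority is outside 0-255")
    return out


def check_pair(a: PeerHA, b: PeerHA) -> List[str]:
    """Per-peer checks plus the cross-peer constraints."""
    out = check_peer(a) + check_peer(b)
    if a.group_id != b.group_id:
        out.append("ERROR: Group ID differs between peers; it must match")
    if a.device_id == b.device_id:
        out.append("ERROR: both peers use the same Device ID; use 0 and 1")
    if a.preemptive != b.preemptive:
        out.append("WARN: Preemptive is set on only one peer, so preemption will not occur")
    if a.floating_priority == b.floating_priority:
        out.append("WARN: equal floating IP priorities; set distinct values so the owner is explicit")
    return out


def floating_ip_owner(a: PeerHA, b: PeerHA) -> Optional[str]:
    """Lowest priority value (highest priority) owns the floating IP; None on a tie."""
    if a.floating_priority == b.floating_priority:
        return None
    return a.name if a.floating_priority < b.floating_priority else b.name


# Constructed sample peers: a correct pair, and a second peer with mistakes on purpose.
GOOD_A = PeerHA("fw-a", "PA-5220", 0, 7, True, True, "ethernet1/5", None, True,
                False, True, "10.255.0.1", False, False, 60, 10)
GOOD_B = PeerHA("fw-b", "PA-5220", 1, 7, True, True, "ethernet1/5", None, True,
                False, True, "10.255.0.2", False, False, 60, 20)
BAD_B = PeerHA("fw-b", "PA-3220", 0, 8, True, False, "ethernet1/5", None, False,
               False, True, "fd00::2", True, False, 5, 20)

if __name__ == "__main__":
    for line in check_pair(GOOD_A, BAD_B):
        print(line)
    print("floating IP owner:", floating_ip_owner(GOOD_A, GOOD_B))
```

The ERROR lines are settings the page says will not work (same Device ID, different Group IDs, IPv6 on a PA-3200 HA1 backup link, HA3 on a data port without jumbo frames, an out-of-range hold time); the WARN lines are settings that commit fine but silently do not give you what you expect, such as Preemptive on only one peer or an unencrypted HA1 link through a switch.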