Configure Active/Active HA (2024)

Configure Active/Active HA

Updated on

Apr 19, 2024

Focus

Download PDF

Updated on

Apr 19, 2024

Focus

Home
PAN-OS
High Availability
SetUp Active/Active HA
Configure Active/Active HA

Download PDF

Table of Contents

Previous Prerequisites for Active/Active HA

Next Determine Your Active/Active Use Case

The following procedure describes the basicworkflow for configuring your firewalls in an active/active configuration.However, before you begin, DetermineYour Active/Active Use Case for configuration examples moretailored to your specific network environment.

You can configure data ports as both dedicated HA interfaces and as dedicated backup HA interfaces, and is required for firewalls without dedicated HA interfaces.

Data ports configured as HA1, HA2, or HA3 interfaces can be connected directly to each HA interface on the firewall or connected through a Layer2 switch. For data ports configured as an HA3 interface, you must enable jumbo frames as HA3 messages exceed 1,500 bytes.

To configure active/active, first complete thefollowing steps on one peer and then complete them on the secondpeer, ensuring that you set the Device ID to different values (0or 1) on each peer.

Connectthe HA ports to set up a physical connection between the firewalls.

For each use case, the firewalls could be any hardwaremodel; choose the HA3 step that corresponds with your model.

For firewalls with dedicated HA ports, use an Ethernet cableto connect the dedicated HA1 ports and the HA2 ports on peers. Usea crossover cable if the peers are directly connected to each other.

For firewalls without dedicated HA ports, select two data interfacesfor the HA2 link and the backup HA1 link. Then, use an Ethernetcable to connect these in-band HA interfaces across both firewalls.Use the management port for the HA1 link and ensure that the managementports can connect to each other across your network.

For HA3:

On PA-7000 Series firewalls, connectthe High Speed Chassis Interconnect (HSCI-A) on the first chassisto the HSCI-A on the second chassis, and the HSCI-B on the firstchassis to the HSCI-B on the second chassis.

On PA-5200 Series firewalls (which have one HSCI port), connectthe HSCI port on the first chassis to the HSCI port on the secondchassis. You can also use data ports for HA3 on PA-5200 Series firewalls.

On PA-3200 Series firewalls (which have one HSCI port), connectthe HSCI port on the first chassis to the HSCI port on the secondchassis.

On any other hardware model, use dataplane interfaces for HA3.

Enable ping on the management port.

Enabling ping allows the management port to exchange heartbeatbackup information.

Device

Setup

Management

,edit Management Interface Settings.

Select

Ping

as a service thatis permitted on the interface.

If thefirewall does not have dedicated HA ports, set up the data portsto function as HA ports.

For firewalls with dedicated HA ports continue to the nextstep.

Select

Network

Interfaces

Confirm that the link is up on the ports that youwant to use.

Select the interface and set

InterfaceType

Set the

Link Speed

and

LinkDuplex

settings, as appropriate.

Enable active/active HA and set the group ID.

Device

High Availability

General

,edit Setup.

Select

Enable HA

Enter a

Group ID

, which mustbe the same for both firewalls. The firewall uses the Group ID tocalculate the virtual MAC address (range is 1-63).

(

Optional

) Enter a

Description

For

Mode

, select

ActiveActive

Set theDevice ID, enable synchronization, and identify the control linkon the peer firewall

Device

High Availability

General

,edit Setup.

Select

Device ID

as follows:

When configuring the first peer, set the

DeviceID

to .

,edit the Control Link (HA1).

Select

Encryption Enabled

If you enable encryption, after you finish configuringthe HA firewalls, you can Refresh HA1 SSH Keys and Configure Key Options.

Set up the backup control link connection.

Device

High Availability

General

,edit Control Link (HA1 Backup).

Select the HA1 backup interface and set the

IPv4/IPv6Address

and

Netmask

PA-3200 Series firewalls don’t support an IPv6 addressfor the HA1 backup control link; use an IPv4 address.

Set up the data link connection (HA2) and the backupHA2 connection between the firewalls.

Device

High Availability

General

,edit Data Link (HA2).

Select the

Port

to use forthe data link connection.

Select the

Transport

method.The default is

ethernet

, and will work whenthe HA pair is connected directly or through a switch. If you needto route the data link traffic through the network, select

UDP

asthe transport mode.

If you use IP or UDP as the transport method, enterthe

IPv4/IPv6 Address

and

Netmask

Verify that

Enable Session Synchronization

isselected.

Select

HA2 Keep-alive

to enablemonitoring on the HA2 data link between the HA peers. If a failureoccurs based on the threshold that is set (default is 10000 ms),the defined action will occur. When an HA2 Keep-alive failure occurs,the system either generates a critical system log message or causesa split dataplane depending on your configuration.

You can configure the HA2 Keep-alive option on bothfirewalls, or just one firewall in the HA pair. If the option isonly enabled on one firewall, only that firewall sends the Keep-alivemessages. The other firewall is notified if a failure occurs.

A split dataplane causes the dataplanes of both peersto operate independently while leaving the high-available stateas Active-Primary and Active-Secondary. If only one firewall isconfigured to split dataplane, then split dataplane applies to theother device as well.

Edit the

Data Link (HA2 Backup)

section,select the interface, and add the

IPv4/IPv6 Address

and

Netmask

Click

Configure the HA3 link for packet forwarding.

Device

High Availability

Active/Active Config

,edit Packet Forwarding.

For

HA3 Interface

, select theinterface you want to use to forward packets between active/activeHA peers. It must be a dedicated interface capable of Layer 2 transportand set to

Interface Type HA

Select

VR Sync

to force synchronizationof all virtual routers configured on the HA peers. Select when thevirtual router is not configured for dynamic routing protocols.Both peers must be connected to the same next-hop router througha switched network and must use static routing only.

Select

QoS Sync

to synchronizethe QoS profile selection on all physical interfaces. Select whenboth peers have similar link speeds and require the same QoS profileson all physical interfaces. This setting affects the synchronizationof QoS settings on the

Network

tab. QoS policyis synchronized regardless of this setting.

(

Optional

)Modify the Tentative Hold time.

Device

High Availability

Active/Active Config

,edit Packet Forwarding.

For

Tentative Hold Time (sec)

,enter the number of seconds that a firewall stays in Tentative stateafter it recovers post-failure (range is 10-600, default is 60).

Configure SessionOwner and SessionSetup.

Device

High Availability

Active/Active Config

,edit Packet Forwarding.

For

Session Owner Selection

,select one of the following:

First Packet

—The firewallthat receives the first packet of a new session is the session owner(recommended setting). This setting minimizes traffic across HA3and load shares traffic across peers.

Primary Device

—The firewall that isin active-primary state is the session owner.

For

Session Setup

, select oneof the following:

IP Modulo

—The firewall performsan XOR operation on the source and destination IP addresses from thepacket and based on the result, the firewall chooses which HA peerwill set up the session.

Primary Device

—The active-primaryfirewall sets up all sessions.

First Packet

—The firewall that receivesthe first packet of a new session performs session setup (recommended setting).

Start with First Packet for Session Ownerand Session Setup, and then based on load distribution, you canchange to one of the other options.

IP Hash

—The firewall uses a hash ofeither the source IP address or a combination of the source anddestination IP addresses to distribute session setup responsibilities.

Click

Configure an HA virtual address.

You need a virtual address to use a FloatingIP Address and Virtual MAC Address or ARPLoad-Sharing.

Device

High Availability

Active/Active Config

Add

aVirtual Address.

Enter or select an

Interface

Select the

IPv4

IPv6

taband click

Add

Enter an

IPv4 Address

IPv6Address

For

Type

Select

Floating

to configurethe virtual IP address to be a floating IP address.

Select

ARP Load Sharing

to configurethe virtual IP address to be a shared IP address and skip to ConfigureARP Load-Sharing.

Configure the floating IP address.

Do not select

Floating IP boundto the Active-Primary device

unless you want the active/active HApair to behave like an active/passive HA pair.

For

Device 0 Priority

and

Device1 Priority

, enter a priority for the firewall configured withDevice ID 0 and Device ID 1, respectively. The relative prioritiesdetermine which peer owns the floating IP address you just configured(range is 0-255). The firewall with the lowest priority value (highestpriority) owns the floating IP address.

Select

Failover address if link state isdown

to cause the firewall to use the failover addresswhen the link state on the interface is down.

Click

Configure ARPLoad-Sharing.

The device selection algorithm determines which HA firewallresponds to the ARP requests to provide load sharing.

For

Device Selection Algorithm

,select one of the following:

IP Modulo

—The firewall thatwill respond to ARP requests is based on the parity of the ARP requester's IPaddress.

IP Hash

—The firewall that will respondto ARP requests is based on a hash of the ARP requester's IP address.

Click

DefineHA Failover Conditions.

Commit

the configuration.

"); adBlockNotification.append($( "Thanks for visiting https://docs.paloaltonetworks.com. To improve your experience when accessing content across our site, please add the domain to the allow list on your ad blocker application." )); let adBlockNotificationClose = $("x"); adBlockNotification.prepend(adBlockNotificationClose) $('body').append(adBlockNotification); setTimeout(function (e) { adBlockNotification.addClass('open'); }, 10); adBlockNotificationClose.on('click', function (e) { adBlockNotification.removeClass('open'); }) } }, 5000)

Previous Prerequisites for Active/Active HA

Next Determine Your Active/Active Use Case

Recommended For You

{{ if(( raw.pantechdoctype != "techdocsAuthoredContentPage" && raw.objecttype != "Knowledge" && raw.pancommonsourcename != "TD pan.dev Docs")) { }} {{ if (raw.panbooktype) { }} {{ if (raw.panbooktype.indexOf('PANW Yellow Theme') != -1){ }}

{{ } else if (raw.panbooktype.indexOf('PANW Green Theme') != -1){ }}

{{ } else if (raw.panbooktype.indexOf('PANW Blue Theme') != -1){ }}

{{ } else { }}

{{ } }} {{ } else { }}

{{ } }} {{ } else { }} {{ if (raw.pantechdoctype == "pdf"){ }}

{{ } else if (raw.objecttype == "Knowledge") { }}

{{ } else if (raw.pancommonsourcename == "TD pan.dev Docs") { }}

{{ } else if (raw.pancommonsourcename == "LIVEcommunity Public") { }}

{{ } else { }}

{{ } }} {{ } }}

{{ if (raw.pancommonsourcename == "LIVEcommunity Public") { }}

{{ if (raw.pantechdoctype == "pdf"){ }}

{{ } }}

{{ } else { }}

{{ if (raw.pantechdoctype == "pdf"){ }}

{{ } }}

{{ if (raw.pancommonsourcename != "TD pan.dev Docs"){ }} {{ if (raw.pandevdocsosversion){ }} {{ } else { }} {{ if ((_.size(raw.panosversion)>0) && !(_.isNull(raw.panconversationid )) && (!(_.isEmpty(raw.panconversationid ))) && !(_.isNull(raw.otherversions ))) { }} (See other versions) {{ } }} {{ } }} {{ } }}

{{ } }}{{ if (raw.pantechdoctype == "bookDetailPage"){ }}

{{ } }}{{ if (raw.pantechdoctype == "bookLandingPage"){ }}

{{ } }}{{ if (raw.pantechdoctype == "productLanding"){ }}

{{ } }}{{ if (raw.pantechdoctype == "techdocsAuthoredContentPage"){ }}

{{ } }}{{ if (raw.pantechdoctype == "pdf"){ }}

{{ } }}

Configure Active/Active HA (2024)

Recommended For You

References