Configure Active/Passive HA
Updated on Apr 19, 2024
The following procedure shows how to configure a pair of firewalls in an active/passive deployment as depicted in the following example topology.

To configure an active/passive HA pair, first complete the following workflow on the first firewall and then repeat the steps on the second firewall.

Step 1. Connect the HA ports to set up a physical connection between the firewalls.

For firewalls with dedicated HA ports, use an Ethernet cable to connect the dedicated HA1 ports and the HA2 ports on the peers. Use a crossover cable if the peers are directly connected to each other.

For firewalls without dedicated HA ports, select two data interfaces for the HA2 link and the backup HA1 link. Then, use an Ethernet cable to connect these in-band HA interfaces across both firewalls. Use the management port for the HA1 link and ensure that the management ports can connect to each other across your network.

Step 2. Enable ping on the management port.

Enabling ping allows the management port to exchange heartbeat backup information.

  a. Select Device > Setup > Management and edit the Management Interface Settings.
  b. Select Ping as a service that is permitted on the interface.

Step 3. If the firewall does not have dedicated HA ports, set up the data ports to function as HA ports.

For firewalls with dedicated HA ports, continue to the next step.

  a. Select Network > Interfaces.
  b. Confirm that the link is up on the ports that you want to use.
  c. Select the interface and set Interface Type to HA.
  d. Set the Link Speed and Link Duplex settings, as appropriate.

Step 4. Set the HA mode and group ID.

  a. Select Device > High Availability > General and edit the Setup section.
  b. Set a Group ID and optionally a Description for the pair. The Group ID uniquely identifies each HA pair on your network. If you have multiple HA pairs that share the same broadcast domain, you must set a unique Group ID for each pair.
  c. Set the mode to Active Passive.

Step 5. Set up the control link connection.

This example shows an in-band port that is set to interface type HA. For firewalls that use the management port as the control link, the IP address information is automatically pre-populated.

  a. In Device > High Availability > General, edit the Control Link (HA1) section.
  b. Select the Port that you have cabled for use as the HA1 link.
  c. Set the IPv4/IPv6 Address and Netmask.
  d. If the HA1 interfaces are on separate subnets, enter the IP address of the Gateway. Do not add a gateway address if the firewalls are directly connected or are on the same VLAN.

Step 6. (Optional) Enable encryption for the control link connection.

This is typically used to secure the link if the two firewalls are not directly connected, that is, if the ports are connected to a switch or a router.

  a. Export the HA key from one firewall and import it into the peer firewall.
     - Select Device > Certificate Management > Certificates.
     - Select Export HA key. Save the HA key to a network location that the peer can access.
     - On the peer firewall, select Device > Certificate Management > Certificates, and select Import HA key to browse to the location where you saved the key and import it into the peer.
     - Repeat this process on the second firewall to exchange HA keys on both devices.
  b. Select Device > High Availability > General and edit the Control Link (HA1) section.
  c. Select Encryption Enabled.

  If you enable encryption, after you finish configuring the HA firewalls, you can Refresh HA1 SSH Keys and Configure Key Options.

Step 7. Set up the backup control link connection.

  a. In Device > High Availability > General, edit the Control Link (HA1 Backup) section.
  b. Select the HA1 backup interface and set the IPv4/IPv6 Address and Netmask.

  PA-3200 Series firewalls don't support an IPv6 address for the HA1 backup control link; use an IPv4 address.

Step 8. Set up the data link connection (HA2) and the backup HA2 connection between the firewalls.

  a. In Device > High Availability > General, edit the Data Link (HA2) section.
  b. Select the Port to use for the data link connection.
  c. Select the Transport method. The default is ethernet, which works when the HA pair is connected directly or through a switch. If you need to route the data link traffic through the network, select IP or UDP as the transport mode.
  d. If you use IP or UDP as the transport method, enter the IPv4/IPv6 Address and Netmask.
  e. Verify that Enable Session Synchronization is selected.
  f. Select HA2 Keep-alive to enable monitoring on the HA2 data link between the HA peers. If a failure occurs based on the threshold that is set (default is 10000 ms), the defined action will occur. For an active/passive configuration, a critical system log message is generated when an HA2 keep-alive failure occurs.
     You can configure the HA2 keep-alive option on both firewalls, or on just one firewall in the HA pair. If the option is only enabled on one firewall, only that firewall will send the keep-alive messages. The other firewall will be notified if a failure occurs.
  g. Edit the Data Link (HA2 Backup) section, select the interface, and add the IPv4/IPv6 Address and Netmask.

Step 9. Enable heartbeat backup if your control link uses a dedicated HA port or an in-band port.

You do not need to enable heartbeat backup if you are using the management port for the control link.

  a. In Device > High Availability > General, edit the Election Settings.
  b. Select Heartbeat Backup. To allow the heartbeats to be transmitted between the firewalls, you must verify that the management ports on both peers can route to each other.

Enabling heartbeat backup also allows you to prevent a split-brain situation. Split brain occurs when the HA1 link goes down, causing the firewall to miss heartbeats although the firewall is still functioning. In such a situation, each peer believes that the other is down and attempts to start the services that are running, thereby causing a split brain. When the heartbeat backup link is enabled, split brain is prevented because redundant heartbeats and hello messages are transmitted over the management port.

Step 10. Set the device priority and enable preemption.

This setting is only required if you wish to make sure that a specific firewall is the preferred active firewall. For information, see Device Priority and Preemption.

  a. In Device > High Availability > General, edit the Election Settings.
  b. Set the numerical value in Device Priority. Make sure to set a lower numerical value on the firewall that you want to assign a higher priority to. If both firewalls have the same device priority value, the firewall with the lowest MAC address on the HA1 control link will become the active firewall.
  c. Select Preemptive. You must enable Preemptive on both the active firewall and the passive firewall.
Step 11. (Optional) Modify the HA Timers.

By default, the HA timer profile is set to the Recommended profile, which is suited for most HA deployments.

  a. In Device > High Availability > General, edit the Election Settings.
  b. Select the Aggressive profile for triggering failover faster; select Advanced to define custom values for triggering failover in your setup.

  To view the preset value for an individual timer included in a profile, select Advanced and click Load Recommended or Load Aggressive. The preset values for your hardware model will be displayed on screen.

Step 12. (Optional) Modify the link status of the HA ports on the passive firewall.

The passive link state is shutdown by default. After you enable HA, the link state for the HA ports on the active firewall will be green and those on the passive firewall will be down and display as red. Setting the link state to Auto reduces the amount of time it takes for the passive firewall to take over when a failover occurs, and it allows you to monitor the link state.

To enable the link status on the passive firewall to stay up and reflect the cabling status on the physical interface:

  a. In Device > High Availability > General, edit the Active Passive Settings.
  b. Set the Passive Link State to Auto. The auto option decreases the amount of time it takes for the passive firewall to take over when a failover occurs.

Although the interface displays green (as cabled and up), it continues to discard all traffic until a failover is triggered.

When you modify the passive link state, make sure that the adjacent devices do not forward traffic to the passive firewall based only on the link status of the firewall.

Step 13. Enable HA.

  a. Select Device > High Availability > General and edit the Setup section.
  b. Select Enable HA.
  c. Select Enable Config Sync. This setting enables the synchronization of the configuration settings between the active and the passive firewall.
  d. Enter the IP address assigned to the control link of the peer in Peer HA1 IP Address. For firewalls without dedicated HA ports, if the peer uses the management port for the HA1 link, enter the management port IP address of the peer.
  e. Enter the Backup HA1 IP Address.

Step 14. (Optional) Enable LACP and LLDP Pre-Negotiation for Active/Passive HA for faster failover if your network uses LACP or LLDP.

Enable LACP and LLDP before configuring HA pre-negotiation for the protocol if you want pre-negotiation to function in active mode.

  a. Ensure that in Step 12 you set the link state to Auto.
  b. Select Network > Interfaces > Ethernet.
  c. To enable LACP active pre-negotiation:
     - Select an AE interface in a Layer 2 or Layer 3 deployment.
     - Select the LACP tab.
     - Select Enable in HA Passive State.
     - Click OK.
     You cannot also select Same System MAC Address for Active-Passive HA, because pre-negotiation requires unique interface MAC addresses on the active and passive firewalls.
  d. To enable LACP passive pre-negotiation:
     - Select an Ethernet interface in a virtual wire deployment.
     - Select the Advanced tab.
     - Select the LACP tab.
     - Select Enable in HA Passive State.
     - Click OK.
  e. To enable LLDP active pre-negotiation:
     - Select an Ethernet interface in a Layer 2, Layer 3, or virtual wire deployment.
     - Select the Advanced tab.
     - Select the LLDP tab.
     - Select Enable in HA Passive State.
     - Click OK.
     If you want to allow LLDP passive pre-negotiation for a virtual wire deployment, perform Step 14.e but do not enable LLDP itself.

Step 15. Save your configuration changes.

  Click Commit.

Step 16. After you finish configuring both firewalls, verify that the firewalls are paired in active/passive HA.

  a. Access the Dashboard on both firewalls, and view the High Availability widget.
  b. On the active firewall, click the Sync to peer link.
  c. Confirm that the firewalls are paired and synced, as follows:
     - On the passive firewall: the state of the local firewall should display passive and the Running Config should show as synchronized.
     - On the active firewall: the state of the local firewall should display active and the Running Config should show as synchronized.
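The Dashboard check in Step 16 is a one-off; an operator usually wants the same verification (one peer active, the other passive, running config synchronized, and no split brain of the kind Step 9 warns about) to be repeatable after every commit or failover test. The following Python is an added example written for this page, not code from the PAN-OS documentation or product. It builds the XML API request for the `show high-availability state` operational command, which is a real PAN-OS XML API call, and checks a response. The element layout the checker reads (`result/enabled`, `result/group/mode`, `local-info/state`, `peer-info/state`, `running-sync`) is an assumed simplification of the firewall's reply, and the two sample responses are constructed, not captured from a firewall; `host` and `api_key` are placeholders.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Operational command for the PAN-OS XML API (type=op) that returns the HA state.
HA_STATE_CMD = "<show><high-availability><state></state></high-availability></show>"


def ha_state_url(host: str, api_key: str) -> str:
    """URL of the XML API op call. host and api_key are placeholders supplied by the caller;
    nothing is sent from this example."""
    return f"https://{host}/api/?" + urlencode({"type": "op", "cmd": HA_STATE_CMD, "key": api_key})


def check_active_passive(xml_text: str, expected_local_state: str) -> list:
    """Return a list of problems found in one peer's HA state response.
    An empty list means this peer shows the healthy pairing from Step 16:
    local state as expected, peers active/passive, running config synchronized.
    ASSUMPTION: the element names below simplify the real response layout."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        return [f"API call failed: status={root.get('status')!r}"]
    group = root.find("./result/group")
    if root.findtext("./result/enabled") != "yes" or group is None:
        return ["HA is not enabled on this firewall"]

    mode = group.findtext("mode", "")
    if mode.lower() != "active-passive":
        problems.append(f"unexpected HA mode {mode!r}")

    local = group.findtext("local-info/state", "").lower()
    peer = group.findtext("peer-info/state", "").lower()
    if local != expected_local_state:
        problems.append(f"local state is {local!r}, expected {expected_local_state!r}")
    if local == "active" and peer == "active":
        # Both peers believe they own the active role: the split-brain case from Step 9.
        problems.append("split brain: both peers report active")
    elif {local, peer} != {"active", "passive"}:
        problems.append(f"peers are not paired active/passive (local={local!r}, peer={peer!r})")

    if group.findtext("running-sync", "").lower() != "synchronized":
        problems.append("running config is not synchronized with the peer")
    return problems


# Constructed sample responses (not captured from a real firewall).
HEALTHY_ACTIVE = """<response status="success"><result>
  <enabled>yes</enabled>
  <group>
    <mode>Active-Passive</mode>
    <local-info><state>active</state><priority>50</priority><preemptive>yes</preemptive></local-info>
    <peer-info><state>passive</state><priority>100</priority><preemptive>yes</preemptive></peer-info>
    <running-sync>synchronized</running-sync>
  </group>
</result></response>"""

# Same pair after the HA1 link was lost without heartbeat backup: both claim active, config drifts.
SPLIT_BRAIN = (HEALTHY_ACTIVE
               .replace("<state>passive</state>", "<state>active</state>")
               .replace("synchronized", "not synchronized"))


if __name__ == "__main__":
    print(ha_state_url("fw-a.example.invalid", "API_KEY_PLACEHOLDER"))
    for label, doc in (("healthy", HEALTHY_ACTIVE), ("split-brain", SPLIT_BRAIN)):
        print(label, check_active_passive(doc, "active") or "OK")
```

Run the check against both peers, passing `"active"` for the firewall you expect to be active and `"passive"` for the other; a non-empty list on either side is a reason not to proceed with the failover test. The API key is a credential with the firewall's admin rights, so keep it out of the script and out of shell history (read it from an environment variable or a secrets store) and fetch the URL only over TLS with certificate verification enabled.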