Configure Active/Passive HA

Updated on Apr 19, 2024
The following procedure shows how to configure a pair of firewalls in an active/passive deployment as depicted in the following example topology.

[Figure: example active/passive HA topology]

To configure an active/passive HA pair, first complete the following workflow on the first firewall and then repeat the steps on the second firewall.

  1. Connect the HA ports to set up a physical connection between the firewalls.

    • For firewalls with dedicated HA ports, use an Ethernet cable to connect the dedicated HA1 ports and the HA2 ports on the peers. Use a crossover cable if the peers are directly connected to each other.

    • For firewalls without dedicated HA ports, select two data interfaces for the HA2 link and the backup HA1 link. Then, use an Ethernet cable to connect these in-band HA interfaces across both firewalls.

    On firewalls without dedicated HA ports, use the management port for the HA1 link and ensure that the management ports can connect to each other across your network.

  2. Enable ping on the management port.

    Enabling ping allows the management port to exchange heartbeat backup information.

    1. Select Device > Setup > Management and edit the Management Interface Settings.

    2. Select Ping as a service that is permitted on the interface.

  3. If the firewall does not have dedicated HA ports, set up the data ports to function as HA ports.

    For firewalls with dedicated HA ports, continue to the next step.

    1. Select Network > Interfaces.

    2. Confirm that the link is up on the ports that you want to use.

    3. Select the interface and set Interface Type to HA.

    4. Set the Link Speed and Link Duplex settings, as appropriate.

  4. Set the HA mode and group ID.

    1. Select Device > High Availability > General and edit the Setup section.

    2. Set a Group ID and optionally a Description for the pair. The Group ID uniquely identifies each HA pair on your network. If you have multiple HA pairs that share the same broadcast domain, you must set a unique Group ID for each pair.

    3. Set the mode to Active Passive.

  5. Set up the control link connection.

    This example shows an in-band port that is set to interface type HA.

    For firewalls that use the management port as the control link, the IP address information is automatically pre-populated.

    1. In Device > High Availability > General, edit the Control Link (HA1) section.

    2. Select the Port that you have cabled for use as the HA1 link.

    3. Set the IPv4/IPv6 Address and Netmask.

      If the HA1 interfaces are on separate subnets, enter the IP address of the Gateway. Do not add a gateway address if the firewalls are directly connected or are on the same VLAN.

  6. (Optional) Enable encryption for the control link connection.

    This is typically used to secure the HA1 link if the two firewalls are not directly connected, that is, if the ports are connected to a switch or a router. HA1 carries hello messages, heartbeats, and configuration synchronization between the peers, so anything that can see that segment can read them unless the link is encrypted.

    1. Export the HA key from one firewall and import it into the peer firewall.

      1. Select Device > Certificate Management > Certificates.

      2. Select Export HA key. Save the HA key to a network location that the peer can access. Treat the exported key as a secret: transfer it over a protected channel and remove the copy from that location once the peer has imported it.

      3. On the peer firewall, select Device > Certificate Management > Certificates, and select Import HA key to browse to the location where you saved the key and import it into the peer.

      4. Repeat this process on the second firewall to exchange HA keys on both devices.

    2. Select Device > High Availability > General and edit the Control Link (HA1) section.

    3. Select Encryption Enabled.

      If you enable encryption, after you finish configuring the HA firewalls, you can Refresh HA1 SSH Keys and Configure Key Options.

  7. Set up the backup control link connection.

    1. In Device > High Availability > General, edit the Control Link (HA1 Backup) section.

    2. Select the HA1 backup interface and set the IPv4/IPv6 Address and Netmask.

      PA-3200 Series firewalls don't support an IPv6 address for the HA1 backup control link; use an IPv4 address.

  8. Set up the data link connection (HA2) and the backup HA2 connection between the firewalls.

    1. In Device > High Availability > General, edit the Data Link (HA2) section.

    2. Select the Port to use for the data link connection.

    3. Select the Transport method. The default is ethernet, and will work when the HA pair is connected directly or through a switch. If you need to route the data link traffic through the network, select IP or UDP as the transport mode.

      The HA1 encryption setting in the previous step does not cover HA2. Session synchronization traffic is sent in the clear, so keep the HA2 link on a direct cable or an isolated segment rather than a shared network.

    4. If you use IP or UDP as the transport method, enter the IPv4/IPv6 Address and Netmask.

    5. Verify that Enable Session Synchronization is selected.

    6. Select HA2 Keep-alive to enable monitoring on the HA2 data link between the HA peers. If a failure occurs based on the threshold that is set (default is 10000 ms), the defined action will occur. For an active/passive configuration, a critical system log message is generated when an HA2 keep-alive failure occurs.

      You can configure the HA2 keep-alive option on both firewalls, or on just one firewall in the HA pair. If the option is only enabled on one firewall, only that firewall will send the keep-alive messages. The other firewall will be notified if a failure occurs.

    7. Edit the Data Link (HA2 Backup) section, select the interface, and add the IPv4/IPv6 Address and Netmask.

  9. Enable heartbeat backup if your control link uses a dedicated HA port or an in-band port.

    You do not need to enable heartbeat backup if you are using the management port for the control link.

    1. In Device > High Availability > General, edit the Election Settings.

    2. Select Heartbeat Backup.

      To allow the heartbeats to be transmitted between the firewalls, you must verify that the management ports on both peers can route to each other.

      Enabling heartbeat backup also helps prevent a split-brain situation. Split brain occurs when the HA1 link goes down, causing the firewall to miss heartbeats although the peer is still functioning. In such a situation, each peer believes that the other is down and attempts to start the services that the other is running, thereby causing a split brain. When heartbeat backup is enabled, split brain is prevented because redundant heartbeats and hello messages are transmitted over the management port.

  10. Set the device priority and enable preemption.

    This setting is only required if you wish to make sure that a specific firewall is the preferred active firewall. For information, see Device Priority and Preemption.

    1. In Device > High Availability > General, edit the Election Settings.

    2. Set the numerical value in Device Priority. Make sure to set a lower numerical value on the firewall that you want to assign a higher priority to.

      If both firewalls have the same device priority value, the firewall with the lowest MAC address on the HA1 control link will become the active firewall.

    3. Select Preemptive.

      You must enable preemptive on both the active firewall and the passive firewall.

  11. (Optional) Modify the HA Timers.

    By default, the HA timer profile is set to the Recommended profile and is suited for most HA deployments.

    1. In Device > High Availability > General, edit the Election Settings.

    2. Select the Aggressive profile for triggering failover faster; select Advanced to define custom values for triggering failover in your setup.

      To view the preset value for an individual timer included in a profile, select Advanced and click Load Recommended or Load Aggressive. The preset values for your hardware model will be displayed on screen.

  12. (Optional) Modify the link status of the HA ports on the passive firewall.

    The passive link state is shutdown by default. After you enable HA, the link state for the HA ports on the active firewall will be green and those on the passive firewall will be down and display as red.

    Setting the link state to Auto reduces the amount of time it takes for the passive firewall to take over when a failover occurs, and it allows you to monitor the link state.

    To enable the link status on the passive firewall to stay up and reflect the cabling status on the physical interface:

    1. In Device > High Availability > General, edit the Active Passive Settings.

    2. Set the Passive Link State to Auto.

      The auto option decreases the amount of time it takes for the passive firewall to take over when a failover occurs.

      Although the interface displays green (as cabled and up), it continues to discard all traffic until a failover is triggered.

      When you modify the passive link state, make sure that the adjacent devices do not forward traffic to the passive firewall based only on the link status of the firewall.

  13. Enable HA.

    1. Select Device > High Availability > General and edit the Setup section.

    2. Select Enable HA.

    3. Select Enable Config Sync. This setting enables the synchronization of the configuration settings between the active and the passive firewall.

    4. Enter the IP address assigned to the control link of the peer in Peer HA1 IP Address.

      For firewalls without dedicated HA ports, if the peer uses the management port for the HA1 link, enter the management port IP address of the peer.

    5. Enter the Backup HA1 IP Address.

  14. (Optional) Enable LACP and LLDP Pre-Negotiation for Active/Passive HA for faster failover if your network uses LACP or LLDP.

    Enable LACP and LLDP before configuring HA pre-negotiation for the protocol if you want pre-negotiation to function in active mode.

    1. Ensure that in Step 12 you set the link state to Auto.

    2. Select Network > Interfaces > Ethernet.

    3. To enable LACP active pre-negotiation:

      1. Select an AE interface in a Layer 2 or Layer 3 deployment.

      2. Select the LACP tab.

      3. Select Enable in HA Passive State.

      4. Click OK.

        You cannot also select Same System MAC Address for Active-Passive HA because pre-negotiation requires unique interface MAC addresses on the active and passive firewalls.

    4. To enable LACP passive pre-negotiation:

      1. Select an Ethernet interface in a virtual wire deployment.

      2. Select the Advanced tab.

      3. Select the LACP tab.

      4. Select Enable in HA Passive State.

      5. Click OK.

    5. To enable LLDP active pre-negotiation:

      1. Select an Ethernet interface in a Layer 2, Layer 3, or virtual wire deployment.

      2. Select the Advanced tab.

      3. Select the LLDP tab.

      4. Select Enable in HA Passive State.

      5. Click OK.

        If you want to allow LLDP passive pre-negotiation for a virtual wire deployment, perform Step 14.5 but do not enable LLDP itself.

  15. Save your configuration changes.

    Click Commit.

  16. After you finish configuring both firewalls, verify that the firewalls are paired in active/passive HA.

    1. Access the Dashboard on both firewalls, and view the High Availability widget.

    2. On the active firewall, click the Sync to peer link.

    3. Confirm that the firewalls are paired and synced, as follows:

      • On the passive firewall: the state of the local firewall should display passive and the Running Config should show as synchronized.

      • On the active firewall: the state of the local firewall should display active and the Running Config should show as synchronized.
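The dashboard check in step 16 can be scripted so that it runs after every commit or as a monitoring probe. The Python below is an added example written for this page, not Palo Alto Networks tooling: it parses the XML that the operational command show high-availability state returns through the PAN-OS XML API (type=op) and applies the pairing and sync checks from step 16, plus the consistency rules from steps 4, 10 and 13 (active/passive mode, preemptive on both peers, distinct device priorities). The two sample responses are constructed, not captured from a firewall; the element names follow that command's output but the exact layout, the hostname and the API-key handling in fetch_ha_state are assumptions to confirm against your PAN-OS release.

```python
"""Check that two PAN-OS firewalls are paired in active/passive HA and synced.

Parses `show high-availability state` (PAN-OS XML API, type=op) from each
peer and applies the pairing and consistency checks. Sample responses below
are constructed for this example; element names are an assumption.
"""
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

SHOW_HA_STATE = "<show><high-availability><state/></high-availability></show>"


def fetch_ha_state(host, api_key, timeout=10):
    """Fetch one peer's live response (not called in this offline example).
    TLS verification stays on: give the management interface a trusted
    certificate instead of turning verification off."""
    query = urllib.parse.urlencode(
        {"type": "op", "cmd": SHOW_HA_STATE, "key": api_key})
    url = f"https://{host}/api/?{query}"
    with urllib.request.urlopen(url, context=ssl.create_default_context(),
                                timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def _text(node, path):
    found = node.find(path)
    return (found.text or "").strip().lower() if found is not None else ""


def parse_ha_state(xml_text):
    """Reduce one peer's response to the fields the pairing check needs."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise ValueError("API call failed: status=" + str(root.get("status")))
    group = root.find("./result/group")
    if group is None:
        raise ValueError("no <group> element; is HA enabled on this firewall?")
    return {
        "enabled": _text(root, "./result/enabled") == "yes",
        "mode": _text(group, "mode"),
        "running_sync_enabled": _text(group, "running-sync-enabled") == "yes",
        "running_sync": _text(group, "running-sync"),
        "local_state": _text(group, "local-info/state"),
        "local_priority": int(_text(group, "local-info/priority") or 0),
        "local_preemptive": _text(group, "local-info/preemptive") == "yes",
        "peer_state": _text(group, "peer-info/state"),
    }


def check_pair(fw_a, fw_b):
    """Return a list of findings; an empty list means the pair looks healthy."""
    findings = []
    for label, fw in (("fw_a", fw_a), ("fw_b", fw_b)):
        if not fw["enabled"]:
            findings.append(f"{label}: HA is not enabled")
        if fw["mode"] != "active-passive":
            findings.append(f"{label}: mode is '{fw['mode']}', expected active-passive")
        if not fw["running_sync_enabled"]:
            findings.append(f"{label}: config sync is disabled")
        elif fw["running_sync"] != "synchronized":
            findings.append(f"{label}: running config is '{fw['running_sync']}'; "
                            "click Sync to peer on the active firewall")
    states = sorted([fw_a["local_state"], fw_b["local_state"]])
    if states != ["active", "passive"]:
        findings.append(f"expected one active and one passive peer, got {states}")
    # Each peer's view of the other must match the other's own view; a mismatch
    # usually means HA1 is down without heartbeat backup (the split-brain case).
    if (fw_a["peer_state"] != fw_b["local_state"]
            or fw_b["peer_state"] != fw_a["local_state"]):
        findings.append("peers disagree about each other's state; check HA1 and heartbeat backup")
    if fw_a["local_preemptive"] != fw_b["local_preemptive"]:
        findings.append("preemptive is enabled on only one peer; enable it on both")
    if fw_a["local_priority"] == fw_b["local_priority"]:
        findings.append("device priorities are equal; the lowest HA1 MAC address decides the active peer")
    elif fw_a["local_preemptive"] and fw_b["local_preemptive"]:
        # With preemption, the lower priority number should hold the active role.
        preferred = min(fw_a, fw_b, key=lambda fw: fw["local_priority"])
        if preferred["local_state"] != "active":
            findings.append("preemption is on but the preferred (lower number) peer is not active")
    return findings


def _sample(local_state, priority, peer_state):
    # Constructed response for this example; no real firewall involved.
    return f"""<response status="success"><result><enabled>yes</enabled><group>
<mode>Active-Passive</mode>
<running-sync-enabled>yes</running-sync-enabled>
<running-sync>synchronized</running-sync>
<local-info><state>{local_state}</state><priority>{priority}</priority>
<preemptive>yes</preemptive></local-info>
<peer-info><state>{peer_state}</state></peer-info>
</group></result></response>"""


ACTIVE_XML = _sample("active", 100, "passive")       # healthy active peer
PASSIVE_XML = _sample("passive", 200, "active")      # healthy passive peer
SPLIT_BRAIN_XML = _sample("active", 200, "passive")  # stale view, both claim active

if __name__ == "__main__":
    healthy = check_pair(parse_ha_state(ACTIVE_XML), parse_ha_state(PASSIVE_XML))
    print("healthy pair:", healthy or "paired and synchronized")
    print("split brain:", check_pair(parse_ha_state(ACTIVE_XML),
                                     parse_ha_state(SPLIT_BRAIN_XML)))
```

Against live firewalls, replace the constructed samples with fetch_ha_state("fw-a.example.net", key) and fetch_ha_state("fw-b.example.net", key) (hostnames are placeholders) and alert on any non-empty result; the split-brain sample shows why both peers must be queried rather than trusting one peer's view of the other.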



© 2024 Palo Alto Networks, Inc. All rights reserved.
