HA Active/Active Config (2024)

Updated on Fri Apr 19 00:13:28 UTC 2024


Configure settings for a firewall in HA active/active mode.

  • Device > High Availability > Active/Active Config

To configure settings for an Active/Active HA pair, select Device > High Availability > Active/Active Config.

Active/Active Config Settings

Description

Packet Forwarding

Enable peers to forward packets over the HA3 link for session setup and for Layer 7 inspection (App-ID, Content-ID, and threat inspection) of asymmetrically routed sessions.

HA3 Interface

Select the data interface you plan to use to forward packets between active/active HA peers. The interface you use must be a dedicated Layer 2 interface set to Interface Type HA.

If the HA3 link fails, the active-secondary peer will transition to the non-functional state. To prevent this condition, configure a Link Aggregation Group (LAG) interface with two or more physical interfaces as the HA3 link. The firewall does not support an HA3 Backup link. An aggregate interface with multiple interfaces will provide additional capacity and link redundancy to support packet forwarding between HA peers.

You must enable jumbo frames on all intermediary networking devices when using the HA3 interface.

VR Sync

Force synchronization of all virtual routers configured on the HA peers.

Use this option when the virtual router is not configured for dynamic routing protocols. Both peers must be connected to the same next-hop router through a switched network and must use static routing only.

QoS Sync

Synchronize the QoS profile selection on all physical interfaces. Use this option when both peers have similar link speeds and require the same QoS profiles on all physical interfaces. This setting affects the synchronization of QoS settings on the Network tab. QoS policy is synchronized regardless of this setting.

Tentative Hold Time (sec)

When a firewall in an HA active/active configuration fails, it will go into a tentative state. The transition from tentative state to active-secondary state triggers the Tentative Hold Time, during which the firewall attempts to build routing adjacencies and populate its route table before it will process any packets. Without this timer, the recovering firewall would enter the active-secondary state immediately and would silently discard packets because it would not have the necessary routes (default is 60 seconds).

Session Owner Selection

The session owner is responsible for all Layer 7 inspection (App-ID and Content-ID) for the session and for generating all Traffic logs for the session. Select one of the following options to specify how to determine the session owner for a packet:

  • First packet—Select this option to designate the firewall that receives the first packet in a session as the session owner. This is the best practice configuration to minimize traffic across HA3 and distribute the dataplane load across peers.

  • Primary Device—Select this option if you want the active-primary firewall to own all sessions. In this case, if the active-secondary firewall receives the first packet, it will forward all packets requiring Layer 7 inspection to the active-primary firewall over the HA3 link.

Virtual Address

Click Add, select the IPv4 or IPv6 tab and then click Add again to enter options to specify the type of HA virtual address to use: Floating or ARP Load Sharing. You can also mix the type of virtual address types in the pair. For example, you could use ARP load sharing on the LAN interface and a Floating IP on the WAN interface.

  • Floating—Enter an IP address that will move between HA peers in the event of a link or system failure. Configure two floating IP addresses on the interface, so that each firewall will own one and then set the priority. If either firewall fails, the floating IP address transitions to the HA peer.

    • Device 0 Priority—Set the priority for the firewall with Device ID 0 to determine which firewall will own the floating IP address. A firewall with the lowest value will have the highest priority.

    • Device 1 Priority—Set the priority for the firewall with Device ID 1 to determine which firewall will own the floating IP address. A firewall with the lowest value will have the highest priority.

    • Failover address if link state is down—Use the failover address when the link state is down on the interface.

    • Floating IP bound to the Active-Primary HA device—Select this option to bind the floating IP address to the active-primary peer. In the event one peer fails, traffic is sent continuously to the active-primary peer even after the failed firewall recovers and becomes the active-secondary peer.

Virtual Address (cont)

  • ARP Load Sharing—Enter an IP address that will be shared by the HA pair and provide gateway services for hosts. This option is only required if the firewall is on the same broadcast domain as the hosts. Select the Device Selection Algorithm:

    • IP Modulo—Select the firewall that will respond to ARP requests based on the parity of the ARP requester's IP address.

    • IP Hash—Select the firewall that will respond to ARP requests based on a hash of the ARP requester's IP address.
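The guidance in the settings above can be checked mechanically. The following is an added example, not Palo Alto Networks code: it lints a description of an HA pair and computes floating IP ownership from the Device 0/1 priorities. The dictionary keys, the tie-break to Device 0, and the sample values are assumptions for illustration, not PAN-OS configuration identifiers.

```python
# Added example: key names are hypothetical, not PAN-OS configuration identifiers.

def floating_ip_owner(fip, alive=(True, True), active_primary=0):
    """Return the Device ID (0 or 1) that holds a floating IP, or None."""
    if not any(alive):
        return None
    if fip.get("bind_to_active_primary") and alive[active_primary]:
        return active_primary
    candidates = [d for d in (0, 1) if alive[d]]
    # Lowest priority value wins; a tie going to Device 0 is an assumption.
    return min(candidates, key=lambda d: (fip["priority"][d], d))

def audit(cfg):
    """Return findings where cfg deviates from the guidance in the table."""
    findings = []
    ha3 = cfg["ha3"]
    if cfg["packet_forwarding"]:
        if ha3["interface_type"] != "HA":
            findings.append("HA3 must be a Layer 2 interface of Interface Type HA")
        if len(ha3["members"]) < 2:
            findings.append("HA3 is a single link; its failure makes the "
                            "active-secondary peer non-functional")
        if not ha3["jumbo_frames_on_path"]:
            findings.append("jumbo frames not enabled on intermediary devices")
    if cfg["vr_sync"] and cfg["dynamic_routing"]:
        findings.append("VR Sync is meant for peers using static routing only")
    if cfg["session_owner"] != "first-packet":
        findings.append("session owner is not First packet; more Layer 7 "
                        "traffic crosses HA3")
    unbound = [f for f in cfg["floating_ips"]
               if not f.get("bind_to_active_primary")]
    if unbound and {floating_ip_owner(f) for f in unbound} != {0, 1}:
        findings.append("floating IPs are not split one per firewall")
    return findings

# Constructed sample settings for one HA pair.
SAMPLE = {
    "packet_forwarding": True,
    "ha3": {"interface_type": "HA", "members": ["ethernet1/7"],
            "jumbo_frames_on_path": True},
    "vr_sync": True, "dynamic_routing": True,
    "session_owner": "primary-device",
    "floating_ips": [{"address": "192.0.2.1", "priority": (10, 20)},
                     {"address": "192.0.2.2", "priority": (10, 20)}],
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("-", finding)
```

With the constructed sample, both floating IPs land on Device 0 because each gives it the lower priority value, so the pair gets no load distribution until one priority pair is reversed.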

© 2024 Palo Alto Networks, Inc. All rights reserved.


Author: Terrell Hackett
