Device Priority and Preemption

Where Can I Use This?
  • CN-Series Firewall deployment
What Do I Need?
  • CN-Series 10.2.x or above Container Images
  • Panorama running PAN-OS 10.2.x or above version
  • Helm 3.6 or above version client for CN-Series deployment with Helm
The devices in an HA pair can be assigned a device priority value to indicate a preference for which device should assume the active role and manage traffic upon failover. If you need to use a specific device in the HA pair for actively securing traffic, you must enable the preemptive behavior on both firewalls and assign a device priority value to each device. The device with the lower numerical value, and therefore higher priority, is designated as active and manages all traffic on the network. The other device is in a passive state and synchronizes configuration and state information with the active device so that it is ready to transition to an active state should a failure occur.
The device with the lower numeric value becomes active during first deployment. If the device with the higher numeric value is deployed first and preemption is disabled, then the device with the higher numeric value becomes active.
Preemption is not recommended for HA in the CN-Series firewall on AWS.
By default, preemption is disabled on the firewalls. When enabled, the preemptive behavior allows the firewall with the higher priority (lower numerical value) to resume as active after it recovers from a failure. When preemption occurs, the event is logged in the system logs.
To add priority, ensure that the parameter PAN_HA_PRIORITY is set to a numeric value in the pan-cn-mgmt-configmap-0.yaml and pan-cn-mgmt-configmap-1.yaml files.
For example:
PAN_HA_PRIORITY: "10"
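
A pre-deployment check for the step above, as an added example that is not part of the original page or of Palo Alto Networks' tooling: it reads PAN_HA_PRIORITY from the text of both ConfigMap files, rejects values that are not a quoted number, and reports which file holds the preferred (lower) value. The function names and the sample manifests are assumptions constructed for illustration.

```python
import re

# Locates the PAN_HA_PRIORITY key at the start of a line (commented-out lines do not match).
PRIORITY_RE = re.compile(r'^[ \t]*PAN_HA_PRIORITY[ \t]*:(.*)$', re.M)
FILES = ("pan-cn-mgmt-configmap-0.yaml", "pan-cn-mgmt-configmap-1.yaml")

def parse_priority(text):
    """Return (value, problem): the priority as an int or None, and a problem string or None."""
    m = PRIORITY_RE.search(text)
    raw = m.group(1).split(" #")[0].strip() if m else ""
    if not raw:
        return None, "PAN_HA_PRIORITY is missing or empty"
    if raw[0] in "\u201c\u201d":
        # Typographic quotes pasted from a web page become part of the string value.
        return None, "curly quotes around the value; use straight quotes"
    if raw.isdigit():
        # Kubernetes ConfigMap data values must be strings, so a bare number is rejected.
        return None, "value is unquoted; quote it so it is a string"
    if len(raw) > 2 and raw[0] == raw[-1] and raw[0] in "\"'" and raw[1:-1].isdigit():
        return int(raw[1:-1]), None
    return None, "value %s is not a quoted number" % raw

def check_pair(cm0_text, cm1_text):
    """Check both management ConfigMaps; return (preferred_file, problems)."""
    values, problems = [], []
    for name, text in zip(FILES, (cm0_text, cm1_text)):
        value, problem = parse_priority(text)
        values.append(value)
        if problem:
            problems.append("%s: %s" % (name, problem))
    if problems:
        return None, problems
    if values[0] == values[1]:
        return None, ["both files use priority %d, so neither device is preferred" % values[0]]
    # Lower numerical value = higher priority = preferred active device.
    return FILES[values.index(min(values))], []

# Constructed sample manifests, reduced to the lines relevant to this check.
SAMPLE_0 = 'apiVersion: v1\nkind: ConfigMap\ndata:\n  PAN_HA_PRIORITY: "10"\n'
SAMPLE_1 = 'apiVersion: v1\nkind: ConfigMap\ndata:\n  PAN_HA_PRIORITY: "20"\n'

if __name__ == "__main__":
    print(check_pair(SAMPLE_0, SAMPLE_1))
```

The preferred file is only the device that priority favors; as described above, which device is actually active also depends on deployment order and on whether preemption is enabled.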
