Device Priority and Preemption
Where Can I Use This? | What Do I Need?
- CN-Series 10.2.x or above Container Images
- Panorama running PAN-OS 10.2.x or above
- Helm client version 3.6 or above for CN-Series deployment with Helm
The devices in an HA pair can be assigned a device priority value
to indicate a preference for which device should assume the active
role and manage traffic upon failover. If you need to use a specific
device in the HA pair for actively securing traffic, you must enable
the preemptive behavior on both the firewalls and assign a device
priority value for each device. The device with the lower numerical
value, and therefore higher priority, is designated as active and
manages all traffic on the network. The other device is in a passive
state, and synchronizes configuration and state information with the
active device so that it is ready to transition to an active state
should a failure occur.
The device with the lower numeric value becomes active during first
deployment. If the device with the higher numeric value is deployed
first and preemption is disabled, then the device with the higher
numeric value becomes active.
Preemption is not recommended for HA in the CN-Series firewall on AWS.
By default, preemption is disabled on the firewalls. When enabled,
the preemptive behavior allows the firewall with the higher
priority (lower numerical value) to resume as active after
it recovers from a failure. When preemption occurs, the event is
logged in the system logs.
To assign a priority, ensure that the PAN_HA_PRIORITY parameter is
set to a numeric value in the pan-cn-mgmt-configmap-0.yaml and
pan-cn-mgmt-configmap-1.yaml files.
For example:
PAN_HA_PRIORITY: "10"
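The following check is an added example, not part of the original page or of Palo Alto Networks tooling. It reads PAN_HA_PRIORITY from the contents of both ConfigMap files, flags values that are not a plainly quoted number (an unquoted number, or typographic quotes pasted from documentation), and reports which file carries the lower value. The sample ConfigMap fragments and the function names are constructed for illustration.

```python
import re

FILES = ("pan-cn-mgmt-configmap-0.yaml", "pan-cn-mgmt-configmap-1.yaml")
KEY_RE = re.compile(r"^[ \t]*PAN_HA_PRIORITY[ \t]*:[ \t]*(.*?)[ \t]*(?:#.*)?$", re.M)

# Constructed ConfigMap fragments for the demo; not the shipped CN-Series files.
SAMPLE_0 = 'kind: ConfigMap\ndata:\n  PAN_HA_PRIORITY: "10"\n'
SAMPLE_1 = 'kind: ConfigMap\ndata:\n  PAN_HA_PRIORITY: "20"\n'
SAMPLE_PASTED = "kind: ConfigMap\ndata:\n  PAN_HA_PRIORITY: \u201c10\u201d\n"


def read_priority(text):
    """Return (priority, problem); exactly one of the two is None."""
    m = KEY_RE.search(text)
    if not m or not m.group(1):
        return None, "PAN_HA_PRIORITY is missing or empty"
    raw = m.group(1)
    if any(q in raw for q in "\u201c\u201d\u2018\u2019"):
        return None, "typographic quotes in value; use plain ASCII quotes"
    if re.fullmatch(r"[0-9]+", raw):
        return None, "unquoted number; ConfigMap data values must be strings"
    quoted = re.fullmatch(r"\"([0-9]+)\"|'([0-9]+)'", raw)
    if not quoted:
        return None, f"value {raw} is not a quoted number"
    return int(quoted.group(1) or quoted.group(2)), None


def check_pair(cm0, cm1):
    """Return (file holding the preferred device's priority or None, findings)."""
    findings, prios = [], []
    for name, text in zip(FILES, (cm0, cm1)):
        prio, problem = read_priority(text)
        prios.append(prio)
        if problem:
            findings.append(f"{name}: {problem}")
    if None in prios:
        return None, findings
    if prios[0] == prios[1]:
        findings.append("both files set the same priority; no device is preferred")
        return None, findings
    # Lower numerical value means higher priority, per the text above.
    return FILES[prios.index(min(prios))], findings


if __name__ == "__main__":
    print(check_pair(SAMPLE_0, SAMPLE_1))
    print(check_pair(SAMPLE_PASTED, SAMPLE_1))
```

To run it against a real deployment, pass the text of the two files to `check_pair` before applying them.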