Device Priority and Preemption
Learn how Palo Alto Networks NGFWs use device priority and preemption to assign HA
roles.
Where Can I Use This?
- NGFW (Managed by Strata Cloud Manager)
- NGFW (Managed by PAN-OS or Panorama)
What Do I Need?
For Strata Cloud Manager managed NGFWs:
In a high-availability (HA) firewall pair, device priority and preemption work together to
determine which firewall holds the primary (active) role. These settings govern failover
behavior and keep traffic flowing through the firewall you intend to be active.
Each firewall in an Active-Passive HA pair can be assigned a device priority value that
indicates which firewall should assume the active role. If you need a specific firewall in
the pair to actively secure traffic, you must enable preemptive behavior on both firewalls
and assign a device priority value to each firewall. The firewall with the lower numerical
value, and therefore the higher priority, is designated active; the other firewall is
passive. When both firewalls are healthy and online, and preemption is enabled on both,
the firewall with the higher priority assumes the active role. If both firewalls have the
same priority, other factors, such as the MAC address of the HA link, may be used as a
tie-breaker.
The same applies to an Active-Active HA pair, except that the device ID, rather than a
separate device priority value, expresses the preference: the lower device ID corresponds
to the higher priority. The firewall with the higher priority becomes active-primary and
its peer becomes active-secondary.
By default, preemption is disabled and must be enabled on both firewalls before it takes
effect. When enabled, preemptive behavior allows the firewall with the higher priority
(lower numerical value) to resume the active or active-primary role after it recovers from
a failure. Note that this means the pair fails over a second time when the preferred
firewall returns, so confirm that the recovered firewall is stable before relying on
preemption. When preemption occurs, the event is logged in the system logs; on a PAN-OS
managed firewall you can also confirm the current roles with the operational command
show high-availability state.
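The election rules described in the two passages above (priority and device ID selection, and preemption on recovery) are easy to misread, so here is a small model of them in Python. This is an added illustration, not Palo Alto Networks code: it encodes only what this page states (lower device priority or lower device ID wins, preemption counts only when enabled on both peers, a recovered peer takes the role back only with preemption). The 0-255 priority range, the HA1 MAC tie-break, and the peer names and MAC addresses are assumptions made for the example.

```python
"""Model of the PAN-OS HA role election rules described on this page.

Added illustration, not Palo Alto Networks code. Encodes only the page's rules:
lower device priority (active/passive) or lower device ID (active/active) wins,
preemption must be enabled on both peers to count, and a recovered peer takes
the active role back only when preemption is in effect. The priority range and
the MAC-address tie-break are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Firewall:
    name: str
    device_priority: int = 100          # assumed range 0-255; lower value = higher priority
    device_id: int = 0                  # active/active only: lower ID = higher priority
    preemptive: bool = False            # disabled by default, as the page states
    healthy: bool = True
    ha1_mac: str = "00:00:00:00:00:00"  # assumed tie-break input for equal priorities
    role: str = "passive"


def preemption_in_effect(a: Firewall, b: Firewall) -> bool:
    """Preemption only counts when it is enabled on both firewalls."""
    return a.preemptive and b.preemptive


def preferred(a: Firewall, b: Firewall, mode: str) -> Firewall:
    """Peer that the configured priority prefers (lower numeric value wins)."""
    key_a = a.device_id if mode == "active-active" else a.device_priority
    key_b = b.device_id if mode == "active-active" else b.device_priority
    if key_a != key_b:
        return a if key_a < key_b else b
    # Assumed tie-break: lowest HA1 link MAC wins; PAN-OS may use other factors.
    return a if a.ha1_mac <= b.ha1_mac else b


def elect(a: Firewall, b: Firewall, mode: str = "active-passive",
          current_active: Optional[str] = None) -> Optional[str]:
    """Assign roles after an HA event and return the name of the winner.

    current_active is the peer that held the active (or active-primary) role
    before the event; None means a cold start where both peers come up together.
    """
    healthy = [fw for fw in (a, b) if fw.healthy]
    if not healthy:
        return None
    incumbent = next((fw for fw in healthy if fw.name == current_active), None)
    if len(healthy) == 1:
        winner = healthy[0]                  # only one peer can serve traffic
    elif incumbent is None or preemption_in_effect(a, b):
        winner = preferred(a, b, mode)       # priority decides
    else:
        winner = incumbent                   # no preemption: incumbent keeps the role
    if mode == "active-active":
        active, standby = "active-primary", "active-secondary"
    else:
        active, standby = "active", "passive"
    for fw in (a, b):
        fw.role = active if fw is winner else (standby if fw.healthy else "down")
    return winner.name


def recovery_walkthrough(preemptive: bool) -> List[Optional[str]]:
    """Cold start, fw1 fails, fw1 recovers; returns the active peer after each step."""
    fw1 = Firewall("fw1", device_priority=50, preemptive=preemptive, ha1_mac="00:1b:17:00:00:01")
    fw2 = Firewall("fw2", device_priority=100, preemptive=preemptive, ha1_mac="00:1b:17:00:00:02")
    steps = [elect(fw1, fw2)]                                # fw1: lower value wins
    fw1.healthy = False
    steps.append(elect(fw1, fw2, current_active="fw1"))      # fw2 takes over
    fw1.healthy = True
    steps.append(elect(fw1, fw2, current_active="fw2"))      # fw1 returns only if preemptive
    return steps


if __name__ == "__main__":
    print("preemption on :", recovery_walkthrough(True))     # ['fw1', 'fw2', 'fw1']
    print("preemption off:", recovery_walkthrough(False))    # ['fw1', 'fw2', 'fw2']
```

The third step of recovery_walkthrough is the point of the exercise: with preemption off, fw1 comes back healthy but stays passive, which is what you see on real pairs when only one peer has preemptive enabled or when it was never turned on.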