HA Overview
Learn more about high availability (HA) for your managed firewalls in Strata Cloud Manager.
Contact your account team to enable Cloud Management for NGFWs using Strata Cloud Manager.
Where Can I Use This?
  • NGFW (Managed by Strata Cloud Manager)
  • VM-Series, funded with Software NGFW Credits
What Do I Need?
  • AIOps for NGFW Premium license (use the Strata Cloud Manager app)
You can configure two Palo Alto Networks firewalls as an HA pair. HA allows you to minimize downtime by making sure that an alternate firewall is available in the event that a peer firewall fails. The firewalls in an HA pair use dedicated or in-band HA ports on the firewall to synchronize data—network, object, and policy rule configurations—and to maintain state information. Firewall-specific configuration such as management interface IP address or administrator profiles, HA-specific configuration, log data, and the Application Command Center (ACC) information isn’t shared between peers. After you set up HA for your managed firewalls, you can use Strata Cloud Manager for a consolidated application and log view across an HA pair.

HA Mode

You can set up your managed firewalls in an HA pair in an active/passive configuration. In an active/passive HA configuration, one firewall actively manages traffic while the other is synchronized and ready to transition to the active state should a failover occur. In this mode, both firewalls share the same configuration settings, and one actively manages traffic until a path, link, system, or network failure occurs. When the active firewall fails, the passive firewall transitions to the active state and takes over to enforce the same policy rules to maintain network security. Active/passive HA is supported in Layer 2 and Layer 3 deployments.

Device Priority and Preemption

Managed firewalls in an Active/Passive HA configuration can be assigned a device priority to indicate a preference for which firewall should assume the active role. If you need a specific firewall in the HA pair to actively secure traffic, you must enable the preemptive behavior on both firewalls and assign a device priority value to each firewall. The HA peer with the lower numerical value, and therefore the higher priority, is designated as active. The other HA peer is passive.
By default, preemption is disabled on the firewalls and must be enabled on both firewalls. When enabled, the preemptive behavior allows the firewall with the higher priority (lower numerical value) to resume as active after it recovers from a failure. When preemption occurs, the event generates a system log.

Failover

A failover is when a failure occurs on the active HA peer and the passive HA peer takes over securing traffic. The metrics that the firewall monitors to detect and trigger a failover are:
  • Heartbeat Polling and Hello Messages
    The HA peers use hello messages and heartbeats to verify that the peer firewall is responsive and operational. Hello messages are sent from one peer to the other at the configured Hello Interval to verify the state of the firewall. The heartbeat is an ICMP ping to the HA peer over the control link, and the peer responds to the ping to establish that the firewalls are connected and responsive. By default, the interval for the heartbeat is 1,000 milliseconds. A ping is sent every 1,000 milliseconds and if there are three consecutive heartbeat losses, a failover occurs.
  • Link Monitoring
    You can specify a group of physical interfaces for the firewall to monitor; the firewall tracks the state of each link in the group (link up or link down). You determine the failure condition for the link group: Any link down or All links down in the group constitutes a link group failure, but not necessarily a failover.
    You can create multiple link groups, so you also determine the failure condition for the set of link groups: Any link group fails or All link groups fail, which determines when a failover is triggered. The default behavior is that failure of Any link in Any link group causes the firewall to change its HA state to non-functional to indicate the failure of a monitored object.
  • Path Monitoring
    You can specify a destination IP group of IP addresses for the firewall to monitor. The firewall monitors the full path through the network to mission-critical IP addresses using ICMP pings to verify that each IP address is reachable. The default interval for pings is 200 ms. An IP address is considered unreachable when 10 consecutive pings (the default value) fail. You specify the failure condition for the IP addresses in a destination IP group: Any IP address unreachable or All IP addresses unreachable in the group. You can specify multiple destination IP groups for a path group belonging to a virtual wire, VLAN, or logical router, and you specify the failure condition for the destination IP groups in a path group: Any or All, which constitutes a path group failure. You can configure multiple virtual wire path groups, VLAN path groups, and logical router path groups.
    You also determine the global failure condition: Any path group fails or All path groups fail, which determines when a failover is triggered. The default behavior is that Any one of the IP addresses becoming unreachable in Any destination IP group in Any VLAN or logical router path group causes the firewall to change the HA state to non-functional to indicate a failure of a monitored object.
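The nested Any/All conditions above (links within a link group, link groups globally; IP addresses within a destination IP group, destination IP groups within a path group, path groups globally) are easy to misconfigure, because a single stray "Any" at an outer level makes every inner failure a failover trigger. The following added example models that evaluation so the effect of each setting can be checked before committing it. It is an illustration written for this page, not Palo Alto Networks code: the class names, field names and the demo() scenario are assumptions, while the thresholds are the defaults quoted above (heartbeat every 1,000 ms with three consecutive losses, path pings every 200 ms with ten consecutive losses).

```python
# Added illustration of the HA failover evaluation described on this page.
# Not Palo Alto Networks code: names and the demo scenario are assumptions;
# the timing constants are the page's stated defaults.
from dataclasses import dataclass, field
from typing import Dict, List, Literal

Condition = Literal["any", "all"]

HEARTBEAT_INTERVAL_MS = 1000   # default heartbeat ping interval over the control link
HEARTBEAT_LOSS_LIMIT = 3       # consecutive heartbeat losses that trigger failover
PATH_PING_INTERVAL_MS = 200    # default path-monitoring ping interval
PATH_PING_LOSS_LIMIT = 10      # consecutive failed pings before an IP is unreachable


def condition_met(member_failed: List[bool], condition: Condition) -> bool:
    """Apply an Any/All failure condition to the members of a group."""
    if not member_failed:          # an empty group never fails
        return False
    return any(member_failed) if condition == "any" else all(member_failed)


@dataclass
class LinkGroup:
    name: str
    link_up: Dict[str, bool]           # interface name -> link state
    condition: Condition = "any"       # "any": a single down link fails the group

    def failed(self) -> bool:
        return condition_met([not up for up in self.link_up.values()], self.condition)


@dataclass
class DestinationIPGroup:
    name: str
    lost_pings: Dict[str, int]         # monitored IP -> consecutive lost pings
    condition: Condition = "any"

    def unreachable(self) -> List[str]:
        return [ip for ip, lost in self.lost_pings.items() if lost >= PATH_PING_LOSS_LIMIT]

    def failed(self) -> bool:
        down = set(self.unreachable())
        return condition_met([ip in down for ip in self.lost_pings], self.condition)


@dataclass
class PathGroup:                       # one virtual wire, VLAN or logical router
    name: str
    ip_groups: List[DestinationIPGroup]
    condition: Condition = "any"

    def failed(self) -> bool:
        return condition_met([g.failed() for g in self.ip_groups], self.condition)


@dataclass
class HAMonitor:
    heartbeat_losses: int = 0
    link_groups: List[LinkGroup] = field(default_factory=list)
    path_groups: List[PathGroup] = field(default_factory=list)
    link_condition: Condition = "any"  # global default: Any link group fails
    path_condition: Condition = "any"  # global default: Any path group fails

    def heartbeat_failed(self) -> bool:
        return self.heartbeat_losses >= HEARTBEAT_LOSS_LIMIT

    def link_monitoring_failed(self) -> bool:
        return condition_met([g.failed() for g in self.link_groups], self.link_condition)

    def path_monitoring_failed(self) -> bool:
        return condition_met([g.failed() for g in self.path_groups], self.path_condition)

    def evaluate(self) -> List[str]:
        """Return the reasons, if any, the active peer should give up the active role."""
        reasons = []
        if self.heartbeat_failed():
            reasons.append("heartbeat")
        if self.link_monitoring_failed():
            reasons.append("link-monitoring")
        if self.path_monitoring_failed():
            reasons.append("path-monitoring")
        return reasons


def worst_case_detection_ms() -> Dict[str, int]:
    """Time to declare a failure, derived from the defaults as losses x interval."""
    return {
        "heartbeat": HEARTBEAT_LOSS_LIMIT * HEARTBEAT_INTERVAL_MS,
        "path": PATH_PING_LOSS_LIMIT * PATH_PING_INTERVAL_MS,
    }


def demo() -> List[str]:
    """Constructed scenario: one uplink down and one monitored gateway unreachable."""
    uplinks = LinkGroup("uplinks", {"ethernet1/1": True, "ethernet1/2": False})
    gateways = DestinationIPGroup("gateways", {"10.0.0.1": 10, "10.0.0.2": 0})
    lr = PathGroup("lr-default", [gateways])
    return HAMonitor(heartbeat_losses=1, link_groups=[uplinks], path_groups=[lr]).evaluate()


if __name__ == "__main__":
    print(demo(), worst_case_detection_ms())
```

With all conditions left at their "any" defaults, the constructed scenario makes the firewall non-functional for two independent reasons even though the heartbeat is healthy; changing the uplink group to "all" (both uplinks must be down) removes the link-monitoring reason, which is the kind of decision the Any/All settings exist to express.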