HA Overview
Learn more about high availability (HA) for your managed firewalls in Strata Cloud Manager.
Contact your account team to enable Cloud Management for NGFWs using Strata
Cloud Manager.
You can configure two Palo Alto Networks firewalls as an HA pair. HA allows you to
minimize downtime by making sure that an alternate firewall is available in the event
that a peer firewall fails. The firewalls in an HA pair use dedicated or in-band HA
ports on the firewall to synchronize data—network, object, and policy rule
configurations—and to maintain state information. Firewall-specific configuration such
as management interface IP address or administrator profiles, HA-specific configuration,
log data, and the Application Command Center (ACC) information isn’t shared between
peers. After you set up HA for your managed firewalls, you can use Strata Cloud Manager
for a consolidated application and log view across an HA pair.
HA Mode
You can set up your managed firewalls in an HA pair in an active/passive
configuration. In an active/passive HA configuration, one firewall actively manages
traffic while the other is synchronized and ready to transition to the active state
should a failover occur. In this mode, both firewalls share the same configuration
settings, and one actively manages traffic until a path, link, system, or network
failure occurs. When the active firewall fails, the passive firewall transitions to
the active state and takes over to enforce the same policy rules to maintain network
security. Active/passive HA is supported in Layer 2 and Layer 3 deployments.
Device Priority and Preemption
Managed firewalls in an active/passive HA configuration can be assigned a
device priority to indicate a preference for which firewall should assume the
active role. If you need a specific firewall in the HA pair to actively secure
traffic, you must enable the preemptive behavior on both firewalls and assign a
device priority value to each firewall. The HA peer with the lower numerical
value, and therefore the higher priority, is designated as active. The other HA
peer is passive.
By default, preemption is disabled on the firewalls and must be enabled on both
firewalls. When enabled, the preemptive behavior allows the firewall with the higher
priority (lower numerical value) to resume as active after it recovers from a
failure. When preemption occurs, the event generates a system log.
Failover
A failover is when a failure occurs on the active HA peer and the passive HA peer
takes over securing traffic. The metrics that the firewall monitors to detect and
trigger a failover are:
- Heartbeat Polling and Hello Messages: The HA peers use hello messages and heartbeats to verify that the peer firewall is responsive and operational. Hello messages are sent from one peer to the other at the configured Hello Interval to verify the state of the firewall. The heartbeat is an ICMP ping to the HA peer over the control link, and the peer responds to the ping to establish that the firewalls are connected and responsive. By default, the heartbeat interval is 1,000 milliseconds: a ping is sent every 1,000 milliseconds, and if three consecutive heartbeats are lost, a failover occurs.
- Link Monitoring: You can specify a group of physical interfaces for the firewall to monitor; the firewall then monitors the state of each link in the group (link up or link down). You determine the failure condition for the link group: Any link down or All links down in the group constitutes a link group failure, but not necessarily a failover. You can create multiple link groups, so you also determine the failure condition for the set of link groups: Any link group fails or All link groups fail, which determines when a failover is triggered. The default behavior is that failure of Any link in Any link group causes the firewall to change the HA state to non-functional to indicate the failure of a monitored object.
- Path Monitoring: You can specify a destination IP group of IP addresses for the firewall to monitor. The firewall monitors the full path through the network to mission-critical IP addresses using ICMP pings to verify reachability of each IP address. The default ping interval is 200 ms. An IP address is considered unreachable when 10 consecutive pings (the default value) fail. You specify the failure condition for the IP addresses in a destination IP group: Any IP address unreachable or All IP addresses unreachable in the group. You can specify multiple destination IP groups for a path group for a virtual wire, VLAN, or logical router, and you specify the failure condition of the destination IP groups in a path group: Any or All, which constitutes a path group failure. You can configure multiple virtual wire path groups, VLAN path groups, and logical router path groups. You also determine the global failure condition: Any path group fails or All path groups fail, which determines when a failover is triggered. The default behavior is that Any one of the IP addresses becoming unreachable in Any destination IP group in Any VLAN or logical router path group causes the firewall to change the HA state to non-functional to indicate a failure of a monitored object.
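To make the nested Any/All conditions and the consecutive-loss thresholds concrete, the following is a small decision model added here in Python; it is not Palo Alto Networks code, and the group layout, function names, and probe histories are constructed for illustration.

```python
# Added example (not Palo Alto Networks code): models the failover decision
# rules described above. Group names and probe histories are constructed.
ANY, ALL = "any", "all"

def consecutive_losses(results, threshold):
    """True once `threshold` probes in a row fail: 3 for the 1,000 ms
    heartbeat, 10 for the 200 ms path-monitoring ping (page defaults)."""
    run = 0
    for reply_received in results:
        run = 0 if reply_received else run + 1
        if run >= threshold:
            return True
    return False

def group_failed(member_failures, condition):
    """The Any/All rule applied at every level: destination IP group,
    path group, link group, and the global failure condition."""
    if condition == ANY:
        return any(member_failures)
    if condition == ALL:
        return all(member_failures)
    raise ValueError(f"unknown failure condition {condition!r}")

def heartbeat_failover(heartbeat_replies):
    return consecutive_losses(heartbeat_replies, threshold=3)  # 3 lost heartbeats

def link_failover(link_groups, global_condition=ANY):
    """link_groups: list of (condition, [link_is_down, ...]). A link group
    failure only becomes a failover when the global condition is also met."""
    group_results = [group_failed(links, cond) for cond, links in link_groups]
    return group_failed(group_results, global_condition)

def path_failover(path_groups, global_condition=ANY):
    """path_groups: list of (condition, dest_ip_groups); each dest IP group is
    (condition, [ping_history, ...]) with ping history = list of bools (True = reply)."""
    path_results = []
    for pg_cond, dest_groups in path_groups:
        dest_results = [
            group_failed([consecutive_losses(h, 10) for h in histories], dg_cond)
            for dg_cond, histories in dest_groups]
        path_results.append(group_failed(dest_results, pg_cond))
    return group_failed(path_results, global_condition)

# Constructed sample: one logical-router path group with two destination IP
# groups. Only the second group's single IP has missed 10 pings in a row.
SAMPLE_PATH_GROUPS = [(ANY, [
    (ALL, [[True] * 12, [True] * 5 + [False] * 7]),  # 7 losses < 10: reachable
    (ANY, [[True] * 2 + [False] * 10]),              # 10 losses: unreachable
])]
```

Changing the path group condition in the sample from ANY to ALL shows why a single unreachable address need not trigger a failover when the stricter condition is chosen.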