Configure Active/Passive HA

Configure your firewalls in an active/passive high availability (HA) configuration from Strata Cloud Manager.
Contact your account team to enable Cloud Management for NGFWs using Strata Cloud Manager.
Where Can I Use This?
  • NGFW (Managed by Strata Cloud Manager)
  • VM-Series, funded with Software NGFW Credits
What Do I Need?
  • AIOps for NGFW Premium license (use the Strata Cloud Manager app)
To configure managed firewalls in an active/passive high availability (HA) configuration, they must meet the following prerequisites:
  • The same model—Both firewalls in the pair must be of the same hardware model.
  • The same PAN-OS version—Both firewalls must be running the same PAN-OS version and must each be up to date on the application, URL, and threat databases.
  • Multi Virtual System Capability—Both firewalls must have the multi-vsys capability disabled.
  • The same set of licenses—Licenses are unique to each firewall and can’t be shared between the firewalls. Therefore, you must license both firewalls identically. If both firewalls don’t have an identical set of licenses, they can’t synchronize configuration information and maintain parity for failover.
  • The same type of interfaces—Dedicated HA links or a combination of the management port and in-band ports.
    • Strata Cloud Manager supports IPv4 addresses only.
    • Determine the IP address for the HA1 (control) connection between the HA peers. The HA1 IP address for both peers must be on the same subnet if they’re directly connected or are connected to the same switch.
      For firewalls without dedicated HA ports, you can use the management port for the control connection. Using the management port provides a direct communication link between the management planes on both firewalls. However, because the management ports won’t be directly cabled between the peers, make sure that you have a route that connects these two interfaces across your network.
    • If you use Layer 3 as the transport method for the HA2 (data) connection, determine the IP address for the HA2 link. Use Layer 3 only if the HA2 connection must communicate over a routed network. The IP subnet for the HA2 links must not overlap with IP subnets of HA1 links or with any other subnet assigned to the data ports on the firewall.
  • The same folder—Both firewalls in the HA pair must be added to the same folder.
    Firewalls in an HA pair cannot be moved to a new folder. To move them, you must first break the HA configuration, move both firewalls to the new folder, and then reconfigure HA.
This procedure assumes you already onboarded the firewalls you want to configure in an active/passive HA configuration to Strata Cloud Manager and have added them to the same folder.
  1. Log in to Strata Cloud Manager.
  2. Configure your HA Ethernet interfaces if you intend to use dedicated interfaces for the HA1 control links and HA2 data links.
  3. Select Manage > Overview and select the Folder Configuration Scope that the managed firewalls are associated with.
    Selecting the folder that the managed firewalls are associated with allows you to find and select the managed firewalls you want to configure in an active/passive HA configuration.
  4. In the HA Devices section, click Create HA.
  5. Select the managed firewalls to configure in an active/passive HA configuration.
    • Select Primary Device—Select the firewall to act as the primary active HA peer.
    • Select Secondary Device—Select the firewall to act as the secondary passive HA peer.
    Click Next to continue.
  6. Configure the HA1 Control Link Settings.
    The HA1 control link is used to exchange hellos, heartbeats, HA state information, and management plane synchronization for routing. This link is also used to synchronize configuration changes with its peer.
    1. Configure the HA1 control link settings for the Primary Device.
      1. Select the Ethernet Port for the HA1 control link on the primary HA peer.
      2. Configure the IPv4 Address, Netmask, and Gateway of the HA1 control link for the primary HA peer.
      3. (Optional) Expand the Advanced Settings and enter the Monitor Hold Time (ms) that the firewall waits before declaring a peer failure due to a control link failure. Range is 1,000 to 60,000; default is 3,000.
    2. Configure the HA1 control link settings for the Secondary Device.
      1. Select the Ethernet Port for the HA1 control link on the secondary HA peer.
      2. Configure the IPv4 Address, Netmask, and Gateway of the HA1 control link for the secondary HA peer.
    3. (Optional) Configure the HA1 Backup control link for both the Primary Device and Secondary Device.
      Configuring the HA1 Backup control link provides redundancy for the HA1 link. Consider the following guidelines when configuring backup HA links.
      • The IP addresses of the primary and backup HA links must not overlap each other.
      • HA backup links must be on a different subnet from the primary HA links.
      • HA1-backup and HA2-backup links must be configured on separate physical ports. The HA1-backup link uses ports 28770 and 28260.
    4. Click Next.
  7. Configure the HA2 Data Link Settings.
    The HA2 data link is used to synchronize sessions, forwarding tables, IPSec security associations, and ARP tables. Data flow on the HA2 link is always unidirectional except for the HA2 keep-alive. It flows from the active or active-primary HA peer to the secondary or secondary-active HA peer. The HA2 link is a Layer 2 link.
    1. Configure the HA2 data link settings for the Primary Device.
      1. Select the Ethernet Port for the HA2 data link on the primary HA peer.
      2. Configure the IPv4 Address, Netmask, and Gateway of the HA2 data link for the primary HA peer.
      3. (Optional) Expand the Advanced Settings and verify that Enable Session Synchronization is enabled.
        Enable session synchronization so that the secondary device has the session in its dataplane, which allows the firewall to match packets to the synchronized session and quickly forward packets. If you don’t enable session synchronization, the firewall must create the session again, which introduces latency and could drop connections.
        1. Select the Transport method.
          • Layer2 transport via Ethernet—Use when the firewalls are connected back-to-back or through a switch (EtherType 0x7261).
          • Layer3 transport via IP protocol 99—Use when Layer 3 transport is required (IP protocol number 99).
          • Layer4 transport via UDP/29281—Use to take advantage of the fact that the checksum is calculated on the entire packet rather than just the header, as in the IP option (UDP port 29281). The benefit of using UDP mode is the presence of the UDP checksum to verify the integrity of a session sync message.
        2. (Best Practices) Enable and configure HA2 Keep-alive to monitor the health of the HA2 data link between the HA peers.
          1. Specify the Keep-alive Action as Log Only.
            Logs the failure of the HA2 interface in the system log as a critical event. Select this option for active/passive deployments because the active peer is the only firewall forwarding traffic. The passive peer is in a backup state and isn’t forwarding traffic; therefore a split datapath isn’t required. If you haven’t configured any HA2 Backup links, state synchronization will be turned off. If the HA2 path recovers, an informational log will be generated.
          2. Configure the Keep-alive Threshold (ms) to specify the duration in which keep-alive messages have failed before the Keep-alive Action is triggered. Range is 5,000 to 60,000; default is 10,000.
    2. Configure the HA2 data link settings for the Secondary Device.
      1. Select the Ethernet Port for the HA2 data link on the secondary HA peer.
      2. Configure the IPv4 Address, Netmask, and Gateway of the HA2 data link for the secondary HA peer.
    3. (Optional) Configure the HA2 Backup data link for both the Primary Device and Secondary Device.
      When an HA2 backup link is configured, failover to the backup link will occur if there’s a physical link failure. With the HA2 keep-alive option enabled, the failover will also occur if the HA keep-alive messages fail based on the defined threshold.
    4. Click Next.
  8. Push Config to push your configuration changes.
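As an added example (not code from the Strata Cloud Manager documentation or product), the following Python plan checker encodes the pairing prerequisites and the HA1/HA2 addressing rules above so a planned pair can be validated before Push Config. The Peer fields, the helper names and the sample addresses are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Peer:  # constructed plan for one HA peer; field names are this example's own, not SCM's
    model: str
    panos: str
    multi_vsys: bool
    licenses: frozenset
    ha1: str                  # HA1 control link, "ip/prefix"
    ha2: str                  # HA2 data link, "ip/prefix"
    data_subnets: tuple = ()  # subnets assigned to the data ports
    ha1_backup: str = ""      # optional backup links and their physical ports
    ha1_backup_port: str = ""
    ha2_backup: str = ""
    ha2_backup_port: str = ""

def _n(cidr):  # subnet that an "ip/prefix" interface address belongs to
    return ipaddress.ip_interface(cidr).network

def check_ha_pair(a, b, hold_ms=3000, keepalive_ms=10000):
    p = []  # list of prerequisite violations; empty means the plan passes
    if a.model != b.model: p.append("model mismatch")
    if a.panos != b.panos: p.append("PAN-OS version mismatch")
    if a.multi_vsys or b.multi_vsys: p.append("multi-vsys must be disabled on both peers")
    if a.licenses != b.licenses: p.append("license sets differ")
    if _n(a.ha1) != _n(b.ha1): p.append("HA1 addresses are not on the same subnet")
    for peer in (a, b):
        for cidr in (peer.ha1, peer.ha2, peer.ha1_backup, peer.ha2_backup):
            if cidr and ipaddress.ip_interface(cidr).version != 4:
                p.append(f"{cidr}: Strata Cloud Manager supports IPv4 only")
        # HA2 subnet must not overlap either HA1 subnet or any data-port subnet
        others = [_n(a.ha1), _n(b.ha1)] + [ipaddress.ip_network(s) for s in peer.data_subnets]
        if any(_n(peer.ha2).overlaps(o) for o in others):
            p.append(f"HA2 subnet {_n(peer.ha2)} overlaps an HA1 or data subnet")
        # backup links: different subnet from the primary link, separate physical ports
        if peer.ha1_backup and _n(peer.ha1_backup) == _n(peer.ha1):
            p.append("HA1 backup must be on a different subnet from HA1")
        if peer.ha2_backup and _n(peer.ha2_backup) == _n(peer.ha2):
            p.append("HA2 backup must be on a different subnet from HA2")
        if peer.ha1_backup_port and peer.ha1_backup_port == peer.ha2_backup_port:
            p.append("HA1-backup and HA2-backup must be on separate physical ports")
    if not 1000 <= hold_ms <= 60000: p.append("Monitor Hold Time outside 1,000-60,000 ms")
    if not 5000 <= keepalive_ms <= 60000: p.append("Keep-alive Threshold outside 5,000-60,000 ms")
    return p

# Constructed sample plan: same model and version, HA1 on 10.0.1.0/30, HA2 on 10.0.2.0/30
LIC = frozenset({"Threat Prevention", "Advanced URL Filtering"})
PRIMARY = Peer("PA-1410", "11.1.2", False, LIC, "10.0.1.1/30", "10.0.2.1/30", ("192.168.10.0/24",))
SECONDARY = Peer("PA-1410", "11.1.2", False, LIC, "10.0.1.2/30", "10.0.2.2/30", ("192.168.20.0/24",))
```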