>
    Define HA Failover Conditions
    Focus
    Download PDF
    Focus
    1. Home
    2. Next-Generation Firewall
    3. High Availability
    4. Set Up Active/Passive HA
    5. Define HA Failover Conditions
    Download PDF
    Next-Generation Firewall

    Define HA Failover Conditions

    Table of Contents

    Define HA Failover Conditions

    Configure HA link monitoring and path monitoring to determine HA failover to a peer.
    Where Can I Use This?What Do I Need?
    • NGFW
    For Strata Cloud Manager managed NGFWs:
    • Strata Cloud Manager Pro
    Perform the following task to use link monitoring or path monitoring to define Failover conditions and thus establish what will cause a firewall in an HA pair to fail over, an event where the task of securing traffic passes from the previously active firewall to its HA peer.
    You can monitor multiple IP path groups per virtual router, VLAN, or virtual wire. You can enable each path group with one or more IP addresses and give each its own peer failure conditions. Additionally, you can set these failure conditions at both the path-group level and the broader virtual router or VLAN or virtual wire group level using “any” or “all” fail checks to determine the status of the active firewall.
    When you upgrade to PAN-OS 10.0, the firewall automatically transfers your currently monitored destination IP addresses to a newly created destination group and gives that group a default path-monitoring name. The new destination group retains your previous failover condition at the path-group level.
    Ensure that you delete all VLAN path monitoring configurations in active/active HA before you upgrade to PAN-OS 11.1 because VLAN path monitoring is not compatible with active/active HA pairing in PAN-OS 10.0; retaining an earlier active/active HA configuration results in an autocommit failure.
    Before you enable path monitoring, you must set up your logical routers, virtual routers, VLAN, or virtual wires or a combination of these logical networking components. Path monitoring in virtual routers and virtual wires is compatible with both active/active and active/passive HA deployments; however, path monitoring in VLANs is supported only on active/passive pairs.
    Before you enable path monitoring, you must also:
    • Check reachability for destination IP groups in your virtual routers.
    • Ensure that the VLANs (for which you intend to enable path monitoring) include configured interfaces.
    • Obtain the source IP address that you will use to receive pings from the appropriate destination IP address.
    If you are using SNMPv3 to monitor the firewalls, note that the SNMPv3 Engine ID is synchronized between the HA pair. For information on setting up SNMP, see Forward Traps to an SNMP Manager. Because the EngineID is generated using the firewall serial number, on the VM-Series firewall you must apply a valid license in order to obtain a unique EngineID for each firewall.

    Define HA Failover Conditions (PAN-OS)

    Define the high availability (HA) failover conditions for active/passive HA firewalls.
    1. To configure HA link monitoring, specify a group of physical interfaces for the firewall to monitor (link up or link down).
      1. Select DeviceHigh AvailabilityLink and Path Monitoring.
      2. In the Link Monitoring section, Add a link group by Name.
      3. Select Enabled to enable the link group.
      4. Select the Failure Condition for the interfaces in the link group: Any (default) or All.
      5. Add the Interface(s) to monitor.
      6. Click OK.
    2. (Optional) Modify the failure condition for the set of Link Groups configured on the firewall.
      By default, the firewall triggers a failover when any monitored Link Group fails.
      1. Edit the Link Monitoring section.
      2. Set the Failure Condition to Any (default) or All.
      3. Click OK.
    3. To configure HA path monitoring for a virtual wire, VLAN, or virtual router (or logical router for an Advanced Routing Engine), specify the destination IP addresses that the firewall will ping to verify network connectivity.
      1. In the Path Monitoring section, select Add Virtual Wire Path, Add VLAN Path, or Add Virtual Router Path (or Add Logical Router Path for Advanced Routing Engine).
      2. Enter a Name for the virtual wire, VLAN, virtual router path group, or logical routero path group.
      3. (Virtual Wire Path or VLAN Path only) Enter the Source IP address to use to ping the destination IP address through the virtual wire or VLAN.
      4. Select Enabled to enable the path group.
      5. Select the Failure Condition that results in a failure for this path group: Any (default) to issue a failure when one or more Destination IP groups in this path group fail or All to issue a failure when all Destination IP groups in this path group fail.
      6. Enter the Ping Interval in milliseconds; the interval between ICMP messages sent to the Destination IP address (range is 200 to 60,000; default is 200).
      7. Enter the Ping Count of pings that must fail before declaring a failure (range is 3 to 10; default is 10).
      8. Add and enter a Destination IP Group name.
      9. Add one or more Destination IP addresses to ping.
      10. Select Enabled to enable path monitoring for the Destination IP group.
      11. Select the Failure Condition that results in a failure for this Destination IP group: Any (default) to issue a failure when one or more listed IP addresses is unreachable or All to issue a failure when all listed IP addresses are unreachable.
      12. Click OK twice.
      13. (Panorama only) Select the appropriate Panorama template to push the path monitoring configuration to your appliance.
        You can push HA path monitoring for a virtual wire, VLAN, or virtual router only to firewalls running PAN-OS 10.0 or a later releases. If you try to push the configuration to firewalls running a release earlier than PAN-OS 10.0 (such as 9.1.x or 9.0.x), the commit may fail or the commit may remove destination IP addresses from the path group.
        Only HA Path Groups containing one Destination IP Group are supported for managed firewalls running PAN-OS 9.1 and earlier releases.
        To manage the destination IP addresses from Panorama for managed firewalls running different PAN-OS releases, create a separate template for managed firewalls running PAN-OS 10.0 and later releases and a separate template for managed firewalls running PAN-OS 9.1 and earlier releases. This allows you to more accurately control the destination IP address configuration if you created multiple destination IP groups and ensures your managed firewall successfully fails over.
    4. (Optional) Modify the failure condition for the set of Path Groups configured on the firewall.
      By default, the firewall triggers a failover when any monitored Path Group fails.
      1. Edit the Path Monitoring section.
      2. Select Enabled to enable path monitoring on the appliance.
      3. Set the Failure Condition to Any (default) to issue a failure for this firewall when one or more monitored virtual routers, VLANs, or virtual wires is down. Select All to issue a failure for this firewall when all monitored virtual routers, VLANs, or virtual wires are down.
      4. Click OK.
    5. Commit.

    Define HA Failover Conditions (SCM)

    Define the high availability (HA) failover conditions for active/passive HA firewalls.
    1. Log in to Strata Cloud Manager.
    2. Configure a Logical Router or Configure a VLAN to establish the Destination IP addresses you want to monitor.
      Before you enable path monitoring, you must set up your logical routers, VLAN, or a combination of these logical networking components.
    3. Configure Active/Passive HA.
    4. Select ManageConfigurationNGFW and Prisma AccessOverview and select the Folder Configuration Scope that the HA peers are associated with.
    5. In the HA Devices section, edit the HA pair for which you want to define the HA failover conditions.
    6. Select the Failover Condition Settings.
    7. Configure the failover conditions settings for the Primary Device.
      1. Configure the Link Monitoring Failure Condition.
        1. Select the Failure Condition.
          • All of Link Group (default)—Failover occurs when all Link Groups fail.
          • Any of Link Group—Failover occurs when one or more Link Groups fail.
        2. Click +Link Group and select Link Group Failure Condition for the logical routers you want to monitor.
          • All of Link Group (default)—Failure for a Link Group occurs when the firewall is unable to connect to all Destination IP addresses associated with the Link Group.
          • Any of Link Group—Failure for a Link Group occurs when the firewall is unable to connect to any Destination IP addresses associated with the Link Group.
        3. Select the link groups to monitor.
      2. Configure the Path Monitor Failure Condition.
        1. Select the Failure Condition.
          • All of Path Group (default)—Failover occurs when all Path Groups fail.
          • Any of Path Group—Failover occurs when one or more Path Groups fail.
        2. Click +Path Group and select Link Group Failure Condition for the logical routers you want to monitor.
          • All of Link Group (default)—Failure for a Path Group occurs when the firewall is unable to connect to all Destination IP addresses associated with the Path Group.
          • Any of Link Group—Failure for a Path Group occurs when the firewall is unable to connect to any Destination IP addresses associated with the Path Group.
        3. Select the path groups to monitor.
    8. Configure the Link Monitoring Failure Condition and Path Monitoring Failure Condition for the Secondary Device.
    9. Save.
    10. Push Config to push your configuration changes.

    © 2025 Palo Alto Networks, Inc. All rights reserved.