Next-Generation Firewall
Define HA Failover Conditions
Table of Contents
Expand All
|
Collapse All
Next-Generation Firewall Docs
-
Cloud Management of NGFWs
- PAN-OS 11.1 & Later
- PAN-OS 11.0 (EoL)
- PAN-OS 10.2
- PAN-OS 10.1
- PAN-OS 10.0 (EoL)
- PAN-OS 9.1 (EoL)
- Cloud Management of NGFWs
-
-
-
- Configure a Filter Access List
- Configure a Filter Prefix List
- Configure a Filter Community List
- Configure a BGP Filter Route Map
- Configure a Filter Route Maps Redistribution List
- Configure a Filter AS Path Access List
- Configure an Address Family Profile
- Configure a BGP Authentication Profile
- Configure a BGP Redistribution Profile
- Configure a BGP Filtering Profile
- Configure an OSPF Authentication Profile
- Configure a Logical Router
- Configure a Static Route
- Configure OSPF
- Configure BGP
- Configure an IPSec Tunnel
- Web Proxy
- Cheat Sheet: GlobalProtect for Cloud Management of NGFWs
-
PAN-OS 11.1 & Later
- PAN-OS 11.1 & Later
- PAN-OS 11.0 (EoL)
- PAN-OS 10.2
- PAN-OS 10.1
-
- Tap Interfaces
-
- Layer 2 and Layer 3 Packets over a Virtual Wire
- Port Speeds of Virtual Wire Interfaces
- LLDP over a Virtual Wire
- Aggregated Interfaces for a Virtual Wire
- Virtual Wire Support of High Availability
- Zone Protection for a Virtual Wire Interface
- VLAN-Tagged Traffic
- Virtual Wire Subinterfaces
- Configure Virtual Wires
- Configure a PPPoE Client on a Subinterface
- Configure an IPv6 PPPoE Client
- Configure an Aggregate Interface Group
- Configure Bonjour Reflector for Network Segmentation
- Use Interface Management Profiles to Restrict Access
-
- DHCP Overview
- Firewall as a DHCP Server and Client
- Firewall as a DHCPv6 Client
- DHCP Messages
- Dynamic IPv6 Addressing on the Management Interface
- Configure an Interface as a DHCP Server
- Configure an Interface as a DHCPv4 Client
- Configure an Interface as a DHCPv6 Client with Prefix Delegation
- Configure the Management Interface as a DHCP Client
- Configure the Management Interface for Dynamic IPv6 Address Assignment
- Configure an Interface as a DHCP Relay Agent
-
- DNS Overview
- DNS Proxy Object
- DNS Server Profile
- Multi-Tenant DNS Deployments
- Configure a DNS Proxy Object
- Configure a DNS Server Profile
- Use Case 1: Firewall Requires DNS Resolution
- Use Case 2: ISP Tenant Uses DNS Proxy to Handle DNS Resolution for Security Policies, Reporting, and Services within its Virtual System
- Use Case 3: Firewall Acts as DNS Proxy Between Client and Server
- DNS Proxy Rule and FQDN Matching
-
- NAT Rule Capacities
- Dynamic IP and Port NAT Oversubscription
- Dataplane NAT Memory Statistics
-
- Translate Internal Client IP Addresses to Your Public IP Address (Source DIPP NAT)
- Create a Source NAT Rule with Persistent DIPP
- PAN-OS
- Strata Cloud Manager
- Enable Clients on the Internal Network to Access your Public Servers (Destination U-Turn NAT)
- Enable Bi-Directional Address Translation for Your Public-Facing Servers (Static Source NAT)
- Configure Destination NAT with DNS Rewrite
- Configure Destination NAT Using Dynamic IP Addresses
- Modify the Oversubscription Rate for DIPP NAT
- Reserve Dynamic IP NAT Addresses
- Disable NAT for a Specific Host or Interface
-
- Network Packet Broker Overview
- How Network Packet Broker Works
- Prepare to Deploy Network Packet Broker
- Configure Transparent Bridge Security Chains
- Configure Routed Layer 3 Security Chains
- Network Packet Broker HA Support
- User Interface Changes for Network Packet Broker
- Limitations of Network Packet Broker
- Troubleshoot Network Packet Broker
-
- Enable Advanced Routing
- Logical Router Overview
- Configure a Logical Router
- Create a Static Route
- Configure BGP on an Advanced Routing Engine
- Create BGP Routing Profiles
- Create Filters for the Advanced Routing Engine
- Configure OSPFv2 on an Advanced Routing Engine
- Create OSPF Routing Profiles
- Configure OSPFv3 on an Advanced Routing Engine
- Create OSPFv3 Routing Profiles
- Configure RIPv2 on an Advanced Routing Engine
- Create RIPv2 Routing Profiles
- Create BFD Profiles
- Configure IPv4 Multicast
- Configure MSDP
- Create Multicast Routing Profiles
- Create an IPv4 MRoute
-
-
PAN-OS 11.2
- PAN-OS 11.2
- PAN-OS 11.1
- PAN-OS 11.0 (EoL)
- PAN-OS 10.2
- PAN-OS 10.1
- PAN-OS 10.0 (EoL)
- PAN-OS 9.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 8.1 (EoL)
- Cloud Management and AIOps for NGFW
Define HA Failover Conditions
Define the high availability (HA) failover conditions for active/passive HA
firewalls.
Contact your account team to enable Cloud Management for NGFWs using
Strata Cloud Manager.
| Where Can I Use This? | What Do I Need? |
|---|---|
|
|
Define the link monitoring and path monitoring conditions for your active/passive HA
firewalls to define the failover conditions and establish what will cause a firewall
in an HA pair to fail over, an event where the task of securing traffic from the
previously active firewall to its HA peer. The HA Overview
describes the conditions that cause a failover.
You can monitor multiple IP path groups per logical router or VLAN. You can enable
each path group with one or more IP addresses and give each its own peer failure
conditions. Additionally, you can set these failure conditions at both the
path-group level and the broader logical router or VLAN group level using
Any or All fail checks to
determine the status of the active firewall.
Before you enable path monitoring and define the HA failover conditions, you must
also:
- Check reachability for destination IP groups in your logical routers.
- Ensure that VLANs (for which you intend to enable path monitoring) include configured interfaces.
- Obtain the source IP address that you’ll use to receive pings from the appropriate destination IP address.
- Log in to Strata Cloud Manager.
- Configure a Logical Router or Configure a VLAN to establish the Destination IP addresses you want to monitor.Before you enable path monitoring, you must set up your logical routers, VLAN, or a combination of these logical networking components.
- Select ManageNGFW and Prisma AccessOverview and select the Folder Configuration Scope that the HA peers are associated with.
- In the HA Devices section, edit the HA pair for which you want to define the HA failover conditions.
- Select the Failover Condition Settings.
- Configure the failover conditions settings for the Primary Device.
- Configure the Link Monitoring Failure Condition.
- Select the Failure Condition.
- All of Link Group (default)—Failover occurs when all Link Groups fail.
- Any of Link Group—Failover occurs when one or more Link Groups fail.
- Click +Link Group and select
Link Group Failure Condition for the
logical routers you want to monitor.
- All of Link Group (default)—Failure for a Link Group occurs when the firewall is unable to connect to all Destination IP addresses associated with the Link Group.
- Any of Link Group—Failure for a Link Group occurs when the firewall is unable to connect to any Destination IP addresses associated with the Link Group.
- Select the link groups to monitor.
- Select the Failure Condition.
- Configure the Path Monitor Failure Condition.
- Select the Failure Condition.
- All of Path Group (default)—Failover occurs when all Path Groups fail.
- Any of Path Group—Failover occurs when one or more Path Groups fail.
- Click +Path Group and select
Link Group Failure Condition for the
logical routers you want to monitor.
- All of Link Group (default)—Failure for a Path Group occurs when the firewall is unable to connect to all Destination IP addresses associated with the Path Group.
- Any of Link Group—Failure for a Path Group occurs when the firewall is unable to connect to any Destination IP addresses associated with the Path Group.
- Select the path groups to monitor.
- Select the Failure Condition.
- Configure the Link Monitoring Failure Condition and Path Monitoring Failure Condition for the Secondary Device.
- Save.
- Push Config to push your configuration changes.