Next-Generation Firewall
Define HA Failover Conditions (PAN-OS)
Table of Contents
Define HA Failover Conditions (PAN-OS)
Define the high availability (HA) failover conditions for active/passive HA
firewalls.
- To configure HA link monitoring, specify a group of physical interfaces for the firewall to monitor (link up or link down).
- Select .In the Link Monitoring section, Add a link group by Name.Select Enabled to enable the link group.Select the Failure Condition for the interfaces in the link group: Any (default) or All.Add the Interface(s) to monitor.Click OK.(Optional) Modify the failure condition for the set of Link Groups configured on the firewall.By default, the firewall triggers a failover when any monitored Link Group fails.
- Edit the Link Monitoring section.Set the Failure Condition to Any (default) or All.Click OK.To configure HA path monitoring for a virtual wire, VLAN, or virtual router (or logical router for an Advanced Routing Engine), specify the destination IP addresses that the firewall will ping to verify network connectivity.
- In the Path Monitoring section, select Add Virtual Wire Path, Add VLAN Path, or Add Virtual Router Path (or Add Logical Router Path for Advanced Routing Engine).Enter a Name for the virtual wire, VLAN, virtual router path group, or logical routero path group.(Virtual Wire Path or VLAN Path only) Enter the Source IP address to use to ping the destination IP address through the virtual wire or VLAN.Select Enabled to enable the path group.Select the Failure Condition that results in a failure for this path group: Any (default) to issue a failure when one or more Destination IP groups in this path group fail or All to issue a failure when all Destination IP groups in this path group fail.Enter the Ping Interval in milliseconds; the interval between ICMP messages sent to the Destination IP address (range is 200 to 60,000; default is 200).Enter the Ping Count of pings that must fail before declaring a failure (range is 3 to 10; default is 10).Add and enter a Destination IP Group name.Add one or more Destination IP addresses to ping.Select Enabled to enable path monitoring for the Destination IP group.Select the Failure Condition that results in a failure for this Destination IP group: Any (default) to issue a failure when one or more listed IP addresses is unreachable or All to issue a failure when all listed IP addresses are unreachable.Click OK twice.(Panorama only) Select the appropriate Panorama template to push the path monitoring configuration to your appliance.You can push HA path monitoring for a virtual wire, VLAN, or virtual router only to firewalls running PAN-OS 10.0 or a later releases. If you try to push the configuration to firewalls running a release earlier than PAN-OS 10.0 (such as 9.1.x or 9.0.x), the commit may fail or the commit may remove destination IP addresses from the path group.Only HA Path Groups containing one Destination IP Group are supported for managed firewalls running PAN-OS 9.1 and earlier releases.To manage the destination IP addresses from Panorama for managed firewalls running different PAN-OS releases, create a separate template for managed firewalls running PAN-OS 10.0 and later releases and a separate template for managed firewalls running PAN-OS 9.1 and earlier releases. This allows you to more accurately control the destination IP address configuration if you created multiple destination IP groups and ensures your managed firewall successfully fails over.(Optional) Modify the failure condition for the set of Path Groups configured on the firewall.By default, the firewall triggers a failover when any monitored Path Group fails.
- Edit the Path Monitoring section.Select Enabled to enable path monitoring on the appliance.Set the Failure Condition to Any (default) to issue a failure for this firewall when one or more monitored virtual routers, VLANs, or virtual wires is down. Select All to issue a failure for this firewall when all monitored virtual routers, VLANs, or virtual wires are down.Click OK.Commit.
