Configure Active/Active HA
The following procedure describes the basic workflow for configuring your firewalls in an active/active configuration. Before you begin, see Determine Your Active/Active Use Case for configuration examples more tailored to your specific network environment.
You can configure data ports as both dedicated HA interfaces and as dedicated backup HA interfaces. For firewalls without dedicated HA interfaces, such as the PA-200 and PA-220R, you must configure a data port as an HA interface.
Data ports configured as HA1, HA2, or HA3 interfaces can be connected directly to each HA interface on the firewall or connected through a Layer2 switch. For data ports configured as an HA3 interface, you must enable jumbo frames as HA3 messages exceed 1,500 bytes.
To configure active/active, first complete the following steps on one peer and then complete them on the second peer, ensuring that you set the Device ID to different values (0 or 1) on each peer.
  1. Connect the HA ports to set up a physical connection between the firewalls.
    For each use case, the firewalls could be any hardware model; choose the HA3 step that corresponds with your model.
    • For firewalls with dedicated HA ports, use an Ethernet cable to connect the dedicated HA1 ports and the HA2 ports on peers. Use a crossover cable if the peers are directly connected to each other.
    • For firewalls without dedicated HA ports, select two data interfaces for the HA2 link and the backup HA1 link. Then, use an Ethernet cable to connect these in-band HA interfaces across both firewalls. Use the management port for the HA1 link and ensure that the management ports can connect to each other across your network.
    • For HA3:
      • On PA-7000 Series firewalls, connect the High Speed Chassis Interconnect (HSCI-A) on the first chassis to the HSCI-A on the second chassis, and the HSCI-B on the first chassis to the HSCI-B on the second chassis.
      • On the PA-5450 firewall, connect the HSCI-A on the first chassis to the HSCI-A on the second chassis, and the HSCI-B on the first chassis to the HSCI-B on the second chassis.
      • On the PA-5400 Series firewalls (which have one HSCI port), connect the HSCI port on the first chassis to the HSCI port on the second chassis.
      • On PA-5200 Series firewalls (which have one HSCI port), connect the HSCI port on the first chassis to the HSCI port on the second chassis. You can also use data ports for HA3 on PA-5200 Series firewalls.
      • On PA-3400 Series firewalls (which have one HSCI port), connect the HSCI port on the first chassis to the HSCI port on the second chassis.
      • On PA-3200 Series firewalls (which have one HSCI port), connect the HSCI port on the first chassis to the HSCI port on the second chassis.
      • On any other hardware model, use dataplane interfaces for HA3.
  2. Enable ping on the management port.
    Enabling ping allows the management port to exchange heartbeat backup information.
    1. Select Device > Setup > Interfaces > Management.
    2. Select Ping as a service that is permitted on the interface.
  3. If the firewall does not have dedicated HA ports, set up the data ports to function as HA ports.
    For firewalls with dedicated HA ports, continue to the next step.
    1. Select Network > Interfaces.
    2. Confirm that the link is up on the ports that you want to use.
    3. Select the interface and set Interface Type to HA.
    4. Set the Link Speed and Link Duplex settings, as appropriate.
  4. Enable active/active HA and set the group ID.
    1. In Device > High Availability > General, edit Setup.
    2. Select Enable HA.
    3. Enter a Group ID, which must be the same for both firewalls (range is 1-63). The firewall uses the Group ID to calculate the virtual MAC address.
    4. (Optional) Enter a Description.
    5. For Mode, select Active Active.
  5. Set the Device ID, enable synchronization, and identify the control link on the peer firewall.
    1. In Device > High Availability > General, edit Setup.
    2. Set the Device ID as follows:
      • When configuring the first peer, set the Device ID to 0.
      • When configuring the second peer, set the Device ID to 1.
    3. Select Enable Config Sync. This setting is required to synchronize the two firewall configurations (enabled by default).
    4. Enter the Peer HA1 IP Address, which is the IP address of the HA1 control link on the peer firewall.
    5. (Optional) Enter a Backup Peer HA1 IP Address, which is the IP address of the backup control link on the peer firewall.
    6. Click OK.
  6. Determine whether the firewall with the lower Device ID preempts the active-primary firewall upon recovery from a failure.
    1. In Device > High Availability > General, edit Election Settings.
    2. Select Preemptive to cause the firewall with the lower Device ID to automatically resume active-primary operation after either firewall recovers from a failure. Both firewalls must have Preemptive selected for preemption to occur.
      Leave Preemptive unselected if you want the active-primary role to remain with the current firewall until you manually make the recovered firewall the active-primary firewall.
  7. Enable heartbeat backup if your control link uses a dedicated HA port or an in-band port.
    You need not enable heartbeat backup if you are using the management port for the control link.
    1. In Device > High Availability > General, edit Election Settings.
    2. Select Heartbeat Backup.
      To allow the heartbeats to be transmitted between the firewalls, you must verify that the management ports of both peers can route to each other.
      Enabling heartbeat backup allows you to prevent a split-brain situation. Split brain occurs when the HA1 link goes down, causing the firewalls to miss heartbeats even though both are still functioning. In that situation, each peer believes the other is down and attempts to start services that the other is still running, which produces a split brain. Heartbeat backup prevents split brain because redundant heartbeats and hello messages are transmitted over the management port.
  8. (Optional) Modify the HA Timers.
    By default, the HA timer profile is set to the Recommended profile, which is suited for most HA deployments.
    1. In Device > High Availability > General, edit Election Settings.
    2. Select Aggressive to trigger faster failover. Select Advanced to define custom values for triggering failover in your setup.
      To view the preset value for an individual timer included in a profile, select Advanced and click Load Recommended or Load Aggressive. The preset values for your hardware model are displayed on screen.
  9. Set up the control link connection.
    This example uses an in-band port that is set to interface type HA.
    For firewalls that use the management port as the control link, the IP address information is automatically pre-populated.
    1. In Device > High Availability > HA Communications, edit Control Link (HA1).
    2. Select the Port that you have cabled for use as the HA1 link.
    3. Set the IPv4/IPv6 Address and Netmask.
      If the HA1 interfaces are on separate subnets, enter the IP address of the Gateway. Do not add a gateway address if the firewalls are directly connected.
  10. (Optional) Enable encryption for the control link connection.
    This is typically used to secure the link if the two firewalls are not directly connected, that is, if the ports are connected to a switch or a router.
    1. Export the HA key from one firewall and import it into the peer firewall.
      1. Select Device > Certificate Management > Certificates.
      2. Select Export HA key. Save the HA key to a network location that the peer can access.
      3. On the peer firewall, select Device > Certificate Management > Certificates, then select Import HA key, browse to the location where you saved the key, and import it into the peer.
    2. In Device > High Availability > General, edit the Control Link (HA1).
    3. Select Encryption Enabled.
      If you enable encryption, after you finish configuring the HA firewalls, you can Refresh HA1 SSH Keys and Configure Key Options.
  11. Set up the backup control link connection.
    1. In Device > High Availability > HA Communications, edit Control Link (HA1 Backup).
    2. Select the HA1 backup interface and set the IPv4/IPv6 Address and Netmask.
      PA-3200 Series firewalls don't support an IPv6 address for the HA1 backup control link; use an IPv4 address.
  12. Set up the data link connection (HA2) and the backup HA2 connection between the firewalls.
    1. In Device > High Availability > General, edit Data Link (HA2).
    2. Select the Port to use for the data link connection.
    3. Select the Transport method. The default is ethernet, which works when the HA pair is connected directly or through a switch. If you need to route the data link traffic through the network, select IP or UDP as the transport mode.
    4. If you use IP or UDP as the transport method, enter the IPv4/IPv6 Address and Netmask.
    5. Verify that Enable Session Synchronization is selected.
    6. Select HA2 Keep-alive to enable monitoring on the HA2 data link between the HA peers. If a failure occurs based on the threshold that is set (default is 10000 ms), the defined action occurs: depending on your configuration, the system either generates a critical system log message or splits the dataplane.
      You can configure the HA2 Keep-alive option on both firewalls or on just one firewall in the HA pair. If the option is enabled on only one firewall, only that firewall sends the Keep-alive messages; the other firewall is notified if a failure occurs.
      A split dataplane causes the dataplanes of both peers to operate independently while leaving the HA state as active-primary and active-secondary. If only one firewall is configured to split the dataplane, the split applies to the other device as well.
    7. Edit the Data Link (HA2 Backup) section, select the interface, and add the IPv4/IPv6 Address and Netmask.
    8. Click OK.
  13. Configure the HA3 link for packet forwarding.
    1. In Device > High Availability > Active/Active Config, edit Packet Forwarding.
    2. For HA3 Interface, select the interface you want to use to forward packets between active/active HA peers. It must be a dedicated interface capable of Layer 2 transport and set to Interface Type HA.
    3. Select VR Sync to force synchronization of all virtual routers configured on the HA peers. Select this option when the virtual router is not configured for dynamic routing protocols: both peers must be connected to the same next-hop router through a switched network and must use static routing only.
    4. Select QoS Sync to synchronize the QoS profile selection on all physical interfaces. Select this option when both peers have similar link speeds and require the same QoS profiles on all physical interfaces. This setting affects the synchronization of QoS settings on the Network tab; QoS policy is synchronized regardless of this setting.
  14. (Optional) Modify the Tentative Hold time.
    1. In Device > High Availability > Active/Active Config, edit Packet Forwarding.
    2. For Tentative Hold Time (sec), enter the number of seconds that a firewall stays in Tentative state after it recovers post-failure (range is 10-600, default is 60).
  Configure Session Owner Selection and Session Setup.
    1. In Device > High Availability > Active/Active Config, edit Packet Forwarding.
    2. For Session Owner Selection, select one of the following:
      • First Packet—The firewall that receives the first packet of a new session is the session owner (recommended setting). This setting minimizes traffic across HA3 and load shares traffic across peers.
      • Primary Device—The firewall that is in active-primary state is the session owner.
    3. For Session Setup, select one of the following:
      • IP Modulo—The firewall performs an XOR operation on the source and destination IP addresses from the packet and, based on the result, chooses which HA peer will set up the session.
      • Primary Device—The active-primary firewall sets up all sessions.
      • First Packet—The firewall that receives the first packet of a new session performs session setup (recommended setting).
        Start with First Packet for Session Owner and Session Setup; then, based on load distribution, you can change to one of the other options.
      • IP Hash—The firewall uses a hash of either the source IP address or a combination of the source and destination IP addresses to distribute session setup responsibilities.
    4. Click OK.
  15. Configure an HA virtual address.
    You need a virtual address to use a Floating IP Address and Virtual MAC Address or ARP Load-Sharing.
    1. In Device > High Availability > Active/Active Config, Add a Virtual Address.
    2. Enter or select an Interface.
    3. Select the IPv4 or IPv6 tab and click Add.
    4. Enter an IPv4 Address or IPv6 Address.
    5. For Type:
      • Select Floating to configure the virtual IP address as a floating IP address.
      • Select ARP Load Sharing to configure the virtual IP address as a shared IP address, and skip to Configure ARP Load-Sharing.
  16. Configure the floating IP address.
    1. Do not select Floating IP bound to the Active-Primary device unless you want the active/active HA pair to behave like an active/passive HA pair.
    2. For Device 0 Priority and Device 1 Priority, enter a priority for the firewall configured with Device ID 0 and Device ID 1, respectively (range is 0-255). The relative priorities determine which peer owns the floating IP address you just configured: the firewall with the lowest priority value (highest priority) owns the floating IP address.
    3. Select Failover address if link state is down to cause the firewall to use the failover address when the link state on the interface is down.
    4. Click OK.
  17. Configure ARP Load-Sharing.
    The device selection algorithm determines which HA firewall responds to ARP requests, which provides the load sharing.
    1. For Device Selection Algorithm, select one of the following:
      • IP Modulo—The firewall that responds to ARP requests is selected based on the parity of the ARP requester's IP address.
      • IP Hash—The firewall that responds to ARP requests is selected based on a hash of the ARP requester's IP address.
    2. Click OK.
  18. Commit the configuration.
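The following is an added example, not part of the original page or of PAN-OS, that models the heartbeat-backup behaviour described in step 7: a firewall declares its peer down only when heartbeats stop arriving on every path it can hear them on. The decision rule, the Conditions fields and the scenario names are assumptions made for illustration; they show why Heartbeat Backup only prevents split brain when the management ports can actually route to each other.

```python
"""Added example (not from the original page): a model of how one HA firewall
concludes that its peer is down, with and without Heartbeat Backup (step 7).
The decision rule is a simplification assumed for illustration: a peer is
declared down only when no heartbeat arrives on any enabled heartbeat path."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Conditions:
    ha1_link_up: bool        # HA1 control link is passing traffic
    mgmt_reachable: bool     # the two management ports can route to each other
    heartbeat_backup: bool   # Heartbeat Backup selected in Election Settings
    peer_alive: bool         # ground truth: is the peer actually running?


def peer_seen_down(c: Conditions) -> bool:
    """What one firewall concludes about its peer from the heartbeats it receives."""
    heartbeat_on_ha1 = c.ha1_link_up and c.peer_alive
    # Heartbeat Backup only adds a path if it is enabled AND the management
    # ports can reach each other (the check the page asks you to verify).
    heartbeat_on_mgmt = c.heartbeat_backup and c.mgmt_reachable and c.peer_alive
    return not (heartbeat_on_ha1 or heartbeat_on_mgmt)


def pair_outcome(c: Conditions) -> str:
    """Outcome for the HA pair. Both peers see symmetric conditions, so one
    evaluation describes both sides."""
    if not peer_seen_down(c):
        return "normal"
    if c.peer_alive:
        # Both firewalls are up, yet each declares the other down and starts
        # the services the other is still running: split brain.
        return "split-brain"
    return "failover"


if __name__ == "__main__":
    # Constructed scenarios, not observations from real firewalls.
    scenarios = {
        "HA1 cut, no heartbeat backup": Conditions(False, True, False, True),
        "HA1 cut, heartbeat backup, mgmt routable": Conditions(False, True, True, True),
        "HA1 cut, heartbeat backup, mgmt NOT routable": Conditions(False, False, True, True),
        "peer really down": Conditions(False, False, True, False),
    }
    for name, cond in scenarios.items():
        print(f"{name:45s} -> {pair_outcome(cond)}")
```

The third scenario is the one to watch for: Heartbeat Backup is selected, but because the management ports cannot reach each other, an HA1 outage still produces a split brain, which is why the page insists on verifying management-port routing (and enabling ping on it in step 2).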

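The following is an added example, not part of the original page or of PAN-OS, that models the IP Modulo and IP Hash choices for Session Setup (step 14) and for the ARP Load-Sharing Device Selection Algorithm (step 17) over a constructed set of flows. Two details are assumptions rather than documented behaviour: the peer (Device ID 0 or 1) is taken from the lowest bit of the computed value, and CRC-32 stands in for the firewall's undocumented hash function. The sample addresses are constructed.

```python
"""Added example (not from the original page): a model of IP Modulo and
IP Hash peer selection for Session Setup and ARP Load-Sharing.
Assumed, not documented on the page: bit 0 of the computed value selects
Device ID 0 or 1, and CRC-32 stands in for the firewall's hash function."""
import ipaddress
import zlib
from collections import Counter
from typing import Callable, Iterable, Optional, Tuple


def _ip_int(ip: str) -> int:
    return int(ipaddress.ip_address(ip))


def session_setup_ip_modulo(src: str, dst: str) -> int:
    """IP Modulo: XOR the source and destination addresses; the parity of the
    result picks which peer sets up the session (assumed: bit 0 -> Device ID)."""
    return (_ip_int(src) ^ _ip_int(dst)) & 1


def session_setup_ip_hash(src: str, dst: Optional[str] = None) -> int:
    """IP Hash: hash the source address, or source plus destination when dst
    is given (the page allows either). CRC-32 is a stand-in hash."""
    data = ipaddress.ip_address(src).packed
    if dst is not None:
        data += ipaddress.ip_address(dst).packed
    return zlib.crc32(data) & 1


def arp_responder(requester: str, algorithm: str) -> int:
    """ARP Load-Sharing: which peer answers an ARP request for the shared IP."""
    if algorithm == "IP Modulo":
        return _ip_int(requester) & 1  # parity of the requester's address
    if algorithm == "IP Hash":
        return zlib.crc32(ipaddress.ip_address(requester).packed) & 1
    raise ValueError(f"unknown Device Selection Algorithm: {algorithm}")


def distribution(flows: Iterable[Tuple[str, str]],
                 chooser: Callable[[str, str], int]) -> Counter:
    """Count how many flows each Device ID would set up under a chooser."""
    return Counter(chooser(src, dst) for src, dst in flows)


def modulo_is_direction_independent(flows: Iterable[Tuple[str, str]]) -> bool:
    """XOR is commutative, so a flow and its reply traffic map to the same
    peer under IP Modulo; setup and the return path stay together."""
    return all(session_setup_ip_modulo(s, d) == session_setup_ip_modulo(d, s)
               for s, d in flows)


# Constructed sample flows (not captured traffic): 16 clients talking to two servers.
SAMPLE_FLOWS = [(f"10.1.1.{h}", dst)
                for h in range(1, 17) for dst in ("192.0.2.10", "192.0.2.11")]


if __name__ == "__main__":
    print("IP Modulo:", dict(distribution(SAMPLE_FLOWS, session_setup_ip_modulo)))
    print("IP Hash  :", dict(distribution(SAMPLE_FLOWS, session_setup_ip_hash)))
    print("Reply traffic stays on the same peer under IP Modulo:",
          modulo_is_direction_independent(SAMPLE_FLOWS))
    for algo in ("IP Modulo", "IP Hash"):
        answers = Counter(arp_responder(f"10.1.1.{h}", algo) for h in range(1, 17))
        print(f"ARP {algo}: {dict(answers)}")
```

Running the script prints the per-Device-ID counts for each algorithm; with the constructed /28 of clients, IP Modulo splits session setup exactly in half, which is the kind of load-distribution check the page suggests before moving away from the First Packet default.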