Define HA Failover Conditions
Focus
Focus

Define HA Failover Conditions

Table of Contents

Define HA Failover Conditions

Configure HA link monitoring and path monitoring to determine HA failover to a peer.
Perform the following task to use link monitoring or path monitoring to define Failover conditions and thus establish what will cause a firewall in an HA pair to fail over, an event where the task of securing traffic passes from the previously active firewall to its HA peer. The HA Overview describes conditions that cause a failover.
You can monitor multiple IP path groups per virtual router, VLAN, or virtual wire. You can enable each path group with one or more IP addresses and give each its own peer failure conditions. Additionally, you can set these failure conditions at both the path-group level and the broader virtual router or VLAN or virtual wire group level using “any” or “all” fail checks to determine the status of the active firewall.
When you upgrade to PAN-OS 10.0, the firewall automatically transfers your currently monitored destination IP addresses to a newly created destination group and gives that group a default path-monitoring name. The new destination group retains your previous failover condition at the path-group level.
Ensure that you delete all VLAN path monitoring configurations in active/active HA before you upgrade to PAN-OS 10.2 because VLAN path monitoring is not compatible with active/active HA pairing in PAN-OS 10.0; retaining an earlier active/active HA configuration results in an autocommit failure.
Before you enable path monitoring, you must set up your virtual routers, VLAN, or virtual wires or a combination of these logical networking components. Path monitoring in virtual routers and virtual wires is compatible with both active/active and active/passive HA deployments; however, path monitoring in VLANs is supported only on active/passive pairs.
Before you enable path monitoring, you must also:
  • Check reachability for destination IP groups in your virtual routers.
  • Ensure that the VLANs (for which you intend to enable path monitoring) include configured interfaces.
  • Obtain the source IP address that you will use to receive pings from the appropriate destination IP address.
If you are using SNMPv3 to monitor the firewalls, note that the SNMPv3 Engine ID is synchronized between the HA pair. For information on setting up SNMP, see Forward Traps to an SNMP Manager. Because the EngineID is generated using the firewall serial number, on the VM-Series firewall you must apply a valid license in order to obtain a unique EngineID for each firewall.
  1. To configure HA link monitoring, specify a group of physical interfaces for the firewall to monitor (link up or link down).
    1. Select
      Device
      High Availability
      Link and Path Monitoring
      .
    2. In the Link Monitoring section,
      Add
      a link group by
      Name
      .
    3. Select
      Enabled
      to enable the link group.
    4. Select the
      Failure Condition
      for the interfaces in the link group:
      Any
      (default) or
      All
      .
    5. Add
      the
      Interface
      (s) to monitor.
    6. Click
      OK
      .
  2. (
    Optional
    ) Modify the failure condition for the set of Link Groups configured on the firewall.
    By default, the firewall triggers a failover when any monitored Link Group fails.
    1. Edit the
      Link Monitoring
      section.
    2. Set the
      Failure Condition
      to
      Any
      (default) or
      All
      .
    3. Click
      OK
      .
  3. To configure HA path monitoring for a virtual wire, VLAN, or virtual router (or logical router for an Advanced Routing Engine), specify the destination IP addresses that the firewall will ping to verify network connectivity.
    1. In the Path Monitoring section, select
      Add Virtual Wire Path
      ,
      Add VLAN Path
      , or
      Add Virtual Router Path
      (or
      Add Logical Router Path
      for Advanced Routing Engine).
    2. Enter a
      Name
      for the virtual wire, VLAN, virtual router path group, or logical routero path group.
    3. (
      Virtual Wire Path or VLAN Path only
      ) Enter the
      Source IP
      address to use to ping the destination IP address through the virtual wire or VLAN.
    4. Select
      Enabled
      to enable the path group.
    5. Select the
      Failure Condition
      that results in a failure for this path group:
      Any
      (default) to issue a failure when one or more Destination IP groups in this path group fail or
      All
      to issue a failure when all Destination IP groups in this path group fail.
    6. Enter the
      Ping Interval
      in milliseconds; the interval between ICMP messages sent to the Destination IP address (range is 200 to 60,000; default is 200).
    7. Enter the
      Ping Count
      of pings that must fail before declaring a failure (range is 3 to 10; default is 10).
    8. Add
      and enter a
      Destination IP Group
      name.
    9. Add
      one or more
      Destination IP
      addresses to ping.
    10. Select
      Enabled
      to enable path monitoring for the Destination IP group.
    11. Select the
      Failure Condition
      that results in a failure for this Destination IP group:
      Any
      (default) to issue a failure when one or more listed IP addresses is unreachable or
      All
      to issue a failure when all listed IP addresses are unreachable.
    12. Click
      OK
      twice.
    13. (
      Panorama only
      ) Select the appropriate Panorama template to push the path monitoring configuration to your appliance.
      You can push HA path monitoring for a virtual wire, VLAN, or virtual router only to firewalls running PAN-OS 10.0 or a later releases. If you try to push the configuration to firewalls running a release earlier than PAN-OS 10.0 (such as 9.1.x or 9.0.x), the commit may fail or the commit may remove destination IP addresses from the path group.
      Only HA Path Groups containing one Destination IP Group are supported for managed firewalls running PAN-OS 9.1 and earlier releases.
      To manage the destination IP addresses from Panorama for managed firewalls running different PAN-OS releases, create a separate template for managed firewalls running PAN-OS 10.0 and later releases and a separate template for managed firewalls running PAN-OS 9.1 and earlier releases. This allows you to more accurately control the destination IP address configuration if you created multiple destination IP groups and ensures your managed firewall successfully fails over.
  4. (
    Optional
    ) Modify the failure condition for the set of Path Groups configured on the firewall.
    By default, the firewall triggers a failover when any monitored Path Group fails.
    1. Edit the
      Path Monitoring
      section.
    2. Select
      Enabled
      to enable path monitoring on the appliance.
    3. Set the
      Failure Condition
      to
      Any
      (default) to issue a failure for this firewall when one or more monitored virtual routers, VLANs, or virtual wires is down. Select
      All
      to issue a failure for this firewall when all monitored virtual routers, VLANs, or virtual wires are down.
    4. Click
      OK
      .
  5. Commit
    .

Recommended For You