High availability (HA) timers help a firewall detect a failure of its peer and trigger a failover. To reduce the complexity of configuring HA timers, you can select from three profiles: Recommended, Aggressive and Advanced. These profiles auto-populate the optimum HA timer values for the specific firewall platform to enable a speedier HA deployment.

Use the Recommended profile for typical failover timer settings and the Aggressive profile for faster failover timer settings. The Advanced profile allows you to customize the timer values to suit your network requirements.

The following table describes each timer included in the profiles and the current preset values (Recommended/Aggressive) across the different hardware models; these values are for current reference only and can change in a subsequent release.

| Timers | Description | PA-7000 Series, PA-5200 Series, PA-3200 Series | PA-800 Series, PA-220, VM-Series | Panorama Virtual Appliance, Panorama M-Series |
|---|---|---|---|---|
| Monitor Fail Hold Up Time (ms) | Interval during which the firewall will remain active following a path monitor or link monitor failure. This setting is recommended to avoid an HA failover due to the occasional flapping of neighboring devices. | 0/0 | 0/0 | 0/0 |
| Preemption Hold Time (min) | Time that a passive or active-secondary firewall will wait before taking over as the active or active-primary firewall. | 1/1 | 1/1 | 1/1 |
| Heartbeat Interval (ms) | Frequency at which the HA peers exchange heartbeat messages in the form of an ICMP (ping). | 1000/1000 | 2000/1000 | 2000/1000 |
| Promotion Hold Time (ms) | Time that the passive firewall (in active/passive mode) or the active-secondary firewall (in active/active mode) will wait before taking over as the active or active-primary firewall after communications with the HA peer have been lost. This hold time will begin only after the peer failure declaration has been made. | 2000/500 | 2000/500 | 2000/500 |
| Additional Master Hold Up Time (ms) | Time interval that is applied to the same event as Monitor Fail Hold Up Time (range 0-60000 ms, default 500 ms). The additional time interval is applied only to the active firewall in active/passive mode and to the active-primary firewall in active/active mode. This timer is recommended to avoid a failover when both firewalls experience the same link/path monitor failure simultaneously. | 500/500 | 500/500 | 7000/5000 |
| Hello Interval (ms) | Interval in milliseconds between hello packets that are sent to verify that the HA functionality on the other firewall is operational. The range is 8000-60000 ms with a default of 8000 ms for all platforms. | 8000/8000 | 8000/8000 | 8000/8000 |
| Maximum No. of Flaps | A flap is counted when one of the following occurs: a preemption-enabled firewall leaves the active state within 20 minutes after becoming active; a link or path fails to stay up for 10 minutes after becoming functional. In the case of a failed preemption or non-functional loop, this value indicates the maximum number of flaps that are permitted before the firewall is suspended (range 0-16; default 3). | | | |
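
The two flap conditions in the Maximum No. of Flaps row can be checked against a timeline of HA state changes. The following is an added example, not code from the vendor or from this page: the one-line event format, the sample events and the function names are constructed for illustration, and treating the limit as reached when the flap count equals the maximum is an assumption.

```python
from datetime import datetime, timedelta

PREEMPT_WINDOW = timedelta(minutes=20)  # table: left active within 20 minutes
LINK_WINDOW = timedelta(minutes=10)     # table: link/path stayed up under 10 minutes

# Constructed sample events in a hypothetical "time event object" format
# (not a PAN-OS log format). "fw" is assumed to have preemption enabled.
SAMPLE = """\
2024-01-01T10:00 became-active fw
2024-01-01T10:12 left-active fw
2024-01-01T10:30 up ethernet1/1
2024-01-01T10:34 down ethernet1/1
2024-01-01T11:00 up ethernet1/1
2024-01-01T11:45 down ethernet1/1
2024-01-01T12:00 became-active fw
2024-01-01T12:19 left-active fw
"""

def find_flaps(text):
    """Return (time, object, reason) for each event the table defines as a flap."""
    started = {}  # (start event, object) -> time that state began
    flaps = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, event, obj = line.split()
        when = datetime.fromisoformat(stamp)
        if event in ("became-active", "up"):
            started[(event, obj)] = when
        elif event == "left-active":
            began = started.pop(("became-active", obj), None)
            if began is not None and when - began < PREEMPT_WINDOW:
                flaps.append((when, obj, "left active state within 20 minutes"))
        elif event == "down":
            began = started.pop(("up", obj), None)
            if began is not None and when - began < LINK_WINDOW:
                flaps.append((when, obj, "link/path up for less than 10 minutes"))
    return flaps

def reaches_limit(flaps, max_flaps=3):
    """Assumption: the limit is reached when the count equals max_flaps (default 3)."""
    return len(flaps) >= max_flaps

if __name__ == "__main__":
    found = find_flaps(SAMPLE)
    for when, obj, reason in found:
        print(when.isoformat(), obj, reason)
    print("at or over limit:", reaches_limit(found))
```
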