End-of-Life (EoL)

HA Additional Path Monitoring Groups

Learn about path monitoring in HA deployments.
You can configure and monitor multiple IP path groups (also known as destination IP groups) per virtual router, VLAN, or virtual wire (vwire) to gain more granular control over your high availability (HA) failovers. You can configure each destination IP group with one or more IP addresses and give each group its own failure condition. Additionally, you can set these failover conditions at both the destination group level and the broader virtual router/VLAN/vwire group level, using “any” or “all” fail checks to determine the status of the active firewall.
Before you enable path monitoring, you must set up your virtual router, VLAN, virtual wire, or a combination of these logical networking components. Path monitoring in virtual routers and vwires is compatible with both active/active and active/passive HA deployments; however, path monitoring in VLANs is supported only on active/passive pairs.
Ensure that you delete all VLAN path monitoring configurations in active/active HA before you upgrade to PAN-OS 10.0 because VLAN path monitoring is not compatible with active/active HA pairing in PAN-OS 10.0; retaining an earlier active/active HA configuration will result in an autocommit failure.
  1. To create a destination IP group, go to High Availability > Link and Path Monitoring.
  2. Click Add Virtual Wire Path, Add VLAN Path, or Add Virtual Router Path.
  3. Configure your Virtual Wire Path, VLAN Path, or Virtual Router Path. When you are ready to create the destination group, click
    at the bottom of the window.
  4. Configure your destination group by adding destination IP addresses and setting the appropriate failure condition.
  5. Click
    to confirm your destination group settings. Then click
    again after finalizing your Virtual Wire Path, VLAN Path, or Virtual Router Path settings.
  6. (Panorama only) Select the appropriate Panorama template to push the path monitoring configuration to your appliance.
    You can push HA path monitoring for a virtual wire, VLAN, or virtual router only to firewalls running PAN-OS 10.0 or a later release. If you try to push the configuration to firewalls running a release earlier than PAN-OS 10.0 (such as 9.1.x or 9.0.x), the commit may fail or the commit may remove destination IP addresses from the path group.
    Only HA Path Groups containing one Destination IP Group are supported for managed firewalls running PAN-OS 9.1 and earlier releases.
    To manage the destination IP addresses from Panorama for managed firewalls running different PAN-OS releases, create a separate template for managed firewalls running PAN-OS 10.0 and later releases and a separate template for managed firewalls running PAN-OS 9.1 and earlier releases. This allows you to more accurately control the destination IP address configuration if you created multiple destination IP groups and ensures your managed firewall successfully fails over.
  7. Commit your changes.
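
The compatibility constraints above (VLAN path monitoring only on active/passive pairs, one destination IP group per path group on PAN-OS 9.1 and earlier, separate templates per release family) can be checked before a push. The following is an added example, not Palo Alto Networks code: the inventory model, the template names, and the sample firewalls are assumptions made for illustration and do not correspond to any PAN-OS or Panorama API.

```python
from dataclasses import dataclass, field

# Hypothetical inventory model for this example; not PAN-OS or Panorama API objects.
@dataclass
class PathGroup:
    kind: str                 # "virtual-router", "vlan" or "virtual-wire"
    name: str
    destination_groups: dict  # destination IP group name -> list of IP addresses

@dataclass
class Firewall:
    name: str
    panos: str                # release string such as "10.0.4" or "9.1.12"
    ha_mode: str              # "active-passive" or "active-active"
    path_groups: list = field(default_factory=list)

def release(fw):
    """Parse (major, minor) from the release string."""
    major, minor = fw.panos.split(".")[:2]
    return int(major), int(minor)

def template_for(fw):
    """One template for PAN-OS 10.0 and later, one for 9.1 and earlier (names assumed)."""
    return "ha-pathmon-10.0-plus" if release(fw) >= (10, 0) else "ha-pathmon-9.1-minus"

def lint(fw):
    """Return the constraints stated on this page that the firewall's config violates."""
    findings = []
    for pg in fw.path_groups:
        if pg.kind == "vlan" and fw.ha_mode == "active-active":
            findings.append(f"{fw.name}: VLAN path '{pg.name}' in active/active HA")
        if release(fw) < (10, 0) and len(pg.destination_groups) > 1:
            findings.append(f"{fw.name}: path '{pg.name}' has "
                            f"{len(pg.destination_groups)} destination IP groups, max 1")
    return findings

# Constructed sample inventory; addresses are from documentation ranges.
TWO_GROUPS = {"dns": ["192.0.2.53"], "upstream": ["198.51.100.1", "198.51.100.2"]}
FLEET = [
    Firewall("fw-edge-a", "10.0.4", "active-passive",
             [PathGroup("virtual-router", "default", TWO_GROUPS)]),
    Firewall("fw-dc-b", "9.1.12", "active-passive",
             [PathGroup("virtual-router", "default", TWO_GROUPS)]),
    Firewall("fw-core-c", "10.0.4", "active-active",
             [PathGroup("vlan", "vlan-10", {"gw": ["203.0.113.1"]})]),
]

if __name__ == "__main__":
    for fw in FLEET:
        print(fw.name, "->", template_for(fw), lint(fw) or "ok")
```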
