You can configure and monitor multiple IP path groups (also known as destination IP groups) per virtual router, VLAN, or virtual wire (vwire) for more granular control over your high availability (HA) failovers. You can enable each destination IP group with one or more IP addresses and give each group its own failure condition. Additionally, you can set these failover conditions at both the destination group level and the broader virtual router/VLAN/vwire group level, using “any” or “all” fail checks to determine the status of the active firewall.

Before you enable path monitoring, you must set up your virtual router, VLAN, virtual wire, or a combination of these logical networking components. Path monitoring in virtual routers and vwires is compatible with both active/active and active/passive HA deployments; however, path monitoring in VLANs is supported only on active/passive pairs.

Before you upgrade to PAN-OS 10.0, ensure that you delete all VLAN path monitoring configurations in active/active HA, because VLAN path monitoring is not compatible with active/active HA pairing in PAN-OS 10.0; retaining an earlier active/active HA configuration will result in an autocommit failure.
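
The "any"/"all" failure checks and the pre-upgrade VLAN check described above, modeled as an added example (not Palo Alto Networks code and not the PAN-OS configuration schema). The class, field and path names and the addresses are constructed for illustration, and the model assumes "any" means one failed member is enough while "all" requires every member to fail.

```python
from dataclasses import dataclass

def _check(condition, failures):
    """'any': one failure is enough; 'all': every member must fail (empty never fails)."""
    if condition not in ("any", "all"):
        raise ValueError(f"unknown failure condition: {condition!r}")
    failures = list(failures)
    return any(failures) if condition == "any" else (bool(failures) and all(failures))

@dataclass
class DestinationGroup:               # hypothetical model of one destination IP group
    name: str
    reachable: dict                   # destination IP -> did the last probe succeed?
    failure_condition: str = "any"

    def failed(self):
        return _check(self.failure_condition, (not ok for ok in self.reachable.values()))

@dataclass
class MonitoredPath:                  # hypothetical model of a VR/VLAN/vwire path
    kind: str                         # "virtual-router", "vlan" or "virtual-wire"
    name: str
    groups: list
    failure_condition: str = "any"

    def failed(self):
        return _check(self.failure_condition, (g.failed() for g in self.groups))

def vlan_paths_blocking_upgrade(ha_mode, paths):
    """VLAN paths to delete before an active/active pair is upgraded to PAN-OS 10.0."""
    if ha_mode != "active-active":
        return []
    return [p.name for p in paths if p.kind == "vlan"]

# Constructed sample state (documentation address ranges, hypothetical names).
core = DestinationGroup("core", {"192.0.2.1": True, "192.0.2.2": False}, "all")
edge = DestinationGroup("edge", {"198.51.100.1": False, "198.51.100.2": True}, "any")
PATHS = [
    MonitoredPath("virtual-router", "vr-default", [core, edge], "any"),
    MonitoredPath("virtual-router", "vr-strict", [core, edge], "all"),
    MonitoredPath("vlan", "vlan-10", [edge], "any"),
]

if __name__ == "__main__":
    for p in PATHS:
        print(p.kind, p.name, "FAILED" if p.failed() else "ok")
    print("delete before upgrade:", vlan_paths_blocking_upgrade("active-active", PATHS))
```

With the same probe results, the "any" path reports a failure while the "all" path does not, which is the difference to weigh when deciding how sensitive a failover trigger should be.
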
To create a destination IP group,
Link and Path Monitoring
Add Virtual Wire Path
Add Virtual Router Path
Configure your Virtual Wire Path, VLAN Path, or Virtual Router Path. When you are ready to create the destination group, at the bottom of the window.
Configure your destination group by adding destination IP addresses and setting the appropriate failure condition.
to confirm your destination group settings. Then click finalizing your Virtual Wire Path, VLAN Path, or Virtual Router
) Select the appropriate Panorama template to push the path monitoring configuration to your appliance.

You can push HA path monitoring for a virtual wire, VLAN, or virtual router only to firewalls running PAN-OS 10.0 or a later release. If you try to push the configuration to firewalls running a release earlier than PAN-OS 10.0 (such as 9.1.x or 9.0.x), the commit may fail or may remove destination IP addresses from the path group.