Define HA Failover Conditions
Configure HA link monitoring and path monitoring to determine HA failover to a peer.
Perform the following task to use link monitoring or path monitoring to define failover conditions, that is, to establish what will cause a firewall in an HA pair to fail over: an event in which the task of securing traffic passes from the previously active firewall to its HA peer. The HA Overview describes the conditions that cause a failover.
You can monitor multiple IP path groups per virtual router, VLAN, or virtual wire. You can enable each path group with one or more IP addresses and give each its own peer failure conditions. Additionally, you can set these failure conditions at both the path-group level and the broader virtual router or VLAN or virtual wire group level using “any” or “all” fail checks to determine the status of the active firewall.
When you upgrade to PAN-OS 10.0, the firewall automatically transfers your currently monitored destination IP addresses to a newly created destination group and gives that group a default path-monitoring name. The new destination group retains your previous failover condition at the path-group level.
Ensure that you delete all VLAN path monitoring configurations in active/active HA before you upgrade to PAN-OS 10.1 because VLAN path monitoring is not compatible with active/active HA pairing in PAN-OS 10.0; retaining an earlier active/active HA configuration results in an autocommit failure.
Before you enable path monitoring, you must set up your virtual routers, VLAN, or virtual wires or a combination of these logical networking components. Path monitoring in virtual routers and virtual wires is compatible with both active/active and active/passive HA deployments; however, path monitoring in VLANs is supported only on active/passive pairs.
Before you enable path monitoring, you must also:
- Check reachability for destination IP groups in your virtual routers.
- Ensure that the VLANs (for which you intend to enable path monitoring) include configured interfaces.
- Obtain the source IP address that you will use to receive pings from the appropriate destination IP address.
If you are using SNMPv3 to monitor the firewalls, note that the SNMPv3 EngineID is unique to each firewall; the EngineID is not synchronized between the HA peers and therefore allows you to monitor each firewall in the HA pair independently. For information on setting up SNMP, see Forward Traps to an SNMP Manager. Because the EngineID is generated from the firewall serial number, on the VM-Series firewall you must apply a valid license in order to obtain a unique EngineID for each firewall.
- To configure HA link monitoring, specify a group of physical interfaces for the firewall to monitor (link up or link down).
  - Select Device > High Availability > Link and Path Monitoring.
  - In the Link Monitoring section, Add a link group by Name.
  - Select Enabled to enable the link group.
  - Select the Failure Condition for the interfaces in the link group: Any (default) or All.
  - Add the Interface(s) to monitor.
- (Optional) Modify the failure condition for the set of Link Groups configured on the firewall. By default, the firewall triggers a failover when any monitored Link Group fails.
  - Edit the Link Monitoring section.
  - Set the Failure Condition to Any (default) or All.
- To configure HA path monitoring for a virtual wire, VLAN, or virtual router, specify the destination IP addresses that the firewall will ping to verify network connectivity.
  - In the Path Monitoring section, select Add Virtual Wire Path, Add VLAN Path, or Add Virtual Router Path.
  - Enter a Name for the virtual wire, VLAN, or virtual router path group.
  - (Virtual Wire Path or VLAN Path only) Enter the Source IP address to use to ping the destination IP address through the virtual wire or VLAN.
  - Select Enabled to enable the path group.
  - Select the Failure Condition that results in a failure for this path group: Any (default) to issue a failure when one or more Destination IP groups in this path group fail, or All to issue a failure when all Destination IP groups in this path group fail.
  - Enter the Ping Interval in milliseconds; the interval between ICMP messages sent to the Destination IP address (range is 200 to 60,000; default is 200).
  - Enter the Ping Count of pings that must fail before declaring a failure (range is 3 to 10; default is 10).
  - Add and enter a Destination IP Group name.
  - Add one or more Destination IP addresses to ping.
  - Select Enabled to enable path monitoring for the Destination IP group.
  - Select the Failure Condition that results in a failure for this Destination IP group: Any (default) to issue a failure when one or more listed IP addresses is unreachable, or All to issue a failure when all listed IP addresses are unreachable.
  - (Panorama only) Select the appropriate Panorama template to push the path monitoring configuration to your appliance. You can push HA path monitoring for a virtual wire, VLAN, or virtual router only to firewalls running PAN-OS 10.1 or a later release. If you try to push the configuration to firewalls running a release earlier than PAN-OS 10.1 (such as 9.1.x or 9.0.x), the commit may fail or the commit may remove destination IP addresses from the path group.
- (Optional) Modify the failure condition for the set of Path Groups configured on the firewall. By default, the firewall triggers a failover when any monitored Path Group fails.
  - Edit the Path Monitoring section.
  - Select Enabled to enable path monitoring on the appliance.
  - Set the Failure Condition to Any (default) to issue a failure for this firewall when one or more monitored virtual routers, VLANs, or virtual wires is down. Select All to issue a failure for this firewall when all monitored virtual routers, VLANs, or virtual wires are down.
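The failure conditions above nest three deep: Destination IP group (Any/All over its addresses), path group (Any/All over its Destination IP groups, with the Ping Count deciding when an address counts as unreachable), and the Path Monitoring section (Any/All over all path groups), with link monitoring evaluated in parallel over link groups and their interfaces. The model below is an added illustration written for this page, not PAN-OS code or its configuration format; it assumes the page's defaults (Any at every level, Ping Interval 200 ms, Ping Count 10) and uses constructed interface names, addresses and ping counters to show how a single failed gateway or link is tolerated under All but triggers a failover under Any.

```python
"""Illustrative model (not PAN-OS code) of how nested Any/All failure
conditions combine into one HA failover decision."""
from dataclasses import dataclass, field
from typing import Dict, List


def combine(condition: str, member_failed: List[bool]) -> bool:
    """Apply an Any/All failure condition to the members of a group.
    'any' (default): the group fails when one or more members have failed.
    'all': the group fails only when every member has failed.
    A group with no members never counts as failed."""
    if condition not in ("any", "all"):
        raise ValueError(f"unknown failure condition: {condition}")
    if not member_failed:
        return False
    return any(member_failed) if condition == "any" else all(member_failed)


# ---- Link monitoring -------------------------------------------------------
@dataclass
class LinkGroup:
    name: str
    enabled: bool = True
    condition: str = "any"
    # constructed sample state: interface name -> True when the link is up
    link_up: Dict[str, bool] = field(default_factory=dict)

    def failed(self) -> bool:
        if not self.enabled:
            return False
        return combine(self.condition, [not up for up in self.link_up.values()])


# ---- Path monitoring -------------------------------------------------------
@dataclass
class DestinationIPGroup:
    name: str
    enabled: bool = True
    condition: str = "any"
    # constructed sample state: destination IP -> consecutive failed pings
    failed_pings: Dict[str, int] = field(default_factory=dict)

    def failed(self, ping_count: int) -> bool:
        """An address is unreachable once ping_count consecutive pings failed;
        ping_count is set on the enclosing path group."""
        if not self.enabled:
            return False
        unreachable = [n >= ping_count for n in self.failed_pings.values()]
        return combine(self.condition, unreachable)


@dataclass
class PathGroup:
    """One virtual wire, VLAN, or virtual router path group."""
    name: str
    enabled: bool = True
    condition: str = "any"
    ping_interval_ms: int = 200  # page default; range 200 to 60,000
    ping_count: int = 10         # page default; range 3 to 10
    dest_groups: List[DestinationIPGroup] = field(default_factory=list)

    def failed(self) -> bool:
        if not self.enabled:
            return False
        return combine(self.condition,
                       [g.failed(self.ping_count) for g in self.dest_groups])


@dataclass
class HAMonitoring:
    link_condition: str = "any"   # Link Monitoring section
    path_enabled: bool = True     # Path Monitoring section
    path_condition: str = "any"
    link_groups: List[LinkGroup] = field(default_factory=list)
    path_groups: List[PathGroup] = field(default_factory=list)

    def link_failed(self) -> bool:
        return combine(self.link_condition, [g.failed() for g in self.link_groups])

    def path_failed(self) -> bool:
        if not self.path_enabled:
            return False
        return combine(self.path_condition, [g.failed() for g in self.path_groups])

    def should_fail_over(self) -> bool:
        # Either monitor declaring a failure is enough to trigger failover.
        return self.link_failed() or self.path_failed()


def sample_config() -> HAMonitoring:
    """Constructed scenario: one of two uplinks is down and one of two ISP
    gateways in the virtual router path group has stopped answering pings."""
    return HAMonitoring(
        link_groups=[
            LinkGroup("uplinks", condition="all",
                      link_up={"ethernet1/1": True, "ethernet1/2": False}),
        ],
        path_groups=[
            PathGroup("vr-default", condition="any", ping_count=10, dest_groups=[
                DestinationIPGroup("isp-gateways", condition="all",
                                   failed_pings={"203.0.113.1": 12, "203.0.113.2": 0}),
                DestinationIPGroup("dns-resolvers", condition="any",
                                   failed_pings={"192.0.2.53": 0}),
            ]),
        ],
    )


if __name__ == "__main__":
    cfg = sample_config()
    print("link failed:", cfg.link_failed(), "path failed:", cfg.path_failed())
    print("fail over:", cfg.should_fail_over())
```

With the constructed state, both All groups tolerate their single failure and no failover is triggered; switching the ISP gateway group to Any (the default) makes the 12 consecutive failed pings to one gateway propagate up through the path group and the Path Monitoring section into a failover. Changing Ping Count to a value above the observed failure run, or disabling the group, masks the same condition, which is why a change at any one level should be reviewed against the levels above and below it.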