Define HA Failover Conditions
Focus
Focus

Define HA Failover Conditions

Table of Contents
End-of-Life (EoL)

Define HA Failover Conditions

Configure HA link monitoring and path monitoring to determine HA failover to a peer.
Perform the following task to use link monitoring or path monitoring to define Failover conditions and thus establish what will cause a firewall in an HA pair to fail over, an event where the task of securing traffic passes from the previously active firewall to its HA peer. The HA Overview describes conditions that cause a failover.
You can monitor multiple IP path groups per virtual router, VLAN, or virtual wire. You can enable each path group with one or more IP addresses and give each its own peer failure conditions. Additionally, you can set these failure conditions at both the path-group level and the broader virtual router or VLAN or virtual wire group level using “any” or “all” fail checks to determine the status of the active firewall.
When you upgrade to PAN-OS 10.0, the firewall automatically transfers your currently monitored destination IP addresses to a newly created destination group and gives that group a default path-monitoring name. The new destination group retains your previous failover condition at the path-group level.
Ensure that you delete all VLAN path monitoring configurations in active/active HA before you upgrade to PAN-OS 11.0 because VLAN path monitoring is not compatible with active/active HA pairing in PAN-OS 10.0; retaining an earlier active/active HA configuration results in an autocommit failure.
Before you enable path monitoring, you must set up your virtual routers, VLAN, or virtual wires or a combination of these logical networking components. Path monitoring in virtual routers and virtual wires is compatible with both active/active and active/passive HA deployments; however, path monitoring in VLANs is supported only on active/passive pairs.
Before you enable path monitoring, you must also:
  • Check reachability for destination IP groups in your virtual routers.
  • Ensure that the VLANs (for which you intend to enable path monitoring) include configured interfaces.
  • Obtain the source IP address that you will use to receive pings from the appropriate destination IP address.
If you are using SNMPv3 to monitor the firewalls, note that the SNMPv3 Engine ID is synchronized between the HA pair. For information on setting up SNMP, see Forward Traps to an SNMP Manager. Because the EngineID is generated using the firewall serial number, on the VM-Series firewall you must apply a valid license in order to obtain a unique EngineID for each firewall.
  1. To configure HA link monitoring, specify a group of physical interfaces for the firewall to monitor (link up or link down).
    1. Select DeviceHigh AvailabilityLink and Path Monitoring.
    2. In the Link Monitoring section, Add a link group by Name.
    3. Select Enabled to enable the link group.
    4. Select the Failure Condition for the interfaces in the link group: Any (default) or All.
    5. Add the Interface(s) to monitor.
    6. Click OK.
  2. (Optional) Modify the failure condition for the set of Link Groups configured on the firewall.
    By default, the firewall triggers a failover when any monitored Link Group fails.
    1. Edit the Link Monitoring section.
    2. Set the Failure Condition to Any (default) or All.
    3. Click OK.
  3. To configure HA path monitoring for a virtual wire, VLAN, or virtual router (or logical router for an Advanced Routing Engine), specify the destination IP addresses that the firewall will ping to verify network connectivity.
    1. In the Path Monitoring section, select Add Virtual Wire Path, Add VLAN Path, or Add Virtual Router Path (or Add Logical Router Path for Advanced Routing Engine).
    2. Enter a Name for the virtual wire, VLAN, virtual router path group, or logical routero path group.
    3. (Virtual Wire Path or VLAN Path only) Enter the Source IP address to use to ping the destination IP address through the virtual wire or VLAN.
    4. Select Enabled to enable the path group.
    5. Select the Failure Condition that results in a failure for this path group: Any (default) to issue a failure when one or more Destination IP groups in this path group fail or All to issue a failure when all Destination IP groups in this path group fail.
    6. Enter the Ping Interval in milliseconds; the interval between ICMP messages sent to the Destination IP address (range is 200 to 60,000; default is 200).
    7. Enter the Ping Count of pings that must fail before declaring a failure (range is 3 to 10; default is 10).
    8. Add and enter a Destination IP Group name.
    9. Add one or more Destination IP addresses to ping.
    10. Select Enabled to enable path monitoring for the Destination IP group.
    11. Select the Failure Condition that results in a failure for this Destination IP group: Any (default) to issue a failure when one or more listed IP addresses is unreachable or All to issue a failure when all listed IP addresses are unreachable.
    12. Click OK twice.
    13. (Panorama only) Select the appropriate Panorama template to push the path monitoring configuration to your appliance.
      You can push HA path monitoring for a virtual wire, VLAN, or virtual router only to firewalls running PAN-OS 10.0 or a later releases. If you try to push the configuration to firewalls running a release earlier than PAN-OS 10.0 (such as 9.1.x or 9.0.x), the commit may fail or the commit may remove destination IP addresses from the path group.
      Only HA Path Groups containing one Destination IP Group are supported for managed firewalls running PAN-OS 9.1 and earlier releases.
      To manage the destination IP addresses from Panorama for managed firewalls running different PAN-OS releases, create a separate template for managed firewalls running PAN-OS 10.0 and later releases and a separate template for managed firewalls running PAN-OS 9.1 and earlier releases. This allows you to more accurately control the destination IP address configuration if you created multiple destination IP groups and ensures your managed firewall successfully fails over.
  4. (Optional) Modify the failure condition for the set of Path Groups configured on the firewall.
    By default, the firewall triggers a failover when any monitored Path Group fails.
    1. Edit the Path Monitoring section.
    2. Select Enabled to enable path monitoring on the appliance.
    3. Set the Failure Condition to Any (default) to issue a failure for this firewall when one or more monitored virtual routers, VLANs, or virtual wires is down. Select All to issue a failure for this firewall when all monitored virtual routers, VLANs, or virtual wires are down.
    4. Click OK.
  5. Commit.