High availability (HA) timers enable a firewall to detect a firewall failure and trigger a failover. To reduce the complexity of configuring HA timers, you can select from three profiles: Recommended, Aggressive, and Advanced. These profiles auto-populate the optimum HA timer values for the specific firewall platform to enable a speedier HA deployment. Use the Recommended profile for typical failover timer settings and the Aggressive profile for faster failover timer settings. The Advanced profile allows you to customize the timer values to suit your network requirements.
The following table describes each timer included in the profiles and the current preset values across the different hardware models; these values are for current reference only and can change in a subsequent release.
Monitor fail hold up time
Interval during which the firewall will remain active following a path monitor or link monitor failure. This setting is recommended to avoid an HA failover due to the occasional flapping of neighboring devices.
Preemption hold time
Time that a passive or active-secondary firewall will wait before taking over as the active or active-primary firewall.
Heartbeat interval
Frequency at which the HA peers exchange heartbeat messages in the form of an ICMP (ping).
Promotion hold time
Time that the passive firewall (in active/passive mode) or the active-secondary firewall (in active/active mode) will wait before taking over as the active or active-primary firewall after communications with the HA peer have been lost. This hold time will begin only after the peer failure declaration has been made.
Additional master hold up time
Time interval that is applied to the same event as Monitor Fail Hold Up Time (range 0-60000 ms, default 500 ms). The additional time interval is applied only to the active firewall in active/passive mode and to the active-primary firewall in active/active mode. This timer is recommended to avoid a failover when both firewalls experience the same link/path monitor failure simultaneously.
Hello interval
Interval in milliseconds between hello packets that are sent to verify that the HA functionality on the other firewall is operational. The range is 8000-60000 ms with a default of 8000 ms for all platforms.
Maximum no. of flaps
A flap is counted when one of the following occurs:
In the case of a failed preemption or non-functional loop, this value indicates the maximum number of flaps that are permitted before the firewall is suspended (range 0-16; default 3).