LACP and LLDP Pre-Negotiation for Active/Passive HA
If a firewall uses LACP or LLDP, negotiation of those
protocols upon failover prevents sub-second failover. However, you
can enable an interface on a passive firewall to negotiate LACP
and LLDP prior to failover. Thus, a firewall in Passive or Non-functional HA
state can communicate with neighboring devices using LACP or LLDP.
Such pre-negotiation speeds up failover.
The PA-3000 Series, PA-5000 Series, and PA-7000 Series firewalls
support a pre-negotiation configuration depending on whether the
Ethernet or AE interface is in a Layer 2, Layer 3, or virtual wire
deployment. An HA passive firewall handles LACP and LLDP packets
in one of two ways:
—The firewall has LACP or LLDP configured
on the interface and actively participates in LACP or LLDP pre-negotiation,
—LACP or LLDP is not configured on the interface
and the firewall does not participate in the protocol, but allows
the peers on either side of the firewall to pre-negotiate LACP or
Pre-negotiation is not supported on subinterfaces or tunnel interfaces.