LACP and LLDP Pre-Negotiation for Active/Passive
If a firewall uses LACP or LLDP, negotiation of those
protocols upon failover prevents sub-second failover. However, you
can enable an interface on a passive firewall to negotiate LACP
and LLDP prior to failover. Thus, a firewall in Passive or Non-functional HA
state can communicate with neighboring devices using LACP or LLDP.
Such pre-negotiation speeds up failover.
The PA-3000 Series, PA-5000 Series, PA-5200 Series, and PA-7000
Series firewalls support a pre-negotiation configuration depending
on whether the Ethernet or AE interface is in a Layer 2, Layer 3,
or virtual wire deployment. An HA passive firewall handles LACP
and LLDP packets in one of two ways:
—The firewall has LACP or LLDP configured
on the interface and actively participates in LACP or LLDP pre-negotiation,
—LACP or LLDP is not configured on the interface
and the firewall does not participate in the protocol, but allows
the peers on either side of the firewall to pre-negotiate LACP or

Pre-negotiation is not supported on subinterfaces or tunnel interfaces.