Configure HA Settings
To configure HA settings, select
and then, for each group of settings, specify the corresponding information described in the following table.
Specify the following settings:
Config sync should always be enabled.
Specify or enable the following settings:
(HA1)/Control Link (HA1 Backup)
The firewalls in an HA pair use HA links to synchronize data and maintain state information. Some firewall models have a dedicated Control Link and dedicated backup Control Link; for example, PA-5200 Series firewalls have HA1-A and HA1-B. In this case, you should enable the Heartbeat Backup option in the Elections Settings page. If you are using a dedicated HA1 port for the Control Link HA link and a data port for Control Link (HA Backup), it is recommended that you enable the Heartbeat Backup option.
For firewalls that do not have a dedicated HA port, such as PA-200 and PA-220 firewalls, you should configure the management port for the Control Link HA connection and a data port interface configured with type HA for the Control Link HA1 Backup connection. Because the management port is used in this case, there is no need to enable the Heartbeat Backup option in the Elections Settings page because the heartbeat backups will already occur through the management interface connection.
On the VM-Series firewall in AWS, the management port is used as the HA1 link.
When using a data port for the HA control link, keep in mind that because the control messages have to communicate from the dataplane to the management plane, if a failure occurs in the dataplane, peers cannot communicate HA control link information and a failover will occur. It is best to use the dedicated HA ports, or on firewalls that do not have a dedicated HA port, use the management port.
Specify the following settings for the primary and backup HA control links:
Data Link (HA2)
When an HA2 backup link is configured, failover to the backup link will occur if there is a physical link failure. With the HA2 keep-alive option enabled, the failover will also occur if the HA keep-alive messages fail based on the defined threshold.
Specify the following settings for the primary and backup data link:
Link and Path Monitoring Tab (
Not available for the VM-Series firewall in AWS
Specify the following:
Define one or more path groups to monitor specific destination addresses. To add a path group, click
Addfor the interface type (
Virtual Router) and specify the following:
Specify the following:
Define one or more link groups to monitor specific Ethernet links. To add a link group, specify the following and click
Active/Active Config Tab
Enablepeers to forward packets over the HA3 link for session setup and for Layer 7 inspection (App-ID, Content-ID, and threat inspection) of asymmetrically routed sessions.
Select the data interface you plan to use to forward packets between active/active HA peers. The interface you use must be a dedicated Layer 2 interface set to Interface Type
If the HA3 link fails, the active-secondary peer will transition to the non-functional state.To prevent this condition, configure a Link Aggregation Group (LAG) interface with two or more physical interfaces as the HA3 link. The firewall does not support an HA3 Backup link. An aggregate interface with multiple interfaces will provide additional capacity and link redundancy to support packet forwarding between HA peers.
You must enable jumbo frames on the firewall and on all intermediary networking devices when using the HA3 interface. To enable jumbo frames, select
and select the option to
Enable Jumbo Framein the Session Settings section.
Force synchronization of all virtual routers configured on the HA peers.
Use this option when the virtual router is not configured for dynamic routing protocols. Both peers must be connected to the same next-hop router through a switched network and must use static routing only.
Synchronize the QoS profile selection on all physical interfaces. Use this option when both peers have similar link speeds and require the same QoS profiles on all physical interfaces. This setting affects the synchronization of QoS settings on the
Networktab. QoS policy is synchronized regardless of this setting.
Tentative Hold Time (sec)
When a firewall in an HA active/active configuration fails, it will go into a tentative state. The transition from tentative state to active-secondary state triggers the Tentative Hold Time, during which the firewall attempts to build routing adjacencies and populate its route table before it will process any packets. Without this timer, the recovering firewall would enter the active-secondary state immediately and would blackhole packets because it would not have the necessary routes (default is 60 seconds).
Session Owner Selection
The session owner is responsible for all Layer 7 inspection (App-ID and Content-ID) for the session and for generating all Traffic logs for the session. Select one of the following options to specify how to determine the session owner for a packet:
The firewall responsible for session setup performs Layer 2 through Layer 4 processing (including address translation) and creates the session table entry. Because session setup consumes management plane resources, you can select one of the following options to help distribute the load:
Add, select the
IPv6tab and then click
Addagain to enter options to specify the type of HA virtual address to use: Floating or ARP Load Sharing. You can also mix the type of virtual address types in the pair. For example, you could use ARP load sharing on the LAN interface and a Floating IP on the WAN interface.
Suspend local device
(or Make local device functional)
Places the HA peer in a suspended state, and temporarily disables HA functionality on the firewall. If you suspend the currently active firewall, the other peer will take over.
To place a suspended firewall back into a functional state, use the following operational mode CLI command:
To test failover, you can either uncable the active (or active-primary) firewall or you can click this link to suspend the active firewall.
Configure Active/Active HA
Configure Active/Active HA The following procedure describes the basic workflow for configuring your firewalls in an active/active configuration. However, before you begin, Determine Your Active/Active ...
Configuration Guidelines for Active/Passive HA
Configuration Guidelines for Active/Passive HA To set up an active (PeerA) passive (PeerB) pair in HA, you must configure some options identically on both firewalls ...
Configure Active/Passive HA
Configure Active/Passive HA The following procedure shows how to configure a pair of firewalls in an active/passive deployment as depicted in the following example topology. ...
HA Links and Backup Links
HA Links and Backup Links The firewalls in an HA pair use HA links to synchronize data and maintain state information. Some models of the ...
Use Case: Configure Active/Active HA with Floating IP Addre...
Use Case: Configure Active/Active HA with Floating IP Address Bound to Active-Primary Firewall In mission-critical data centers, you may want both Layer 3 HA firewalls ...
Use Case: Configure Active/Active HA with Source DIPP NAT U...
Use Case: Configure Active/Active HA with Source DIPP NAT Using Floating IP Addresses This Layer 3 interface example uses source NAT in Active/Active HA Mode ...
Ports Used for HA
Ports Used for HA Firewalls configured as High Availability (HA) peers must be able to communicate with each other to maintain state information (HA1 control ...
Use Case: Configure Active/Active HA for ARP Load-Sharing w...
Use Case: Configure Active/Active HA for ARP Load-Sharing with Destination NAT This Layer 3 interface example uses NAT in Active/Active HA Mode and ARP Load-Sharing ...
Define HA Failover Conditions
Define HA Failover Conditions Perform the following task to define failover conditions and thus establish what will cause a firewall in an HA pair to ...