HA Firewall States

An HA firewall can be in one of the following states. For each state, the HA mode in which it can occur is given in parentheses (A/P = active/passive, A/A = active/active).

Initial (A/P or A/A)
Transient state of a firewall when it joins the HA pair. The firewall remains in this state after boot-up until it discovers a peer and negotiation begins. After a timeout, the firewall becomes active if HA negotiation has not started.

Active (A/P)
State of the active firewall in an active/passive configuration.

Passive (A/P)
State of the passive firewall in an active/passive configuration. The passive firewall is ready to become the active firewall with no disruption to the network. Although the passive firewall is not processing other traffic:

Active-primary (A/A)
In an active/active configuration, state of the firewall that connects to User-ID agents, runs DHCP server and DHCP relay, and matches NAT and PBF rules with the Device ID of the active-primary firewall. A firewall in this state can own sessions and set up sessions.

Active-secondary (A/A)
In an active/active configuration, state of the firewall that connects to User-ID agents, runs DHCP server, and matches NAT and PBF rules with the Device ID of the active-secondary firewall. A firewall in active-secondary state does not support DHCP relay. A firewall in this state can own sessions and set up sessions.

Tentative (A/A)
State of a firewall (in an active/active configuration) caused by one of the following:
A firewall in tentative state synchronizes sessions and configurations from the peer.
After the failed path or link clears, or as a failed firewall transitions from tentative state to active-secondary state, the Tentative Hold Time is triggered and routing convergence occurs. The firewall attempts to build routing adjacencies and populate its route table before processing any packets. Without this timer, the recovering firewall would enter active-secondary state immediately and would blackhole packets because it would not yet have the necessary routes.
When a firewall leaves suspended state, it goes into tentative state for the Tentative Hold Time once its links are up and able to process incoming packets.
The Tentative Hold Time can be disabled (0 seconds) or set in the range 10-600 seconds; the default is 60 seconds.

Non-functional (A/P or A/A)
Error state due to a dataplane failure or a configuration mismatch, such as only one firewall being configured for packet forwarding, VR sync, or QoS sync.
In active/passive mode, all of the causes listed for tentative state cause non-functional state instead.

Suspended (A/P or A/A)
The device is disabled, so it won't pass data traffic; although HA communications still occur, the device doesn't participate in the HA election process. It can't move to an HA functional state without user intervention.
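The following is an added illustration, not PAN-OS code or anything from this documentation page. It models the recovery path described for the tentative state (suspended, then tentative for the Tentative Hold Time, then active-secondary) and shows why a disabled or too-short hold time blackholes traffic: the firewall is promoted before its route table has converged. The state names and the hold-time range (0 = disabled, otherwise 10-600 s, default 60 s) come from the text above; the one-second tick loop, the routes_ready_after parameter and the packet counters are assumptions made for the example.

```python
"""Model of the Tentative Hold Time behaviour of a recovering active/active
HA firewall. Added example; the tick-based simulation and the
'routes_ready_after' convergence delay are assumptions, not PAN-OS internals."""
from dataclasses import dataclass, field

DEFAULT_TENTATIVE_HOLD_SEC = 60          # page-stated default


def tentative_hold_time_is_valid(seconds) -> bool:
    """0 disables the timer; any other value must lie in 10-600 seconds."""
    if isinstance(seconds, bool) or not isinstance(seconds, int):
        return False
    return seconds == 0 or 10 <= seconds <= 600


@dataclass
class RecoveringFirewall:
    hold_time: int = DEFAULT_TENTATIVE_HOLD_SEC
    state: str = "suspended"
    elapsed: int = 0                      # seconds since links came up
    routes_converged: bool = False        # assumed flag for "route table populated"
    counts: dict = field(default_factory=lambda: {
        "not processed": 0, "forwarded": 0, "blackholed": 0})

    def links_up(self) -> None:
        """Leaving suspended: enter tentative for the hold time (or skip it if disabled)."""
        self.elapsed = 0
        self.routes_converged = False
        # With the timer disabled the firewall is promoted immediately,
        # which is exactly the blackhole scenario the text warns about.
        self.state = "active-secondary" if self.hold_time == 0 else "tentative"

    def tick(self, routes_ready_after: int) -> None:
        """Advance one second. Routes converge after routes_ready_after seconds (assumed)."""
        self.elapsed += 1
        if self.elapsed >= routes_ready_after:
            self.routes_converged = True
        if self.state == "tentative" and self.elapsed >= self.hold_time:
            self.state = "active-secondary"

    def handle_packet(self) -> str:
        """A tentative firewall processes no packets; an active-secondary one
        forwards only if its routes exist, otherwise the packet is blackholed."""
        if self.state != "active-secondary":
            outcome = "not processed"
        elif self.routes_converged:
            outcome = "forwarded"
        else:
            outcome = "blackholed"
        self.counts[outcome] += 1
        return outcome


def simulate(hold_time: int, routes_ready_after: int = 30, seconds: int = 90):
    """Run a recovery for `seconds` ticks with one packet per second (constructed
    traffic). Returns (final_state, outcome_counts)."""
    if not tentative_hold_time_is_valid(hold_time):
        raise ValueError(f"Tentative Hold Time {hold_time!r} is not 0 or 10-600 seconds")
    fw = RecoveringFirewall(hold_time=hold_time)
    fw.links_up()
    for _ in range(seconds):
        fw.handle_packet()
        fw.tick(routes_ready_after)
    return fw.state, dict(fw.counts)


if __name__ == "__main__":
    for hold in (0, 10, DEFAULT_TENTATIVE_HOLD_SEC):
        print(f"hold_time={hold:>3}s ->", simulate(hold))
```

Running the block compares three settings against an assumed 30-second routing convergence: with the timer disabled (0) the first 30 packets are blackholed; with a 10-second hold time the firewall still promotes itself 20 seconds too early; with the 60-second default nothing is blackholed, at the cost of 60 seconds during which the recovering peer processes no traffic. The practical check is therefore that the Tentative Hold Time covers the time your routing protocols actually need to converge.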