Configuration Guidelines for Active/Passive HA
To set up an active/passive HA pair, with PeerA as the active firewall and PeerB as the passive firewall, you must configure some options identically on both firewalls and some independently (non-matching) on each firewall. These HA settings are not synchronized between the firewalls. For details on what is and is not synchronized, see Reference: HA Synchronization.
The following checklist details the settings that you must configure identically on both firewalls:
- You must enable HA on both firewalls.
- You must configure the same Group ID value on both firewalls. The firewall uses the Group ID value to create a virtual MAC address for all the configured interfaces. See Floating IP Address and Virtual MAC Address for information about virtual MAC addresses. When a new active firewall takes over, it sends Gratuitous ARP messages from each of its connected interfaces to inform the connected Layer 2 switches of the virtual MAC address’ new location.
- If you are using in-band ports as HA links, you must set the interfaces for the HA1 and HA2 links to type HA.
- Set the HA Mode to Active Passive on both firewalls.
- If required, enable preemption on both firewalls. The device priority values, however, must not be identical on the two firewalls.
- If required, configure encryption on the HA1 link (for communication between the HA peers) on both firewalls.
- Based on the combination of HA1 and HA1 Backup ports you are using, use the following recommendations to decide whether to enable Heartbeat Backup:

  HA1 port            HA1 Backup port     Recommendation
  Dedicated HA1 port  Dedicated HA1 port  Enable Heartbeat Backup
  Dedicated HA1 port  In-band port        Enable Heartbeat Backup
  Dedicated HA1 port  Management port     Do not enable Heartbeat Backup
  In-band port        In-band port        Enable Heartbeat Backup
  Management port     In-band port        Do not enable Heartbeat Backup

  Note: HA functionality (HA1 and HA1 Backup) is not supported on the management interface if that interface is configured for DHCP addressing (IP Type set to DHCP Client), except on AWS.
The following table lists the HA settings that you must configure independently on each firewall. See Reference: HA Synchronization for more information about other configuration settings that are not automatically synchronized between peers.

Independent Configuration Settings

HA1 (control link)
  PeerA: IP address of the HA1 link configured on this firewall (PeerA).
  PeerB: IP address of the HA1 link configured on this firewall (PeerB).
  For firewalls without dedicated HA ports, use the management port IP address for the control link.

HA2 (data link)
  The data link information is synchronized between the firewalls after HA is enabled and the control link is established between the firewalls. By default, the HA2 link uses Ethernet/Layer 2.
  PeerA: If using a Layer 3 connection, configure the IP address for the data link on this firewall (PeerA).
  PeerB: If using a Layer 3 connection, configure the IP address for the data link on this firewall (PeerB).

Device Priority (required if preemption is enabled)
  With preemption enabled, the firewall with the lower numerical device priority value becomes active. The firewall you plan to make active must therefore have a lower value than its peer. If the firewalls have the same device priority value, they use the MAC address of their HA1 link as the tie-breaker, so the active peer is no longer the one you chose.
  PeerA: If PeerA is to function as the active firewall, keep the default value of 100 and increment the value on PeerB.
  PeerB: If PeerB is passive, set the device priority value to a number larger than the setting on PeerA. For example, set the value to 110.

Link Monitoring
  Monitor one or more physical interfaces that handle vital traffic on this firewall and define the failure condition.
  PeerA: Select the physical interfaces on the firewall that you would like to monitor and define the failure condition (all or any) that triggers a failover.
  PeerB: Pick a similar set of physical interfaces that you would like to monitor on this firewall and define the failure condition (all or any) that triggers a failover.

Path Monitoring
  Monitor one or more destination IP addresses that the firewall pings (ICMP) to ascertain responsiveness.
  PeerA: Define the failure condition (all or any), the ping interval, and the ping count. This is particularly useful for monitoring the availability of other interconnected networking devices. For example, monitor the availability of a router that connects to a server, connectivity to the server itself, or some other vital device that is in the flow of traffic. Make sure that the node or device you are monitoring is not likely to become unresponsive, especially under load, because a monitored host that drops pings causes a path monitoring failure and triggers a failover even though the firewall itself is healthy.
  PeerB: Pick a similar set of devices or destination IP addresses that can be monitored to determine the failover trigger for PeerB. Define the failure condition (all or any), the ping interval, and the ping count.
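The checklist above (settings that must match, settings that must differ, the Heartbeat Backup recommendation table, the DHCP-on-management caveat, and the device priority ordering) is easy to get wrong when two people configure two boxes. The following is an added example written for this page, not PAN-OS code and not a Palo Alto Networks tool: it models the settings of each peer in a simplified HAConfig record (an assumed representation, not the firewall's configuration schema), lints a PeerA/PeerB pair against the guidelines, and shows a correct pair beside a misconfigured one. The sample values are constructed.

```python
"""Added example: lint an active/passive HA peer pair against the configuration guidelines.

Illustrative code for this page only; HAConfig is an assumed, simplified view of the
settings the guidelines discuss, and the sample peers below are constructed data.
"""
from dataclasses import dataclass

# Heartbeat Backup recommendation keyed by (HA1 port, HA1 Backup port), as in the table above.
HEARTBEAT_BACKUP_RECOMMENDED = {
    ("dedicated", "dedicated"): True,
    ("dedicated", "in-band"): True,
    ("dedicated", "management"): False,
    ("in-band", "in-band"): True,
    ("management", "in-band"): False,
}

# Settings that must be configured identically on both peers.
MUST_MATCH = ("enabled", "group_id", "mode", "preemptive", "ha1_encryption", "heartbeat_backup")


@dataclass(frozen=True)
class HAConfig:
    name: str                      # "PeerA" or "PeerB"
    enabled: bool
    group_id: int
    mode: str                      # "active-passive" expected here
    preemptive: bool
    device_priority: int           # lower value wins when preemption is enabled
    ha1_encryption: bool
    ha1_port: str                  # "dedicated", "in-band" or "management"
    ha1_backup_port: str           # same vocabulary
    heartbeat_backup: bool
    ha1_ip: str                    # independent per peer
    mgmt_ip_type: str = "static"   # "static" or "dhcp-client"
    on_aws: bool = False           # DHCP-addressed management HA is allowed only on AWS
    monitored_links: frozenset = frozenset()
    path_targets: frozenset = frozenset()


def lint_pair(a: HAConfig, b: HAConfig) -> list:
    """Return a list of findings; an empty list means the pair satisfies the checklist."""
    findings = []
    for attr in MUST_MATCH:
        va, vb = getattr(a, attr), getattr(b, attr)
        if va != vb:
            findings.append(f"{attr} must match on both peers ({a.name}={va}, {b.name}={vb})")
    for peer in (a, b):
        if not peer.enabled:
            findings.append(f"{peer.name}: HA is not enabled")
        if peer.mode != "active-passive":
            findings.append(f"{peer.name}: HA Mode is {peer.mode!r}, expected 'active-passive'")
        # HA1 or HA1 Backup on the management port needs a static management address (except AWS).
        if "management" in (peer.ha1_port, peer.ha1_backup_port) \
                and peer.mgmt_ip_type == "dhcp-client" and not peer.on_aws:
            findings.append(f"{peer.name}: HA1 on a DHCP-addressed management interface is not supported")
        # Compare the Heartbeat Backup choice with the recommendation table.
        rec = HEARTBEAT_BACKUP_RECOMMENDED.get((peer.ha1_port, peer.ha1_backup_port))
        if rec is None:
            findings.append(f"{peer.name}: no heartbeat backup recommendation for "
                            f"HA1={peer.ha1_port}, HA1 Backup={peer.ha1_backup_port}")
        elif rec != peer.heartbeat_backup:
            findings.append(f"{peer.name}: heartbeat backup should be "
                            f"{'enabled' if rec else 'disabled'} for this HA1/HA1 Backup combination")
    # Independent settings: HA1 addresses must differ; priorities must differ when preemption is on.
    if a.ha1_ip == b.ha1_ip:
        findings.append(f"HA1 IP address {a.ha1_ip} is used on both peers")
    if a.preemptive and a.device_priority == b.device_priority:
        findings.append("device priority is identical; the HA1 MAC address would decide the active "
                        "peer instead of your intended ordering")
    # Monitoring should be configured on both peers with a similar scope.
    if bool(a.monitored_links) != bool(b.monitored_links):
        findings.append("link monitoring is configured on only one peer")
    if bool(a.path_targets) != bool(b.path_targets):
        findings.append("path monitoring is configured on only one peer")
    return findings


def intended_active(a: HAConfig, b: HAConfig) -> str:
    """Name the peer that preemption would make active (lower device priority wins)."""
    return a.name if a.device_priority < b.device_priority else b.name


# Constructed sample pair following the guideline: PeerA keeps 100, PeerB is set to 110.
PEER_A = HAConfig("PeerA", True, 1, "active-passive", True, 100, True, "dedicated", "in-band", True,
                  "10.0.0.1", monitored_links=frozenset({"ethernet1/1", "ethernet1/2"}),
                  path_targets=frozenset({"10.1.1.1"}))
PEER_B = HAConfig("PeerB", True, 1, "active-passive", True, 110, True, "dedicated", "in-band", True,
                  "10.0.0.2", monitored_links=frozenset({"ethernet1/1", "ethernet1/2"}),
                  path_targets=frozenset({"10.1.1.1"}))

# A misconfigured PeerB: same priority as PeerA, different Group ID, HA1 Backup on a
# DHCP-addressed management port, and Heartbeat Backup left enabled for that combination.
PEER_B_BAD = HAConfig("PeerB", True, 2, "active-passive", True, 100, True, "dedicated", "management", True,
                      "10.0.0.2", mgmt_ip_type="dhcp-client",
                      monitored_links=frozenset({"ethernet1/1"}), path_targets=frozenset({"10.1.1.1"}))

if __name__ == "__main__":
    print("good pair:", lint_pair(PEER_A, PEER_B) or "no findings")
    for finding in lint_pair(PEER_A, PEER_B_BAD):
        print("bad pair:", finding)
```

Run against the good pair the lint returns no findings and names PeerA as the peer preemption would make active; against the misconfigured pair it reports the Group ID mismatch, the identical device priority, the DHCP-addressed management port, and the Heartbeat Backup setting that contradicts the recommendation table. Feeding the lint from the live firewalls (for example by parsing the output of each peer's HA status command) is left to the reader; the point is that every rule in the checklist is a comparison you can automate before committing.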