Let us understand the Prisma SD-WAN branch HA key concepts.
Prisma SD-WAN enables the election of
an active or backup device through Priority and Preemption configuration.
Priority is assigned to devices to dictate preference
during election. For example, certain topologies may require that
a particular device be active while the other remains as a backup
device. In such cases, an administrator can assign a higher priority
to the preferred device to dictate which device becomes
active during election.
Preemption is enabled at the HA group level to automatically
force a switchover to the device with a higher priority.
If enabled, it forces a re-election within the
group whenever a priority change leaves
the current active device's priority lower than that of
the backup device.
If disabled, no election happens as long
as the current active device has an effective priority greater than
0, which means it has not experienced a critical failure.
At the HA group level, an administrator
specifies the interval at which the active device advertises
its priority to the other members of the HA group. This can be a
value between 1 and 10 seconds. If the backup device receives no
advertisement for 3 consecutive advertisement intervals, it
assumes that the active device is unavailable and begins its
transition to the active state.
Each device automatically tracks
the state of the HA-control interface, and upon a failure of the interface,
the device immediately transitions to a failed state, giving
way to the other device in the HA group to become active. In addition,
an administrator can optionally configure up to four non-HA control
interfaces to track, and for each interface that goes down, the HA
priority of the device is reduced by the configured value.
The devices in an HA group can be administratively
disabled from participating in an HA group for operational reasons.
When a device is disabled in a group, it will withdraw from the
group and become a passive device. For example, in Returned Merchandise
Authorization (RMA) scenarios, an administrator can administratively
bring down and bring up a device. Similarly, before a software upgrade,
an administrator can mark the device as disabled to perform the
software upgrade and then enable the device in the HA group after
the software upgrade is complete.
The devices will automatically synchronize
DHCP server leases from active to backup, so that the backup device,
when active, can continue to perform all the functions of an active
HA group status can be displayed for current
active and backup devices with the last switchover time and the reason
for the switchover.
The device configuration may
need to be identical on both devices, depending on the topology.
If the configuration is applied at the site level (for
example, network path policy, QoS policy, etc.), the same policy is
applied to both devices.
If the configuration is applied at the device level (for example,
NAT port forwarding, security zone binding at the interface level,
etc.), the policy or configuration needs to be applied to both devices.
This applies to other configurations as well.
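
The priority, preemption, advertisement-interval and interface-tracking rules described above can be modelled as follows. This is an added illustration, not Prisma SD-WAN code: the names (`Device`, `should_switch`, `takeover_delay_s`, `validate_group`) are hypothetical, and it assumes that a failed device has an effective priority of 0, that priority is clamped at 0, and that a failed backup never takes over.

```python
from dataclasses import dataclass, field

MISSED_ADVERTS = 3  # from the text: 3 consecutive missed advertisement intervals


@dataclass
class Device:
    name: str
    priority: int                      # configured HA priority
    ha_control_up: bool = True
    # tracked non-HA-control interfaces: name -> (is_up, priority decrement)
    tracked: dict = field(default_factory=dict)

    def effective_priority(self) -> int:
        if not self.ha_control_up:
            return 0                   # assumption: failed state means priority 0
        lost = sum(dec for up, dec in self.tracked.values() if not up)
        return max(self.priority - lost, 0)   # assumption: clamped at 0


def validate_group(interval_s: int, devices) -> None:
    """Reject settings outside the limits stated in the text."""
    if not 1 <= interval_s <= 10:
        raise ValueError("advertisement interval must be 1 to 10 seconds")
    for d in devices:
        if len(d.tracked) > 4:
            raise ValueError(f"{d.name}: at most four tracked interfaces")


def takeover_delay_s(interval_s: int) -> int:
    """Seconds of silence before the backup starts its transition to active."""
    return MISSED_ADVERTS * interval_s


def should_switch(active: Device, backup: Device, preempt: bool) -> bool:
    """Decide whether the backup should take over from the current active."""
    a, b = active.effective_priority(), backup.effective_priority()
    if b == 0:
        return False                   # assumption: a failed backup cannot take over
    if a == 0:
        return True                    # critical failure: active always gives way
    return preempt and a < b           # otherwise only preemption forces re-election
```

Running the model against a planned priority and decrement scheme shows whether losing a single tracked interface is enough to drop the active device below the backup, which only triggers a switchover when preemption is enabled.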