>
    Define HA Failover Conditions
    Focus
    Download PDF
    Focus
    1. Home
    2. Next-Generation Firewall
    3. High Availability
    4. Set Up Active/Passive HA
    5. Define HA Failover Conditions
    Download PDF
    Next-Generation Firewall

    Define HA Failover Conditions

    Table of Contents

    Define HA Failover Conditions

    Define the high availability (HA) failover conditions for active/passive HA firewalls.
    Contact your account team to enable Cloud Management for NGFWs using Strata Cloud Manager.
    Where Can I Use This?What Do I Need?
    • NGFW (Managed by Strata Cloud Manager)
    • VM-Series, funded with Software NGFW Credits
    • AIOps for NGFW Premium license (use the Strata Cloud Manager app)
    Define the link monitoring and path monitoring conditions for your active/passive HA firewalls to define the failover conditions and establish what will cause a firewall in an HA pair to fail over, an event where the task of securing traffic from the previously active firewall to its HA peer. The HA Overview describes the conditions that cause a failover.
    You can monitor multiple IP path groups per logical router or VLAN. You can enable each path group with one or more IP addresses and give each its own peer failure conditions. Additionally, you can set these failure conditions at both the path-group level and the broader logical router or VLAN group level using Any or All fail checks to determine the status of the active firewall.
    Before you enable path monitoring and define the HA failover conditions, you must also:
    • Check reachability for destination IP groups in your logical routers.
    • Ensure that VLANs (for which you intend to enable path monitoring) include configured interfaces.
    • Obtain the source IP address that you’ll use to receive pings from the appropriate destination IP address.
    1. Log in to Strata Cloud Manager.
    2. Configure a Logical Router or Configure a VLAN to establish the Destination IP addresses you want to monitor.
      Before you enable path monitoring, you must set up your logical routers, VLAN, or a combination of these logical networking components.
    3. Configure Active/Passive HA.
    4. Select ManageNGFW and Prisma AccessOverview and select the Folder Configuration Scope that the HA peers are associated with.
    5. In the HA Devices section, edit the HA pair for which you want to define the HA failover conditions.
    6. Select the Failover Condition Settings.
    7. Configure the failover conditions settings for the Primary Device.
      1. Configure the Link Monitoring Failure Condition.
        1. Select the Failure Condition.
          • All of Link Group (default)—Failover occurs when all Link Groups fail.
          • Any of Link Group—Failover occurs when one or more Link Groups fail.
        2. Click +Link Group and select Link Group Failure Condition for the logical routers you want to monitor.
          • All of Link Group (default)—Failure for a Link Group occurs when the firewall is unable to connect to all Destination IP addresses associated with the Link Group.
          • Any of Link Group—Failure for a Link Group occurs when the firewall is unable to connect to any Destination IP addresses associated with the Link Group.
        3. Select the link groups to monitor.
      2. Configure the Path Monitor Failure Condition.
        1. Select the Failure Condition.
          • All of Path Group (default)—Failover occurs when all Path Groups fail.
          • Any of Path Group—Failover occurs when one or more Path Groups fail.
        2. Click +Path Group and select Link Group Failure Condition for the logical routers you want to monitor.
          • All of Link Group (default)—Failure for a Path Group occurs when the firewall is unable to connect to all Destination IP addresses associated with the Path Group.
          • Any of Link Group—Failure for a Path Group occurs when the firewall is unable to connect to any Destination IP addresses associated with the Path Group.
        3. Select the path groups to monitor.
    8. Configure the Link Monitoring Failure Condition and Path Monitoring Failure Condition for the Secondary Device.
    9. Save.
    10. Push Config to push your configuration changes.

    © 2024 Palo Alto Networks, Inc. All rights reserved.