Failover
When a failure occurs on one firewall and the peer takes
over the task of securing traffic, the event is called a
failover.
A failover is triggered, for example, when a monitored metric on
a firewall in the HA pair fails. The metrics that are monitored
for detecting a firewall failure are:
Heartbeat
Polling and Hello messages
The firewalls use hello message
and heartbeats to verify that the peer firewall is responsive and
operational. Hello messages are sent from one peer to the other
at the configured
Hello Interval to verify the state
of the firewall. The heartbeat is an ICMP ping to the HA peer over
the control link, and the peer responds to the ping to establish
that the firewalls are connected and responsive. By default, the
interval for the heartbeat is 1000 milliseconds. A ping is sent
every 1000 milliseconds and if there are three consecutive heartbeat
losses, a failovers occurs. For details on the HA timers that trigger
a failover, see
HA
Timers.
Link Monitoring
The
physical interfaces to be monitored are grouped into a link group
and their state (link up or link down) is monitored. A link group
can contain one or more physical interfaces. A firewall failure
is triggered when any or all of the interfaces in the group fail.
The default behavior is failure of any one link in the link group
will cause the firewall to change the HA state to non-functional
(or to tentative state in active/active mode) to indicate a failure
of a monitored object.
Path Monitoring
Monitors
the full path through the network to mission-critical IP addresses. ICMP
pings are used to verify reachability of the IP address. The default
interval for pings is 200ms. An IP address is considered unreachable
when 10 consecutive pings (the default value) fail, and a firewall
failure is triggered when any or all of the IP addresses monitored
become unreachable. The default behavior is any one of the IP addresses
becoming unreachable will cause the firewall to change the HA state
to non-functional (or to tentative state in active/active mode)
to indicate a failure of a monitored object.
In addition to the failover triggers listed above, a failover
also occurs when the administrator suspends the firewall or when
preemption occurs.
On PA-3200 Series, PA-5200 Series, and PA-7000 Series firewalls,
a failover can occur when an internal health check fails. This health
check is not configurable and is enabled to monitor the critical
components, such as the FPGA and CPUs. Additionally, general health
checks occur on any platform, causing failover.