Define HA Failover Conditions

End-of-Life (EoL)


Perform the following task to define the failover conditions, which establish what causes a firewall in an HA pair to fail over. A failover is the event in which the task of securing traffic passes from the previously active firewall to its HA peer. The HA Overview describes the conditions that cause a failover.
If you are using SNMPv3 to monitor the firewalls, note that the SNMPv3 Engine ID is synchronized between the HA pair. For information on setting up SNMP, see Forward Traps to an SNMP Manager. Because the Engine ID is generated using the firewall serial number, on the VM-Series firewall you must apply a valid license in order to obtain a unique Engine ID for each firewall.
  1. To configure link monitoring, define the interfaces you want to monitor. A change in the link state of these interfaces will trigger a failover.
    1. Select Device > High Availability > Link and Path Monitoring and Add a Link Group.
    2. Name the Link Group, Add the interfaces to monitor, and select the Failure Condition for the group. The link group you define is added to the Link Group section.
  2. (Optional) Modify the failure condition for the Link Groups that you configured (in the preceding step) on the firewall.
    By default, the firewall will trigger a failover when any monitored link fails.
    1. Select the Link Monitoring section.
    2. Set the Failure Condition to All.
      The default setting is Any.
  3. To configure path monitoring, define the destination IP addresses that the firewall should ping to verify network connectivity.
    1. In the Path Group section of the Device > High Availability > Link and Path Monitoring tab, select the Add option for your setup: Virtual Wire, VLAN, or Virtual Router.
    2. Select the appropriate item for the Name and Add the IP addresses (source and/or destination, as prompted) that you wish to monitor. Then select the Failure Condition for the group. The path group you define is added to the Path Group section.
  4. (Optional) Modify the failure condition for all Path Groups configured on the firewall.
    By default, the firewall will trigger a failover when any monitored path fails.
    Set the Failure Condition to All.
    The default setting is Any.
  5. Commit the configuration.
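
The procedure above sets a Failure Condition at two levels: on each group, and across all groups in the Link Monitoring or Path Monitoring section. The following Python model is an added example, not firewall code or PAN-OS output, and shows how Any and All nest. The group names, interfaces, and IP addresses are constructed, and it assumes that a failure reported by either link monitoring or path monitoring is enough to trigger a failover.

```python
from dataclasses import dataclass, field

def _evaluate(hits, condition):
    """Apply an Any/All Failure Condition to a list of booleans."""
    if not hits:                      # nothing monitored, nothing can fail
        return False
    return any(hits) if condition == "any" else all(hits)

@dataclass
class MonitorGroup:
    name: str
    members: list = field(default_factory=list)  # interfaces or destination IPs
    condition: str = "any"                        # group-level Failure Condition

    def failed(self, down):
        return _evaluate([m in down for m in self.members], self.condition)

def monitoring_failed(groups, down, condition="any"):
    """Section-level Failure Condition applied across all groups."""
    return _evaluate([g.failed(down) for g in groups], condition)

def failover_triggered(link_groups, path_groups, down,
                       link_cond="any", path_cond="any"):
    # Assumption: either monitoring type reporting failure triggers failover.
    return (monitoring_failed(link_groups, down, link_cond)
            or monitoring_failed(path_groups, down, path_cond))

# Constructed sample configuration (not taken from a real firewall).
LINK_GROUPS = [
    MonitorGroup("uplinks", ["ethernet1/1", "ethernet1/2"], "any"),
    MonitorGroup("inside", ["ethernet1/3", "ethernet1/4"], "all"),
]
PATH_GROUPS = [MonitorGroup("vr-default", ["192.0.2.1", "192.0.2.254"], "any")]

if __name__ == "__main__":
    scenarios = [
        ({"ethernet1/3"}, "any"),                                # half of an All group
        ({"ethernet1/1"}, "any"),                                # one uplink, default Any
        ({"ethernet1/1"}, "all"),                                # same loss, section set to All
        ({"ethernet1/1", "ethernet1/3", "ethernet1/4"}, "all"),  # both groups failed
        ({"192.0.2.1"}, "all"),                                  # path failure only
    ]
    for down, link_cond in scenarios:
        result = failover_triggered(LINK_GROUPS, PATH_GROUPS, down, link_cond)
        print(f"down={sorted(down)} link_cond={link_cond} -> failover={result}")
```

With the section-level condition set to All, the loss of a single uplink no longer triggers a failover, so verify that the remaining monitored links can carry the traffic before changing the default.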