Prisma SD-WAN Branch HA Key Concepts
Let us understand the Prisma SD-WAN branch HA key concepts.
Priority is assigned to devices to dictate preference during election. For example,
certain topologies may require that a particular device be active while the other
remains a backup device. In such cases, an administrator can assign a higher priority
to the preferred device so that it becomes active during election. The highest
priority is 255. A difference of at least 40 between the priorities of an active
ION device and a backup ION device is recommended.
Preemption is enabled at the HA group level to automatically
force a switchover to the device with a higher priority.
- If enabled, it dictates that a re-election within the group be forced whenever there is a priority change that results in the current active device’s priority being less than that of the backup device.
- If disabled, it dictates that an election not happen as long as the current active device has an effective priority greater than 0, which means it has not experienced a critical failure.
Advertisement Interval—Prisma SD-WAN uses VRRP to determine HA peer liveness at
specified intervals. At the HA group level, an administrator specifies the interval
at which the active device advertises its priority to the other members of the HA
group. This can be a value between 1 and 10 seconds. If the backup device receives no
advertisement for 3 consecutive advertisement intervals, it assumes that the active
device is unavailable and begins its transition to the active state.
Interface Tracking—Each device will automatically track
the state of the HA-control interface, and upon a failure of the
interface, the device will immediately transition to a failed state,
giving way to the other device in the HA group to become active.
In addition, an administrator can optionally configure up to four
non-HA control interfaces to track, and for each interface that
goes down the HA priority of the device will be reduced by the configured
value.
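The priority, preemption, advertisement-interval and interface-tracking rules described above, modelled as an added Python example (not Palo Alto Networks code). The `Device` class, the function names and the sample priorities and decrements are constructed for illustration, and a failed device is assumed to have an effective priority of 0.

```python
from dataclasses import dataclass, field


@dataclass
class Device:
    name: str
    priority: int                       # configured priority, highest is 255
    ha_control_up: bool = True          # HA-control interface is always tracked
    tracked_down: list = field(default_factory=list)  # decrements of tracked interfaces that are down

    def effective_priority(self) -> int:
        if len(self.tracked_down) > 4:
            raise ValueError("at most four non-HA control interfaces can be tracked")
        # Assumption: the failed state is modelled as effective priority 0.
        if not self.ha_control_up:
            return 0
        return max(0, self.priority - sum(self.tracked_down))


def elect(active: Device, backup: Device, preempt: bool) -> Device:
    """Return the device that is active after a priority change."""
    a, b = active.effective_priority(), backup.effective_priority()
    if a == 0 and b > 0:
        return backup                   # critical failure: switch over regardless
    if preempt and a < b:
        return backup                   # preemption forces a re-election
    return active                       # otherwise the active device keeps its role


def detection_seconds(advert_interval: int) -> int:
    """Time the backup waits before assuming the active device is unavailable."""
    if not 1 <= advert_interval <= 10:
        raise ValueError("advertisement interval must be 1-10 seconds")
    return 3 * advert_interval          # 3 consecutive missed advertisements


def scenarios() -> dict:
    """Constructed cases: priorities 200/160 (difference of 40), decrement 30."""
    backup = Device("ion-b", 160)
    one_down = Device("ion-a", 200, tracked_down=[30])        # effective 170
    two_down = Device("ion-a", 200, tracked_down=[30, 30])    # effective 140
    ctrl_down = Device("ion-a", 200, ha_control_up=False)     # failed
    return {
        "one_down_preempt": elect(one_down, backup, True).name,
        "two_down_preempt": elect(two_down, backup, True).name,
        "two_down_no_preempt": elect(two_down, backup, False).name,
        "ha_control_down_no_preempt": elect(ctrl_down, backup, False).name,
    }
```

With these sample values, the priority difference of 40 absorbs one tracked-interface failure without a switchover, while a second failure moves the active role only when preemption is enabled.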
Administration—The devices in an HA group can be administratively
disabled from participating in an HA group for operational reasons.
When a device is disabled in a group, it will withdraw from the
group and become a passive device. For example, in Returned Merchandise
Authorization (RMA) scenarios, an administrator can administratively
bring down and bring up a device. Similarly, before a software upgrade,
an administrator can mark the device as disabled to perform the
software upgrade and then enable the device in the HA group after
the software upgrade is complete.
DHCP Server—The devices will automatically synchronize
DHCP server leases from active to backup, so that the backup device,
when active, can continue to perform all the functions of an active
device.
HA Status—HA group status can be displayed for current
active and backup devices with the last switchover time and the
reason for the switchover.
Configuration Management—The device configuration may
need to be identical on both devices, depending on the topology.
- If the configuration is applied at the site level (for example, network path policy, QoS policy, etc.), the same policy is applied to both devices.
- If the configuration is applied at the device level (for example, NAT port forwarding, security zone binding at the interface level, etc.), the policy or configuration needs to be applied to both devices. This applies to other configurations as well.