Configure HA link monitoring and path monitoring to determine HA failover to a peer.

Perform the following task to use link monitoring or path monitoring to define failover conditions and thus establish what will cause a firewall in an HA pair to fail over, an event where the task of securing traffic passes from the previously active firewall to its HA peer. The HA Overview describes the conditions that cause a failover.

You can monitor multiple IP path groups per virtual router, VLAN, or virtual wire. You can enable each path group with one or more IP addresses and give each its own peer failure conditions. Additionally, you can set these failure conditions both at the path-group level and at the broader virtual router, VLAN, or virtual wire level, using “any” or “all” fail checks to determine the status of the active firewall.
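As an added illustration (not code from the Palo Alto Networks documentation), the following Python models the two-level “any”/“all” evaluation described above: each path group fails according to its own condition over its destination IPs, and the virtual router, VLAN, or virtual wire then applies its own condition over its path groups. The group names, addresses, and reachability results are constructed, and the evaluation order is my reading of the text, not the firewall's implementation.

```python
from dataclasses import dataclass

VALID_CONDITIONS = ("any", "all")


def _check(condition: str) -> None:
    if condition not in VALID_CONDITIONS:
        raise ValueError(f"fail condition must be 'any' or 'all', got {condition!r}")


@dataclass
class PathGroup:
    """One destination IP group with its own peer failure condition."""
    name: str
    destinations: list
    fail_condition: str = "any"  # "any": one unreachable IP fails the group; "all": every IP must be unreachable

    def failed(self, reachable: dict) -> bool:
        _check(self.fail_condition)
        # A destination with no recorded result is treated as unreachable (conservative choice).
        unreachable = [not reachable.get(ip, False) for ip in self.destinations]
        return any(unreachable) if self.fail_condition == "any" else all(unreachable)


@dataclass
class MonitoredContext:
    """A virtual router, VLAN, or virtual wire applying its own any/all check over its path groups."""
    name: str
    groups: list
    fail_condition: str = "any"

    def should_fail_over(self, reachable: dict) -> bool:
        _check(self.fail_condition)
        failed = [g.failed(reachable) for g in self.groups]
        if not failed:  # nothing monitored: no failover trigger
            return False
        return any(failed) if self.fail_condition == "any" else all(failed)


# Constructed sample: two ISP path groups in one virtual router; addresses and results are made up.
SAMPLE_REACHABILITY = {"10.0.0.1": True, "10.0.0.2": False, "10.0.1.1": True}
ISP_A = PathGroup("isp-a", ["10.0.0.1", "10.0.0.2"], "any")  # fails: 10.0.0.2 is unreachable
ISP_B = PathGroup("isp-b", ["10.0.1.1"], "all")              # healthy


def failover_decisions(reachable: dict = SAMPLE_REACHABILITY) -> dict:
    """Decision for the same virtual router under an 'any' and under an 'all' group-level check."""
    return {
        cond: MonitoredContext("vr-1", [ISP_A, ISP_B], cond).should_fail_over(reachable)
        for cond in VALID_CONDITIONS
    }


if __name__ == "__main__":
    print(failover_decisions())  # {'any': True, 'all': False}
```

The same one-group outage triggers failover under an “any” check at the virtual router level but not under an “all” check, which is the trade-off to weigh when choosing the broader condition.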
When you upgrade to PAN-OS 10.0, the firewall automatically transfers your currently monitored destination IP addresses to a newly created destination group and gives that group a default path-monitoring name. The new destination group retains your previous failover condition at the path-group level.

Ensure that you delete all VLAN path monitoring configurations in active/active HA before you upgrade to PAN-OS 10.0, because VLAN path monitoring is not compatible with active/active HA pairing in PAN-OS 10.0; retaining an earlier active/active HA configuration results in an autocommit failure.
Before you enable path monitoring, you must set up your virtual routers, VLANs, or virtual wires, or a combination of these logical networking components. Path monitoring in virtual routers and virtual wires is compatible with both active/active and active/passive HA deployments; however, path monitoring in VLANs is supported only on active/passive pairs.
Before you enable path monitoring, you must also:
- Check reachability for the destination IP groups in your virtual routers.
- Ensure that the VLANs for which you intend to enable path monitoring include configured interfaces.
- Obtain the source IP address that you will use to receive pings from the appropriate destination IP address.
If you are using SNMPv3 to monitor the firewalls, note that the SNMPv3 Engine ID is synchronized between the HA pair. For information on setting up SNMP, see Forward Traps to an SNMP Manager. Because the Engine ID is generated using the firewall serial number, on the VM-Series firewall you must apply a valid license in order to obtain a unique Engine ID for each firewall.