Configure HA Settings
9.1 (EoL)
To configure HA settings, select Device > High Availability and then, for each group of settings, specify the corresponding information described in the following table.
HA Settings | Description
---|---
General Tab | 
Setup | Specify the following settings. Always enable config sync so that both devices always have the same configuration and process traffic the same way.
Active/Passive Settings | 
Election Settings | Specify or enable the following settings:
Control Link (HA1)/Control Link (HA1 Backup) | The firewalls in an HA pair communicate over HA links. For firewalls that don't have a dedicated HA port, such as the PA-220 firewall, configure the management port for the Control Link HA1 connection and a data port interface configured with type HA for the Control Link HA1 Backup connection. Because the management port is used in this case, there is no need to enable the Heartbeat Backup option: heartbeat backups already travel over the management interface connection. On the VM-Series firewall in AWS, the management port is used as the HA1 link. When using a data port for the HA control link, keep in mind that control messages have to pass from the dataplane to the management plane, so if a failure occurs in the dataplane the peers cannot exchange HA control link information and a failover will occur. It is best to use the dedicated HA ports or, on firewalls that do not have a dedicated HA port, the management port. Specify the following settings for the primary and backup HA control links when you configure Active/Passive HA or Active/Active HA:
Data Link (HA2) | Specify the following settings for the primary and backup data link when you configure Active/Passive HA or Active/Active HA. When an HA2 backup link is configured, failover to the backup link occurs if there is a physical link failure. With the HA2 keep-alive option enabled, failover also occurs if the HA keep-alive messages fail based on the defined threshold.
Link and Path Monitoring Tab (not available for the VM-Series firewall in AWS) | 
Path Monitoring | Specify the following. Enable and configure either path monitoring or link monitoring to help trigger a failover if a path or link goes down. Configure at least one Path Group for path monitoring and at least one Link Group for link monitoring.
Path Group | Define one or more path groups to monitor specific destination addresses. To add a path group, click Add for the interface type (Virtual Wire, VLAN, or Virtual Router) and specify the following:
Link Monitoring | Specify the following. Enable and configure either path monitoring or link monitoring to help trigger a failover if a path or link goes down. Configure at least one Path Group for path monitoring and at least one Link Group for link monitoring.
Link Groups | Define one or more link groups to monitor specific Ethernet links. To add a link group, specify the following and click Add:
Active/Active Config Tab | 
Packet Forwarding | Enable peers to forward packets over the HA3 link for session setup and for Layer 7 inspection (App-ID, Content-ID, and threat inspection) of asymmetrically routed sessions.
HA3 Interface | Select the data interface you plan to use to forward packets between active/active HA peers. The interface you use must be a dedicated Layer 2 interface set to Interface Type HA. If the HA3 link fails, the active-secondary peer transitions to the non-functional state. To prevent this condition, configure a Link Aggregation Group (LAG) interface with two or more physical interfaces as the HA3 link; the firewall does not support an HA3 Backup link. An aggregate interface with multiple member interfaces provides additional capacity and link redundancy for packet forwarding between HA peers. You must enable jumbo frames on the firewall and on all intermediary networking devices when using the HA3 interface. To enable jumbo frames, select Device > Setup > Session and select Enable Jumbo Frame in the Session Settings section.
VR Sync | Force synchronization of all virtual routers configured on the HA peers. Use this option when the virtual router is not configured for dynamic routing protocols. Both peers must be connected to the same next-hop router through a switched network and must use static routing only.
QoS Sync | Synchronize the QoS profile selection on all physical interfaces. Use this option when both peers have similar link speeds and require the same QoS profiles on all physical interfaces. This setting affects the synchronization of QoS settings on the Network tab; QoS policy is synchronized regardless of this setting.
Tentative Hold Time (sec) | When a firewall in an HA active/active configuration fails, it goes into a tentative state. The transition from tentative state to active-secondary state triggers the Tentative Hold Time, during which the firewall attempts to build routing adjacencies and populate its route table before it processes any packets. Without this timer, the recovering firewall would enter the active-secondary state immediately and would blackhole packets because it would not yet have the necessary routes (default is 60 seconds).
Session Owner Selection | The session owner is responsible for all Layer 7 inspection (App-ID and Content-ID) for the session and for generating all Traffic logs for the session. Select one of the following options to specify how to determine the session owner for a packet:
Session Setup | The firewall responsible for session setup performs Layer 2 through Layer 4 processing (including address translation) and creates the session table entry. Because session setup consumes management plane resources, you can select one of the following options to help distribute the load:
Virtual Address | Click Add, select the IPv4 or IPv6 tab, and then click Add again to enter options that specify the type of HA virtual address to use: Floating or ARP Load Sharing. You can also mix virtual address types in the pair; for example, you could use ARP load sharing on the LAN interface and a Floating IP on the WAN interface.
Operational Commands | 
Suspend local device (or Make local device functional) | The following operational mode CLI command places the local HA peer in a suspended state and temporarily disables HA functionality on the firewall. If you suspend the currently active firewall, the other peer takes over: `request high-availability state suspend`. To place a suspended firewall back into a functional state, use the following operational mode CLI command: `request high-availability state functional`. To test failover, you can either uncable the active (or active-primary) firewall or click this link to suspend the active firewall.
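Before you suspend the active peer to test failover, a practitioner wants to confirm that the other peer is actually able to take over: it is passive (or active-secondary), the HA1 and HA2 links to it are up, and its running configuration is synchronized. The following Python helper is an added example, not code from the PAN-OS documentation or from Palo Alto Networks. It applies those checks to the XML returned by the PAN-OS XML API for the operational command `show high-availability state`, and shows how the suspend and functional commands from the table are issued over the same API. The sample response is constructed, and the element names it parses are the author's assumption about the shape of that command's output; compare them with a real response from your own firewall before relying on the check.

```python
"""Pre-failover sanity check for a PAN-OS HA pair (added example, not from
the PAN-OS documentation or from Palo Alto Networks).

ASSUMPTION: element names such as result/enabled, group/running-sync,
group/local-info/state, group/peer-info/state and
group/peer-info/conn-ha1/conn-status follow the author's understanding of
the `show high-availability state` XML output; verify against a real device.
"""
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Operational commands in the XML form the XML API takes (type=op&cmd=...).
CMD_SHOW_HA_STATE = "<show><high-availability><state/></high-availability></show>"
CMD_SUSPEND = ("<request><high-availability><state><suspend/>"
               "</state></high-availability></request>")
CMD_FUNCTIONAL = ("<request><high-availability><state><functional/>"
                  "</state></high-availability></request>")

# CONSTRUCTED sample response (not captured from a device): an active/passive
# pair, local peer active, HA1 and HA2 up, configuration synchronized.
SAMPLE_HA_STATE = """<response status="success"><result>
  <enabled>yes</enabled>
  <group>
    <mode>Active-Passive</mode>
    <running-sync>synchronized</running-sync>
    <local-info>
      <state>active</state>
      <state-sync>Complete</state-sync>
    </local-info>
    <peer-info>
      <state>passive</state>
      <conn-ha1><conn-status>up</conn-status></conn-ha1>
      <conn-ha2><conn-status>up</conn-status></conn-ha2>
    </peer-info>
  </group>
</result></response>"""


@dataclass
class HaCheck:
    ok: bool
    local_state: str
    peer_state: str
    problems: list = field(default_factory=list)


def _text(node, path, default=""):
    """Lower-cased text of the first element at `path` under `node`, or `default`."""
    if node is None:
        return default
    el = node.find(path)
    return el.text.strip().lower() if el is not None and el.text else default


def assess_failover_readiness(xml_text: str) -> HaCheck:
    """Return whether suspending the LOCAL peer is safe, with reasons if not.

    Safe means: HA enabled; local peer active (or active-primary); peer passive
    (or active-secondary); HA1 and HA2 links to the peer up; running config
    synchronized and session state sync complete, so the peer enforces the
    same policy and keeps the existing sessions after the switch.
    """
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        return HaCheck(False, "", "", ["XML API call did not return status=success"])
    group = root.find("./result/group")
    local_state = _text(group, "local-info/state")
    peer_state = _text(group, "peer-info/state")
    problems = []
    if _text(root, "./result/enabled") != "yes":
        problems.append("HA is not enabled on this firewall")
    if local_state not in ("active", "active-primary"):
        problems.append(f"local peer is not active (state={local_state or 'unknown'})")
    if peer_state not in ("passive", "active-secondary"):
        problems.append(f"peer cannot take over (state={peer_state or 'unknown'})")
    if _text(group, "peer-info/conn-ha1/conn-status") != "up":
        problems.append("HA1 control link to peer is not up")
    if _text(group, "peer-info/conn-ha2/conn-status") != "up":
        problems.append("HA2 data link to peer is not up; sessions will not survive failover")
    if _text(group, "running-sync") != "synchronized":
        problems.append("running configuration is not synchronized with the peer")
    if _text(group, "local-info/state-sync") != "complete":
        problems.append("session state sync is not complete")
    return HaCheck(not problems, local_state, peer_state, problems)


def build_op_url(host: str, cmd: str, api_key: str) -> str:
    """URL for a PAN-OS XML API operational command (type=op)."""
    query = urllib.parse.urlencode({"type": "op", "cmd": cmd, "key": api_key})
    return f"https://{host}/api/?{query}"


def run_op(host: str, cmd: str, api_key: str, verify_tls: bool = True) -> str:
    """Send an operational command and return the raw XML response body.

    verify_tls=False is for lab boxes with the factory certificate only; keep
    verification on in production so the API key cannot be captured in transit.
    """
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    url = build_op_url(host, cmd, api_key)
    with urllib.request.urlopen(url, context=ctx, timeout=15) as r:
        return r.read().decode("utf-8", "replace")


if __name__ == "__main__":
    # Offline run against the constructed sample. Against a real device you would
    # fetch the state with run_op(host, CMD_SHOW_HA_STATE, key) and, only if
    # check.ok, issue run_op(host, CMD_SUSPEND, key) to test failover.
    check = assess_failover_readiness(SAMPLE_HA_STATE)
    print("safe to suspend" if check.ok else "DO NOT suspend:", *check.problems, sep="\n  ")
```

The check deliberately refuses when the peer is in any state other than passive or active-secondary (for example suspended or non-functional), because suspending the active firewall in that situation takes the whole pair out of service rather than testing failover. After the test, `CMD_FUNCTIONAL` restores the suspended peer, as the table describes.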