PAN-OS Web Interface Reference
    : Configure HA Settings
    Focus
    Download PDF
    Focus
    1. Home
    2. PAN-OS
    3. PAN-OS Web Interface Reference
    4. Device
    5. Device > High Availability
    6. Configure HA Settings
    Download PDF

    PAN-OS Web Interface Reference

    Configure HA Settings

    Table of Contents
    End-of-Life (EoL)

    Configure HA Settings

    To configure HA settings, select DeviceHigh Availability and then, for each group of settings, specify the corresponding information described in the following table.
    HA Settings
    Description
    General Tab
    Setup
    Specify the following settings:
    • Enable HA—Activate HA functionality.
    • Group ID—Enter a number to identify the HA pair (1 to 63). This field is required (and must be unique) if multiple HA pairs reside on the same broadcast domain.
    • Description—(Optional) Enter a description of the HA pair.
    • Mode—Set the type of HA deployment: Active Passive or Active Active.
    • Device ID—In active/active configuration, set the Device ID to determine which peer will be active-primary (set Device ID to 0) and which will be active-secondary (set the Device ID to 1).
    • Enable Config Sync—Select this option to enable synchronization of configuration settings between the peers.
    Always enable config sync so that both devices always have the same configuration and process traffic the same way.
    • Peer HA1 IP Address—Enter the IP address of the HA1 interface of the peer firewall.
    • Backup Peer HA1 IP Address—Enter the IP address for the peer’s backup control link.
      Configure a backup Peer HA1 IP Address so that if the primary link fails, the backup link keeps the devices in sync and up to date.
    Active/Passive Settings
    • Passive Link State—Select one of the following options to specify whether the data links on the passive firewall should remain up. This option is not available in the VM-Series firewall in AWS.
      • auto—The links that have physical connectivity remain physically up but in a disabled state; they do not participate in ARP learning or packet forwarding. This will help in convergence times during the failover as the time to bring up the links is saved. In order to avoid network loops, do not select this option if the firewall has any Layer 2 interfaces configured.
      • shutdown—Forces the interface link to the down state. This is the default option, which ensures that loops are not created in the network.
      If the firewall has no Layer 2 interfaces configured, set the Passive Link State to auto.
    • Monitor Fail Hold Down Time (min) —This value between 1-60 minutes determines the interval in which a firewall will be in a non-functional state before becoming passive. This timer is used when there are missed heartbeats or hello messages due to a link or path monitoring failure.
    Election Settings
    Specify or enable the following settings:
    • Device Priority—Enter a priority value to identify the active firewall. The firewall with the lower value (higher priority) becomes the active firewall (range is 0–255) when the preemptive capability is enabled on both firewalls in the pair.
    • Heartbeat Backup—Uses the management ports on the HA firewalls to provide a backup path for heartbeat and hello messages. The management port IP address will be shared with the HA peer through the HA1 control link. No additional configuration is required.
      Enable Heartbeat Backup if you use an in-band port for the HA1 and HA1 Backup links. Don’t enable Heartbeat Backup if you use the management port for the HA1 or HA1 Backup links.
    • Preemptive—Enables the higher priority firewall to resume active (active/passive) or active-primary (active/active> operation after recovering from a failure. The Preemption option must be enabled on both firewalls for the higher priority firewall to resume active or active-primary operation upon recovery following a failure. If this setting is off, then the lower priority firewall remains active or active-primary even after the higher priority firewall recovers from a failure.
      Whether to enable Preemptive depends on your business requirements. If you require the primary device to be the active device, enable Preemptive so that after recovering from a failure, the primary device preempts the secondary device. If you require the fewest failover events, disable the Preemptive option so that after a failover, the HA pair doesn’t failover again to make the higher priority firewall the primary firewall.
    • HA Timer Settings— Select one of the preset profiles:
      • Recommended: Use for typical failover timer settings. Unless you’re sure that you need different settings, the best practice is to use the Recommended settings.
      • Aggressive: Use for faster failover timer settings.
        To view the preset value for an individual timer included in a profile, select Advanced and click Load Recommended or Load Aggressive. The preset values for your hardware model will be displayed on-screen.
      • Advanced: Allows you to customize the values to suit your network requirement for each of the following timers:
      • Promotion Hold Time—Enter the time that the passive peer (in active/passive mode) or the active-secondary peer (in active/active mode) will wait before taking over as the active or active-primary peer after communications with the HA peer have been lost. This hold time will begin only after the peer failure declaration has been made.
      • Hello Interval—Enter the number of milliseconds between the hello packets sent to verify that the HA program on the other firewall is operational (range is 8,000–60,000; default is 8,000).
      • Heartbeat Interval—Specify how frequently the HA peers exchange heartbeat messages in the form of an ICMP ping (range is 1,000–60,000 ms; no default).
      • Maximum No. of Flaps—A flap is counted when the firewall leaves the active state within 15 minutes after it last left the active state. You can specify the maximum number of flaps that are permitted before the firewall is determined to be suspended and the passive firewall takes over (range is 0–16; default is 3). The value 0 means there is no maximum (an infinite number of flaps is required before the passive firewall takes over).
      • Preemption Hold Time—Enter the time in minutes that a passive or active-secondary peer waits before taking over as the active or active-primary peer (range is 1–60; default is 1).
    • Monitor Fail Hold Up Time (ms)—Specify the interval during which the firewall will remain active following a path monitor or link monitor failure. This setting is recommended to avoid an HA failover due to the occasional flapping of neighboring devices (range is 0 to 60,000ms; default is 0ms).
    • Additional Master Hold Up Time (min)—This time interval is applied to the same event as Monitor Fail Hold Up Time (range is 0 to 60,000ms; default is 500ms). The additional time interval is applied only to the active peer in active/passive mode and to the active-primary peer in active/active mode. This timer is recommended to avoid a failover when both peers experience the same link/path monitor failure simultaneously.
    (HA1)/Control Link (HA1 Backup)
    The firewalls in an HA pair use HA links
    to synchronize data and maintain state information. Some firewall models have a dedicated Control Link and dedicated backup Control Link; for example, PA-5200 Series firewalls have HA1-A and HA1-B. In this case, you should enable the Heartbeat Backup option in the Elections Settings page. If you're using a dedicated HA1 port for the Control Link HA link and a data port for Control Link (HA Backup), it's recommended that you enable the Heartbeat Backup option.
    For firewalls that don't have a dedicated HA port, such as the PA-220 firewall, you should configure the management port for the Control Link HA connection and a data port interface configured with type HA for the Control Link HA1 Backup connection. Because the management port is used in this case, there is no need to enable the Heartbeat Backup option because the heartbeat backups will already occur through the management interface connection.
    On the VM-Series firewall in AWS, the management port is used as the HA1 link.
    When using a data port for the HA control link, keep in mind that because the control messages have to communicate from the dataplane to the management plane, if a failure occurs in the dataplane, peers cannot communicate HA control link information and a failover will occur. It is best to use the dedicated HA ports, or on firewalls that do not have a dedicated HA port, use the management port.
    Specify the following settings for the primary and backup HA control links when you configure Active/Passive HA or configure Active/Active HA:
    • Port—Select the HA port for the primary and backup HA1 interfaces. The backup setting is optional.
    • IPv4/IPv6 Address—Enter the IPv4 or IPv6 address of the HA1 interface for the primary and backup HA1 interfaces. The backup setting is optional.
      PA-3200 Series firewalls don’t support an IPv6 address for backup HA1 interfaces; use an IPv4 address.
    • Netmask—Enter the network mask for the IP address (such as 255.255.255.0) for the primary and backup HA1 interfaces. The backup setting is optional.
    • Gateway—Enter the IP address of the default gateway for the primary and backup HA1 interfaces. The backup setting is optional.
    • Link Speed—(Models with dedicated HA ports only) Select the speed for the control link between the firewalls for the dedicated HA1 port.
    • Link Duplex—(Models with dedicated HA ports only) Select a duplex option for the control link between the firewalls for the dedicated HA1 port.
    • Encryption Enabled—Enable encryption after exporting the HA key from the HA peer and importing it onto this firewall. The HA key on this firewall must also be exported from this firewall and imported on the HA peer. Configure this setting for the primary HA1 interface. Import/export keys on the Certificates page (see Device > Certificate Management > Certificate Profile).
      Enable encryption when firewalls aren’t directly connected (HA1 connections go through network devices that can inspect, process, and/or capture traffic).
    • Monitor Hold Time (ms)—Enter the length of time (milliseconds) that the firewall will wait before declaring a peer failure due to a control link failure (range is 1,000 to 60,000; default is 3,000). This option monitors the physical link status of the HA1 port(s).
    Data Link (HA2)
    When an HA2 backup link is configured, failover to the backup link will occur if there is a physical link failure. With the HA2 keep-alive option enabled, the failover will also occur if the HA keep-alive messages fail based on the defined threshold.
    Specify the following settings for the primary and backup data link when you configure Active/Passive HA or configure Active/Active HA:
    • Port—Select the HA port. Configure this setting for the primary and backup HA2 interfaces. The backup setting is optional.
    • IP Address—Specify the IPv4 or IPv6 address of the HA interface for the primary and backup HA2 interfaces. The backup setting is optional.
    • Netmask—Specify the network mask for the HA interface for the primary and backup HA2 interfaces. The backup setting is optional.
    • Gateway—Specify the default gateway for the HA interface for the primary and backup HA2 interfaces. The backup setting is optional. If the HA2 IP addresses of the firewalls are in the same subnet, the Gateway field should be left blank.
    • Enable Session Synchronization—Enable synchronization of the session information with the passive firewall, and choose a transport option.
      Enable session synchronization so that the secondary device has the session in its dataplane, which allows the firewall to match packets to the synchronized session and quickly forward packets. If you don’t enable session synchronization, the firewall must create the session again, which introduces latency and could drop connections.
    • Transport—Choose one of the following transport options:
      • Ethernet—Use when the firewalls are connected back-to-back or through a switch (Ethertype 0x7261).
      • IP—Use when Layer 3 transport is required (IP protocol number 99).
      • UDP—Use to take advantage of the fact that the checksum is calculated on the entire packet rather than just the header, as in the IP option (UDP port 29281). The benefit of using UDP mode is the presence of the UDP checksum to verify the integrity of a session sync message.
    • Link Speed—(Models with dedicated HA ports only) Select the speed for the control link between peers for the dedicated HA2 port.
    • Link Duplex—(Models with dedicated HA ports only) Select a duplex option for the control link between peers for the dedicated HA2 port.
      • HA2 keep-alive—It is a best practice to select this option to monitor the health of the HA2 data link between HA peers. This option is disabled by default and you can enable it on one or both peers. If enabled, the peers will use keep-alive messages to monitor the HA2 connection to detect a failure based on the Threshold you set (default is 10,000 ms). If you enable HA2 keep-alive, the HA2 Keep-alive recovery Action will be taken. Select an Action:
      • Log Only—Logs the failure of the HA2 interface in the system log as a critical event. Select this option for active/passive deployments because the active peer is the only firewall forwarding traffic. The passive peer is in a backup state and is not forwarding traffic; therefore a split datapath is not required. If you have not configured any HA2 Backup links, state synchronization will be turned off. If the HA2 path recovers, an informational log will be generated.
      • Split Datapath—Select this option in active/active HA deployments to instruct each peer to take ownership of their local state and session tables when it detects an HA2 interface failure. Without HA2 connectivity, no state and session synchronization can happen; this action allows separate management of the session tables to ensure successful traffic forwarding by each HA peer. To prevent this condition, configure an HA2 Backup link.
      • Threshold (ms)—The duration in which keep-alive messages have failed before one of the above actions will be triggered (range is 5,000 to 60,000ms; default is 10,000ms).
    Link and Path Monitoring Tab (Not available for the VM-Series firewall in AWS)
    Path Monitoring
    Specify the following:
    • Enabled—Enable path monitoring. Path monitoring enables the firewall to monitor specified destination IP addresses by sending ICMP ping messages to make sure that they are responsive. Use path monitoring for virtual wire, Layer 2, or Layer 3 configurations where monitoring of other network devices is required for failover and link monitoring alone is not sufficient.
    • Failure Condition—Select whether a failover occurs when any or all of the monitored path groups fail to respond.
    Enable and configure either path monitoring or link monitoring to help trigger a failover if a path or link goes down. Configure at least one Path Group for path monitoring and configure at least one Link Group for Link Monitoring.
    Path Group
    Define one or more path groups to monitor specific destination addresses. To add a path group, click Add for the interface type (Virtual Wire, VLAN, or Virtual Router) and specify the following:
    • Name—Select a virtual wire, VLAN, or virtual router from the drop-down (the drop-down is populated depending on if you are adding a virtual wire, VLAN, or virtual router path).
    • Enabled—Enable the path group.
    • Failure Condition—Select whether a failure occurs when any or all of the specified destination addresses fails to respond.
    • Source IP—For virtual wire and VLAN interfaces, enter the source IP address used in the probe packets sent to the next-hop router (Destination IP address). The local router must be able to route the address to the firewall. The source IP address for path groups associated with virtual routers will be automatically configured as the interface IP address that is indicated in the route table as the egress interface for the specified destination IP address.
    • Destination IPs—Enter one or more (comma-separated) destination addresses to be monitored.
    • Ping Interval—Specify the interval between pings that are sent to the destination address (range is 200 to 60,000ms; default is 200ms).
    • Ping Count—Specify the number of failed pings before declaring a failure (range is 3 to 10; default is 10).
    Link Monitoring
    Specify the following:
    • Enabled—Enable link monitoring. Link monitoring allows failover to be triggered when a physical link or group of physical links fails.
    • Failure Condition—Select whether a failover occurs when any or all of the monitored link groups fail.
    Enable and configure either path monitoring or link monitoring to help trigger a failover if a path or link goes down. Configure at least one Path Group for path monitoring and configure at least one Link Group for Link Monitoring.
    Link Groups
    Define one or more link groups to monitor specific Ethernet links. To add a link group, specify the following and click Add:
    • Name—Enter a link group name.
    • Enabled—Enable the link group.
    • Failure Condition—Select whether a failure occurs when any or all of the selected links fail.
    • Interfaces—Select one or more Ethernet interfaces to be monitored.
    Active/Active Config Tab
    Packet Forwarding
    Enable peers to forward packets over the HA3 link for session setup and for Layer 7 inspection (App-ID, Content-ID, and threat inspection) of asymmetrically routed sessions.
    HA3 Interface
    Select the data interface you plan to use to forward packets between active/active HA peers. The interface you use must be a dedicated Layer 2 interface set to Interface Type HA.
    If the HA3 link fails, the active-secondary peer will transition to the non-functional state.To prevent this condition, configure a Link Aggregation Group (LAG) interface with two or more physical interfaces as the HA3 link. The firewall does not support an HA3 Backup link. An aggregate interface with multiple interfaces will provide additional capacity and link redundancy to support packet forwarding between HA peers.
    You must enable jumbo frames on the firewall and on all intermediary networking devices when using the HA3 interface. To enable jumbo frames, select DeviceSetupSession and select the option to Enable Jumbo Frame in the Session Settings section.
    VR Sync
    Force synchronization of all virtual routers configured on the HA peers.
    Use this option when the virtual router is not configured for dynamic routing protocols. Both peers must be connected to the same next-hop router through a switched network and must use static routing only.
    QoS Sync
    Synchronize the QoS profile selection on all physical interfaces. Use this option when both peers have similar link speeds and require the same QoS profiles on all physical interfaces. This setting affects the synchronization of QoS settings on the Network tab. QoS policy is synchronized regardless of this setting.
    Tentative Hold Time (sec)
    When a firewall in an HA active/active configuration fails, it will go into a tentative state. The transition from tentative state to active-secondary state triggers the Tentative Hold Time, during which the firewall attempts to build routing adjacencies and populate its route table before it will process any packets. Without this timer, the recovering firewall would enter the active-secondary state immediately and would blackhole packets because it would not have the necessary routes (default is 60 seconds).
    Session Owner Selection
    The session owner is responsible for all Layer 7 inspection (App-ID and Content-ID) for the session and for generating all Traffic logs for the session. Select one of the following options to specify how to determine the session owner for a packet:
    • First packet—Select this option to designate the firewall that receives the first packet in a session as the session owner. This is the best practice configuration to minimize traffic across HA3 and distribute the dataplane load across peers.
    • Primary Device—Select this option if you want the active-primary firewall to own all sessions. In this case, if the active-secondary firewall receives the first packet, it will forward all packets requiring Layer 7 inspection to the active-primary firewall over the HA3 link.
    Session Setup
    The firewall responsible for session setup performs Layer 2 through Layer 4 processing (including address translation) and creates the session table entry. Because session setup consumes management plane resources, you can select one of the following options to help distribute the load:
    • Primary Device—The active-primary firewall sets up all sessions.
    • IP Modulo—Distributes session setup based on the parity of the source IP address.
    • IP Hash—Distributes session setup based on a hash of the source IP address or source and destination IP address, and hash seed value if you need more randomization.
    • First Packet—The firewall that receives the first packet performs session setup, even in cases where the peer owns the session. This option minimizes traffic over the HA3 link and ensures that the management plane-intensive work of setting up the session always happens on the firewall that receives the first packet.
    Virtual Address
    Click Add, select the IPv4 or IPv6 tab and then click Add again to enter options to specify the type of HA virtual address to use: Floating or ARP Load Sharing. You can also mix the type of virtual address types in the pair. For example, you could use ARP load sharing on the LAN interface and a Floating IP on the WAN interface.
    • Floating—Enter an IP address that will move between HA peers in the event of a link or system failure. Configure two floating IP addresses on the interface, so that each firewall will own one and then set the priority. If either firewall fails, the floating IP address transitions to the HA peer.
      • Device 0 Priority—Set the priority for the firewall with Device ID 0 to determine which firewall will own the floating IP address. A firewall with the lowest value will have the highest priority.
      • Device 1 Priority—Set the priority for the firewall with Device ID 1 to determine which firewall will own the floating IP address. A firewall with the lowest value will have the highest priority.
      • Failover address if link state is down—Use the failover address when the link state is down on the interface.
      • Floating IP bound to the Active-Primary HA device—Select this option to bind the floating IP address to the active-primary peer. In the event one peer fails, traffic is sent continuously to the active-primary peer even after the failed firewall recovers and becomes the active-secondary peer.
    • ARP Load Sharing—Enter an IP address that will be shared by the HA pair and provide gateway services for hosts. This option is only required if the firewall is on the same broadcast domain as the hosts. Select the Device Selection Algorithm:
      • IP Modulo—Select the firewall that will respond to ARP requests based on the parity of the ARP requesters IP address.
      • IP Hash—Select the firewall that will respond to ARP requests based on a hash of the ARP requesters IP address.
    Operational Commands
    Suspend local device
    (or Make local device functional)
    The following operational mode CLI command places the local HA peer in a suspended state and temporarily disables HA functionality on the firewall. If you suspend the currently active firewall, the other peer will take over.
    request high-availability state suspend
    To place a suspended firewall back into a functional state, use the following operational mode CLI command:
    request
high-availability state functional
    To test failover, you can either uncable the active (or active-primary) firewall or you can click this link to suspend the active firewall.

    © 2024 Palo Alto Networks, Inc. All rights reserved.