
ACTIVE/PASSIVE RESILIENT PREVENTION

HIGH AVAILABILITY
• HA components and operation
• Active/passive HA configuration
• Monitoring HA state

EDU-210 Version A
PAN-OS® 9.0
Agenda
After you complete this module, you should be able to:

• Describe the differences between active/active and active/passive HA
• Define the prerequisites for creating an HA pair
• Describe the metrics used to detect a firewall failure
• Configure the firewall interfaces used for heartbeats and hellos
• Configure an HA pair

2 | © 2019 Palo Alto Networks, Inc.


HA overview
HA components and operation
Active/passive HA configuration
Monitoring HA state

Firewall High Availability
• HA provides:
  • Redundancy
  • Business continuity
• Two deployment modes:
  • Active/passive
  • Active/active
• Firewalls synchronize their configurations:
  • Networks, objects, policies, certificates, session tables*
• Not synchronized:
  • Management interface configuration, HA settings, logs, and ACC information
*Not PA-200
[Diagram: an Active/Passive pair and an Active/Active pair]
Active/Passive HA
• One firewall actively processes traffic
• One firewall synchronized and ready to process traffic
• No increase in session capacity
• Supports Virtual Wire, Layer 2, and Layer 3 interfaces


Active/Active HA
• Both devices in the pair are:
  • Actively processing
  • Passing traffic
• Primarily designed to support asymmetric routing
• No increase in session capacity
• Not designed to increase throughput
• Supports Virtual Wire and Layer 3 interfaces


HA Prerequisites
• Before HA can be enabled, both firewalls must have the same:
  • Model
  • PAN-OS® version
    • Exception: Temporary version mismatch during software upgrades
  • Up-to-date application, URL, and threat databases
  • HA interface types
  • Licenses
  • Matching slot configuration (multi-slot firewall models)
• For VM-Series firewalls, both firewalls must have the same:
  • Hypervisor
  • Number of CPU cores


HA components and operation

Active/Passive HA Links
• Control link (HA1): Layer 3 link* between the management planes of the two firewalls
  • Syncs configuration
  • Exchanges heartbeats and hellos
• Data link (HA2): Layer 2 or 3 link between the data planes of the two firewalls
  • Syncs active sessions
*Optionally encrypted


Dedicated and Non-Dedicated HA Ports
• Dedicated HA ports:
  • PA-800, PA-3000, PA-3200, PA-5000, PA-7000 Series
  • Management plane: HA1 = control link; data plane: HA2 = data link
• Non-dedicated HA ports:
  • PA-200 and PA-500 Series: management plane MGT* = control link; data plane eth n/n = data link
  • VM-Series: data plane eth n/n = control link; eth n/n = data link
  • Use MGT/in-band ports for HA
  • Set in-band interface type to HA
*HA1/HA2 functionality is not supported on the MGT port configured as a DHCP client.


HA Backup Links
• Use in-band ports as HA backup links
• Set in-band interface type to HA
[Diagram, dedicated port example: MP HA1 = control link, DP eth n/n = backup control link, HA2 = data link, eth n/n = backup data link]
[Diagram, non-dedicated port example: MP MGT = control link, DP eth n/n = backup control link, eth n/n = data link, eth n/n = backup data link]


PA-7000 Series HA Links
• Dedicated HA Control/Data links and backup links on SMC
• In-band ports are optional for HA2.
[Diagram: SMC HA1-A = control link, HA1-B = backup control link, HSCI-A = data link, HSCI-B = backup data link; NPC in-band ports]


Designating an Active Firewall
• Assign device priorities to both firewalls: lower number = Active, higher number = Passive
• Switch on failure
• Preemption enabled? Automatic failback after repair


Failure Detection
• Heartbeats and hellos exchanged between the peers
• Internal health checks
• Link groups (link up?)
• Path groups (IP reachability)


HA Timer Profiles
• HA timers enable the firewall to detect failures and trigger failover.
• Timer profiles simplify setting HA timer settings.
• Profiles: Recommended, Aggressive, Advanced
• Advanced enables individual timer control.


Heartbeat Backup on MGT Port
• MGT port can be configured for heartbeat backup, if not already used as an HA link.
• Useful to help avoid split-brain condition
[Diagram, redundant MP connections: HA1 = control link with heartbeat backup enabled on MGT and DP eth n/n = backup control link; or HA1 = control link with MGT* = backup control link]
[Diagram, non-redundant MP connections: heartbeat backup enabled on MGT with DP eth n/n = control link and eth n/n = backup control link; or MGT* = control link with DP eth n/n = backup control link]
*MGT already in HA use
Active/passive HA configuration

Prepare In-Band Interfaces
Network > Interfaces > Ethernet > <interface_name>
• In-band Control or Data links must be type HA.


Configuring HA
Device > High Availability
• Device > High Availability
• Click gear icons to configure HA


Enabling Active/Passive HA
Device > High Availability > General > Setup
Screen callouts:
• Select (enable HA).
• Choose same ID on both peers (1-63).
• Addresses used to connect, synchronize with, and monitor peer


Configuring the Control Link
Device > High Availability > General
• If there is no dedicated HA1 port, use MGT or an in-band port.
Screen callouts:
• If MGT port, uses current IP address
• If in-band (or HA1) port, choose and configure IP address.
• Optional HA1 encryption
• Configure only if peer is on another subnet.


Configuring the Backup Control Link
Device > High Availability > General
Screen callouts:
• Choose an in-band port and configure an IP address and netmask.
• Configure only if peer is on another subnet


Configuring the Data Link
Device > High Availability > General
• If there is no dedicated HA2 port, use an in-band port.
Screen callouts:
• Enabled by default
• IP information optional with ethernet transport
• Configure only if peer is on another subnet.
• Optional keep-alive packet; action of Log only appropriate for active/passive configuration


Configuring the Backup Data Link
Device > High Availability > General
Screen callouts:
• Choose an in-band port and configure IP address and netmask
• Configure only if peer is on another subnet


Configuring Election Settings
Device > High Availability > General
Screen callouts:
• Firewall with lower number is active peer.
• Optional failback to active after repair? (The setting must match on both peers.)
• Optional heartbeat and hellos sent on MGT port


Configuring Active/Passive Settings
Device > High Availability > General
Screen callouts:
• Enable passive firewall in-band link state to reduce failover time (optional).


Link Group Monitoring
Device > High Availability > Link and Path Monitoring
Screen callouts:
• Enable link monitoring.
• Fail over if any or all Link Group fails
• Fail Group if any link fails
• Fail Group if all links fail


Configuring Path Monitoring
Device > High Availability > Link and Path Monitoring
Screen callouts:
• Enable path monitoring
• Fail over if any or all Path Group fails
• Fail Group if any path fails
• Fail Group if all paths fail
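How the two-level monitoring decision on the link-group and path-group slides combines (a group fails when any or all of its members fail; the firewall fails over when any or all monitored groups have failed), modeled in Python as an added example rather than Palo Alto Networks code. The group names, interface names and next-hop addresses are constructed for the demo.

```python
from dataclasses import dataclass, field


@dataclass
class MonitorGroup:
    """One Link Group or Path Group. `members` maps an interface name
    (link group) or a monitored IP (path group) to True = up / False = down."""
    name: str
    condition: str                 # "any" or "all": when the group fails
    members: dict = field(default_factory=dict)

    def failed(self) -> bool:
        """'Fail Group if any link/path fails' vs 'Fail Group if all fail'.
        An empty group has nothing to monitor and never fails (assumption)."""
        if not self.members:
            return False
        states = list(self.members.values())
        if self.condition == "any":
            return not all(states)        # at least one member is down
        if self.condition == "all":
            return not any(states)        # every member is down
        raise ValueError(f"unknown failure condition {self.condition!r}")


def failover_required(groups, failure_condition="any", enabled=True):
    """Top-level decision: 'Fail over if any or all Link/Path Group fails'.
    With monitoring disabled (or no groups defined) nothing triggers failover."""
    if not enabled or not groups:
        return False
    failed = [g.failed() for g in groups]
    return any(failed) if failure_condition == "any" else all(failed)


def demo():
    """Constructed scenario: two untrust links in a link group that fails if
    ANY link is down, and two ISP next hops in a path group that fails only
    if ALL of them stop answering. Interface names and IPs are made up."""
    links = MonitorGroup("untrust-links", "any",
                         {"ethernet1/1": True, "ethernet1/2": False})
    paths = MonitorGroup("isp-next-hops", "all",
                         {"203.0.113.1": False, "203.0.113.2": True})
    return {
        "link_group_failed": links.failed(),                              # True
        "path_group_failed": paths.failed(),                              # False
        "failover_any_group": failover_required([links, paths], "any"),   # True
        "failover_all_groups": failover_required([links, paths], "all"),  # False
    }
```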


Monitoring HA state

Active/Passive HA Pair Start-Up
Flow chart, read as steps:
• FW boot: H/W health ok?
  • No: NON-FUNCTIONAL state
  • Yes: INITIAL state, look for peer
• Peer found?
  • No: ACTIVE state
  • Yes: negotiate with peer
• Config mismatch?
  • Yes: NON-FUNCTIONAL state
  • No: higher device priority?
    • Yes: ACTIVE state
    • No: PASSIVE state
• Administrator-initiated (testing?): suspend firewall, from the ACTIVE or PASSIVE state to the SUSPENDED state


Active/Passive Firewall States
Firewall State: Description
• INITIAL: Transient state of a firewall when it joins the HA pair. The firewall remains in this state after boot-up until it discovers a peer and negotiations begin.
• ACTIVE: Normal traffic-handling state
• PASSIVE: Normal traffic is discarded; might process LLDP and LACP traffic
• SUSPENDED: Administratively disabled
• NON-FUNCTIONAL: Error state
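The start-up flow chart and state table above, together with the election and preemption rules from the "Designating an Active Firewall" and "Configuring Election Settings" slides, modeled in Python as an added example (not Palo Alto Networks code). The `config_hash` field is an assumed stand-in for the "config mismatch?" check, and the handling of equal device priorities is not taken from the slides.

```python
from dataclasses import dataclass

# States from the 'Active/Passive Firewall States' table
INITIAL, ACTIVE, PASSIVE, SUSPENDED, NON_FUNCTIONAL = (
    "INITIAL", "ACTIVE", "PASSIVE", "SUSPENDED", "NON-FUNCTIONAL")

@dataclass
class Firewall:
    name: str
    device_priority: int          # lower number = the preferred active peer
    hw_ok: bool = True            # result of the boot-time H/W health check
    config_hash: str = "cfg-v1"   # assumed stand-in for "config mismatch?"
    state: str = INITIAL

def start_up(fw, peer=None):
    """Walk the start-up flow chart once; return fw's resulting state."""
    if not fw.hw_ok:                              # H/W health ok? -> No
        fw.state = NON_FUNCTIONAL
        return fw.state
    fw.state = INITIAL                            # look for peer
    if peer is None:                              # Peer found? -> No
        fw.state = ACTIVE
        return fw.state
    if fw.config_hash != peer.config_hash:        # negotiate: config mismatch?
        fw.state = NON_FUNCTIONAL
        return fw.state
    if fw.device_priority == peer.device_priority:  # tie is not on the slide
        raise ValueError("equal device priorities: election undefined here")
    fw.state = ACTIVE if fw.device_priority < peer.device_priority else PASSIVE
    return fw.state

def suspend(fw):
    """Administrator-initiated suspend (for example, for testing)."""
    fw.state = SUSPENDED
    return fw.state

def peer_failed(survivor):
    """Switch on failure: the surviving passive peer becomes active."""
    survivor.state = ACTIVE
    return survivor.state

def peer_repaired(repaired, current, preemption):
    """Repaired peer rejoins: with preemption enabled, the lower priority
    number takes the active role back (automatic failback after repair)."""
    if preemption and repaired.device_priority < current.device_priority:
        repaired.state, current.state = ACTIVE, PASSIVE
    else:
        repaired.state = PASSIVE
    return repaired.state, current.state
```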


Monitor Firewall States
[Screenshots: Dashboard of the active device and Dashboard of the passive device]


System Log
Monitor > Logs > System


Module Summary
Now that you have completed this module, you should be able to:

• Describe the differences between active/active and active/passive HA
• Define the prerequisites for creating an HA pair
• Describe the metrics used to detect a firewall failure
• Configure the firewall interfaces used for heartbeats and hellos
• Configure an HA pair


Questions?
Q & A
High Availability Lab (Pages 254-263 in the Lab Guide)
• Load a firewall lab configuration
• View HA status in the Dashboard
• Configure active/passive HA
• Configure HA monitoring
• Verify HA configuration



PROTECTION. DELIVERED.