Palo Alto HA

on

 HA cluster : 2 identical

P/A: support L2, L3 and VW. 

A/A: support L3 and VW.

PA200 only support HA lite which is not stateful 


HA1: Control Plane Link (L3): heartbeat, HA state info, routing sync, user-ID info.

HA2: Data Plane Link (L2, stateful link): sync sessions, FIB, IPsec sa, ARP.

HA3: For A/A, forward packet

heartbeat backup can run on mgmt interface


Preemptive: lower number has high priority


The 'Heartbeat' message is an ICMP Ping that is sent to its peer every configured 'Heartbeat Interval'. It verifies network connectivity with the HA peer. Hello Message The 'Hello' message is sent from each peer to the other once every configured 'Hello Interval'. It determines if the HA Agent is running. No response is sent by the recipient.


Management interface has dedicated IP, data interface IP  on the active FW, standby FW has no IP. By default, data interface on standby FW is in shutdown status.

When FWs are directly connected in same LAN, HA2 using ethernet Transport protocol, doesn't need an IP address 

admin@PA-916-B(passive)> show interface hardware
total configured hardware interfaces: 3
name                    id    speed/duplex/state        mac address
--------------------------------------------------------------------------------
ethernet1/1             16    ukn/ukn/down(power-down)  00:0c:29:7a:5c:0c
ethernet1/3             18    10000/full/up             00:0c:29:7a:5c:20
ethernet1/4             19    10000/full/up             00:0c:29:7a:5c:2a
aggregation groups: 0

admin@PA-916-A(active)> show high-availability state

Group 5:
  Mode: Active-Passive
  Local Information:
    Version: 1
    Mode: Active-Passive
    State: active (last 51 minutes)
    Device Information:
      Management IPv4 Address: 172.16.1.60/24
      Management IPv6 Address: 
      Jumbo-Frames disabled; MTU 1500
    HA1 Control Links Joint Configuration:
      Encryption Enabled: no
    Election Option Information:
      Priority: 10
      Preemptive: yes
    Version Compatibility:
      Software Version: Match
      Application Content Compatibility: Match
      Anti-Virus Compatibility: Match
      Threat Content Compatibility: Match
      VPN Client Software Compatibility: Match
      Global Protect Client Software Compatibility: Match
      VM License Type: Match
      Plugin Information:
        VMS: Match
    State Synchronization: Complete; type: ethernet
  Peer Information:
    Connection status: up
    Version: 1
    Mode: Active-Passive
    State: passive (last 44 minutes)
    Device Information:
      Management IPv4 Address: 172.16.1.61/24
      Management IPv6 Address:
      Jumbo-Frames disabled; MTU 1500
      Connection up; Primary HA1 link
      Connection up
      Keep-alive config log-only; status up; Primary HA2 Link
        Monitor Hold inactive; Allow settling after failure
    Election Option Information:
      Priority: 100
      Preemptive: yes
  Configuration Synchronization:
    Enabled: yes
    Running Configuration: synchronized
admin@PA-916-A(active)>


====================

heartbeat poll
interface monitor
path monitor

Config:

https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/high-availability/set-up-activepassive-ha/configure-activepassive-ha.html



show high-availability state 


HA2 Keepalive

When enabled it monitors the connection stability between the HA pair devices on HA2 connection
   With the HA2 keep-alive option enabled, the failover will also occur if the HA keep-alive messages fail based on the defined threshold


=====To failover traffic from active device to passive =====

 Failover on the current active member with the CLI command:
CLI:
 request high-availability state suspend

GUI:
Device > High Availability > Operational Commands – click Suspend local device for high availability


Restore the suspended firewall to a functional state

CLI:
request high-availability state functional

GUI:
Device > High Availability > Operational Commands – click make local device functional for high availability

================================

Preempt

Need be enabled on both units, priority has lower value wins
Default hold time is 1 mins


Link Monitoring

Tested when link monitoring and preempt are both enabled .

When node 1 has a link failure, failover happens, lost 6 ping packets, node1 LED ALAM turned to red, data ports go to disabled by default in passive node,  then link monitoring no longer works in the passive node, alarm is cleared, since preempt it on, failover happens again, active is back on unit 1, but soon get error and be suspended, failover happens again.



Passive Link Check

Recommended to set to "Auto", which keep port physically up but in a disabled state, this helps reduce convergence time.







Comments

Post a Comment