Palo Alto Networks Firewall - Advanced High Availability (HA) Configurations

HA Pairing Process

Establishing an HA pair involves connecting two firewalls to operate in a synchronized manner, ensuring redundancy and seamless failover. The process includes:

1. Physically connecting HA1 (control) and HA2 (data) ports between the firewalls.
2. Configuring HA settings:
   • Set HA mode (Active/Passive or Active/Active).
   • Assign a unique Group ID.
   • Enable configuration synchronization.
3. Setting up control link (HA1) and data link (HA2) interfaces with appropriate IP addressing.
4. Optionally configuring backup links (HA1 Backup and HA2 Backup) for redundancy.
5. Committing the configuration and verifying HA status on both firewalls.

Detailed steps can be found in the official documentation: Configure Active/Passive HA .

HA Timers and Failover Mechanisms

HA timers control the detection of failures and the initiation of failover processes. Key timers include:

• Heartbeat Interval: Frequency of heartbeat messages sent between peers (default: 1000 ms).
• Heartbeat Failures: Number of missed heartbeats before declaring a failure (default: 3).
• Preemption Hold Time: Delay before a higher priority device preempts the active role (default: 1 second).

Failover can be triggered by:

• Failure of monitored links or paths.
• Loss of heartbeat messages.
• Manual suspension of the active firewall.
• System health issues detected by internal checks.

For more information, refer to: Failover .

Link and Path Monitoring

Link and path monitoring enhance HA by detecting failures in interfaces and network paths:

• Link Monitoring: Monitors the state of physical interfaces. Failover occurs if specified links go down.
• Path Monitoring: Monitors the reachability of specified IP addresses by sending ICMP pings. Failover occurs if destinations become unreachable.

Configuration involves defining link groups and path groups with specified failure conditions (e.g., any or all links/paths must fail to trigger failover).

Detailed configuration steps are available here: HA Link and Path Monitoring .

LACP on Passive Firewall

In an Active/Passive HA configuration, enabling LACP on the passive firewall allows for pre-negotiation of LACP sessions. This pre-negotiation ensures that upon failover, the passive firewall can quickly assume the active role without the delay of establishing new LACP sessions.

Configuration Steps:

1. Navigate to Network > Interfaces and select the appropriate Aggregate Ethernet (AE) interface.
2. Within the AE interface settings, go to the LACP tab.
3. Check the option "Enable in HA Passive State" to allow LACP pre-negotiation on the passive firewall.
4. Additionally, ensure that under Device > High Availability > General > Active/Passive Settings , the "Passive Link State" is set to Auto .

Note: LACP pre-negotiation is not supported on VM-Series firewalls and certain hardware models. Ensure compatibility before enabling this feature.

For detailed guidance, refer to the official documentation: LACP and LLDP Pre-Negotiation for Active/Passive HA .

HA Clustering

High Availability (HA) Clustering in Palo Alto Networks firewalls allows multiple firewalls to operate as a single logical unit, providing scalability and redundancy. This setup is beneficial for large-scale deployments requiring high throughput and seamless failover capabilities.

Key Features:

• Cluster Size: Supports up to 16 firewalls in a single cluster, depending on the firewall model.
• Session Synchronization: All cluster members share session state information to ensure uninterrupted traffic flow during failover.
• HA4 Links: Dedicated interfaces (HA4 and HA4 backup) are used for session state synchronization among cluster members.
• Deployment Modes: Supports both Active/Active and Active/Passive configurations within the cluster.

Implementation Steps:

1. Ensure all firewalls are of the same model and PAN-OS version.
2. Configure HA1 (control), HA2 (data), and HA4 (session synchronization) interfaces appropriately.
3. Assign a unique Cluster ID to all members.
4. Enable clustering on each firewall and verify cluster formation.
5. Monitor cluster health and perform failover testing to ensure reliability.

For detailed guidance, refer to the official documentation: HA Clustering Overview .

References

• Configure Active/Passive HA - PAN-OS 10.1 Administration Guide
• HA Clustering Overview - PAN-OS 11.1 Administration Guide
• Configure HA Clustering - PAN-OS 11.1 Administration Guide
• Reference: HA Synchronization - PAN-OS 11.0 Administration Guide
• HA Clustering Best Practices and Provisioning - PAN-OS 10.1 Administration Guide
• LACP and LLDP Pre-Negotiation for Active/Passive HA - PAN-OS 10.1 Administration Guide
• HA Link and Path Monitoring - PAN-OS 11.0 Web Interface Help