High Availability (HA) Election Settings in Palo Alto Networks Firewalls
Overview
In a High Availability (HA) configuration, Palo Alto Networks firewalls use election settings to decide which peer assumes the active role. These settings determine which firewall becomes active at startup, whether a recovered firewall takes the active role back, and how quickly a failure is detected, so they directly control failover behavior.
Key Election Settings
Device Priority:
A numerical value (0-255) assigned to each firewall. The firewall with the lower value has the higher priority and is preferred to become active.
Preemptive:
When enabled on both firewalls, the device with the higher priority (lower Device Priority value) automatically takes the active role back after it recovers from a failure, once the Preemption Hold Time has elapsed. If it is disabled on either peer, the recovered device stays passive and the current active firewall keeps the role until it fails or is manually suspended.
Heartbeat Backup:
Sends heartbeat and hello messages over the management (MGT) port as a backup path, so that a failure of the HA1 link does not leave the peers unable to reach each other with both claiming the active role (split brain).
HA Timer Profiles:
Determine how quickly a failure is detected and how fast failover occurs. Options include:
Recommended:
Default settings suitable for most environments.
Aggressive:
Faster detection and failover, suitable for environments that require quick recovery.
Advanced:
Allows the individual timer values (Hello Interval, Heartbeat Interval, Promotion Hold Time, Preemption Hold Time, Monitor Fail Hold Up Time, and so on) to be set for specialized requirements.
Configuration Steps
1. Navigate to Device > High Availability > General > Election Settings.
2. Set the Device Priority for each firewall. Lower values indicate higher priority.
3. Enable or disable the Preemptive option based on your desired failover behavior; it must be enabled on both peers to take effect.
4. Enable Heartbeat Backup if using the management interface for redundancy.
5. Select the appropriate HA Timer Profile, or customize individual timers under the Advanced option.
6. Commit the configuration changes to apply the settings.
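The same steps can be scripted against the PAN-OS XML API instead of the web interface. The following is an added example (not Palo Alto Networks code): it builds the election-option element with range checks, produces the type=config set request, the commit, and the operational "show high-availability state" call used to verify the result. It assumes the default device entry name localhost.localdomain in the XPath, the element names of the PAN-OS configuration schema under deviceconfig/high-availability/group/election-option, and placeholder host and API key values; it only constructs the requests and does not contact a firewall.

```python
"""Build PAN-OS XML API requests for the HA election settings configured above.

Added example, not Palo Alto Networks code. Assumptions: the XPath targets the
default device entry 'localhost.localdomain', element names follow the PAN-OS
configuration schema for election-option, and host/API key are placeholders.
"""
from urllib.parse import urlencode
from xml.etree import ElementTree as ET

ELECTION_XPATH = (
    "/config/devices/entry[@name='localhost.localdomain']"
    "/deviceconfig/high-availability/group/election-option"
)

# Timers that may be set individually when the 'advanced' profile is chosen
# (milliseconds, except preemption-hold-time in minutes and flap-max, a count).
ADVANCED_TIMERS = {
    "hello-interval", "heartbeat-interval", "promotion-hold-time",
    "preemption-hold-time", "monitor-fail-hold-up-time",
    "additional-master-hold-up-time", "flap-max",
}


def election_settings_xml(priority, preemptive, heartbeat_backup,
                          timers="recommended", advanced=None):
    """Return the children of <election-option> as an XML string."""
    if not 0 <= priority <= 255:
        raise ValueError("device priority must be 0-255 (lower value = higher priority)")
    if timers not in ("recommended", "aggressive", "advanced"):
        raise ValueError("timers must be recommended, aggressive or advanced")
    root = ET.Element("election-option")
    ET.SubElement(root, "device-priority").text = str(priority)
    ET.SubElement(root, "preemptive").text = "yes" if preemptive else "no"
    ET.SubElement(root, "heartbeat-backup").text = "yes" if heartbeat_backup else "no"
    timers_el = ET.SubElement(root, "timers")
    if timers == "advanced":
        adv = ET.SubElement(timers_el, "advanced")
        for name, value in (advanced or {}).items():
            if name not in ADVANCED_TIMERS:
                raise ValueError(f"unknown advanced timer {name!r}")
            ET.SubElement(adv, name).text = str(value)
    else:
        ET.SubElement(timers_el, timers)  # <recommended /> or <aggressive />
    # action=set takes the child nodes of the element named by the XPath.
    return "".join(ET.tostring(child, encoding="unicode") for child in root)


def set_request(api_key, element_xml):
    """Query string for a type=config action=set call on the election settings."""
    return urlencode({"type": "config", "action": "set", "xpath": ELECTION_XPATH,
                      "element": element_xml, "key": api_key})


def commit_request(api_key):
    """Query string that commits the candidate configuration."""
    return urlencode({"type": "commit", "cmd": "<commit></commit>", "key": api_key})


def ha_state_request(api_key):
    """Operational command to verify the HA state after the commit."""
    cmd = "<show><high-availability><state></state></high-availability></show>"
    return urlencode({"type": "op", "cmd": cmd, "key": api_key})


if __name__ == "__main__":
    # Preferred peer of the pair: priority 90, preemption and heartbeat backup on.
    body = election_settings_xml(90, True, True)
    base = "https://<firewall>/api/?"  # placeholder host
    print("GET " + base + set_request("<api-key>", body))
    print("GET " + base + commit_request("<api-key>"))
    print("GET " + base + ha_state_request("<api-key>"))
```

Run the three requests in order on each peer (with its own priority), then compare the reported state of both firewalls with the priorities you set before relying on the pair.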
Best Practices
Ensure both firewalls are the same model and run the same PAN-OS version, and keep their configurations synchronized (device priority and HA link addresses are the per-device exceptions).
Use dedicated interfaces for HA links to prevent interference with regular traffic.
Regularly monitor HA status and logs to detect and address issues promptly.
Test failover scenarios periodically to ensure HA functionality operates as expected.
PCNSE Practice Questions: HA Election Settings
Which timer determines the frequency between packets sent to verify that the HA functionality on the other HA firewall is operational?
A. Hello Interval
B. Monitor Fail Hold Up Time
C. Heartbeat Interval
D. Promotion Hold Time
Answer:
A
Explanation:
The Hello Interval defines how often hello packets are sent to verify the operational status of the peer firewall.
In a preemptive active/passive HA configuration, firewall-02 has a device priority of 100 and firewall-01 has a device priority of 90. If firewall-01 reboots, what happens?
A. No action; firewall-01 cannot be rebooted with a lower device priority.
B. No action; firewall-02 remains active.
C. Firewall-02 becomes active; firewall-01 resumes the active role after it recovers.
D. Firewall-02 becomes active and remains active after firewall-01 recovers.
Answer:
C
Explanation:
Firewall-01 has the lower priority value and therefore the higher priority, so it is the active peer. When it reboots, firewall-02 takes over. Because preemption is enabled, firewall-01 takes the active role back once it is up and the Preemption Hold Time has elapsed. Option D describes the behavior with preemption disabled.
Which of the following is a valid HA state for a firewall that is processing traffic in an active/active configuration?
A. Passive
B. Initial
C. Active
D. Active-primary
Answer:
D
Explanation:
In active/active HA both peers process traffic, and the forwarding states are active-primary and active-secondary; the active-primary firewall additionally owns tasks such as connecting to User-ID agents and running the DHCP server. Active and passive are states of an active/passive pair only, and initial is the transitional state a firewall enters when it boots and looks for its peer.
Which election timer determines how long a firewall remains active after a link or path monitoring failure is detected, before it fails over?
A. Hello Interval
B. Heartbeat Interval
C. Preemption Hold Time
D. Monitor Fail Hold Up Time
Answer:
D
Explanation:
The Monitor Fail Hold Up Time is the interval during which the firewall remains active following a link or path monitor failure; it exists to avoid a failover caused by occasional flapping of a neighboring device. Preemption Hold Time is the time a passive firewall waits before taking the active role back through preemption, and Promotion Hold Time (not listed) is the time the passive firewall waits before taking over after communication with its peer is lost.
What is the behavior when preemption is disabled in an active/passive HA pair and the original active firewall recovers from a failure?
A. The recovered firewall automatically becomes active again.
B. The current active firewall remains active until it fails or is manually suspended.
C. Both firewalls become active simultaneously.
D. The firewall with the higher priority value becomes active.
Answer:
B
Explanation:
With preemption disabled, device priority only decides the initial election. A recovered firewall joins as passive, and the current active firewall keeps the role until it fails or an administrator suspends it (Device > High Availability > Operational Commands), regardless of priority values.
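The election behavior described under Key Election Settings and exercised by practice questions 2 and 5 is small enough to model. The following is an added example, not Palo Alto Networks code: a simplified active/passive state machine with the two devices from question 2 (fw-01 priority 90, fw-02 priority 100) that shows the effect of the Preemptive setting, including the case where it is enabled on only one peer. It assumes that hold timers (promotion and preemption) have expired between events and does not model link or path monitoring.

```python
"""Simplified active/passive election: device priority and preemption.

Added example, not Palo Alto Networks code. Assumptions: promotion and
preemption hold times have elapsed between events; link/path monitoring and
the active/active states are not modelled.
"""
from dataclasses import dataclass


@dataclass
class Firewall:
    name: str
    priority: int       # 0-255; the LOWER value is the higher priority
    preemptive: bool    # the Preemptive checkbox on this device
    up: bool = True
    state: str = "initial"


class ActivePassivePair:
    def __init__(self, fw_a, fw_b):
        if not all(0 <= f.priority <= 255 for f in (fw_a, fw_b)):
            raise ValueError("device priority must be 0-255")
        self.peers = (fw_a, fw_b)
        # Preemption only takes effect when it is enabled on BOTH peers.
        self.preemption = fw_a.preemptive and fw_b.preemptive
        # Initial election: the peer with the lower priority value becomes active.
        preferred = min(self.peers, key=lambda f: f.priority)
        for f in self.peers:
            f.state = "active" if f is preferred else "passive"

    def _fw(self, name):
        return next(f for f in self.peers if f.name == name)

    def _peer(self, fw):
        return next(f for f in self.peers if f is not fw)

    def active(self):
        """Name of the active peer, or None if neither is active."""
        return next((f.name for f in self.peers if f.state == "active"), None)

    def fail(self, name):
        """Peer reboots or loses all HA communication; the survivor takes over."""
        fw = self._fw(name)
        peer = self._peer(fw)
        fw.up, fw.state = False, "non-functional"
        if peer.up:
            peer.state = "active"  # after the promotion hold time expires

    def recover(self, name):
        fw = self._fw(name)
        peer = self._peer(fw)
        fw.up = True
        if not peer.up:
            fw.state = "active"
        elif self.preemption and fw.priority < peer.priority:
            # Higher-priority device takes the role back after the preemption hold time.
            fw.state, peer.state = "active", "passive"
        else:
            # Without preemption the recovered device stays passive, whatever its priority.
            fw.state = "passive"


def reboot_timeline(preempt_fw01, preempt_fw02):
    """Active peer after boot, after fw-01 fails, and after fw-01 recovers."""
    pair = ActivePassivePair(Firewall("fw-01", 90, preempt_fw01),
                             Firewall("fw-02", 100, preempt_fw02))
    timeline = [pair.active()]
    pair.fail("fw-01")
    timeline.append(pair.active())
    pair.recover("fw-01")
    timeline.append(pair.active())
    return timeline


if __name__ == "__main__":
    print("preemptive on both:", reboot_timeline(True, True))    # fw-01 resumes active
    print("preemptive off    :", reboot_timeline(False, False))  # fw-02 stays active
    print("preemptive on one :", reboot_timeline(True, False))   # same as off
```

The third run is the one that catches people in practice: enabling Preemptive on only one device leaves the pair behaving as if it were disabled, which is why the setting should be compared on both peers during an HA review.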