Palo Alto Networks High Availability (HA) Failover Explained

Overview

High Availability (HA) failover in Palo Alto Networks firewalls ensures continuous network security by automatically transferring traffic handling from a failed firewall to its peer. This mechanism minimizes downtime and maintains service continuity.

Failover Triggers

• Heartbeat Loss: If a firewall misses three consecutive heartbeat messages (default interval: 1000ms), a failover is initiated.
• Link Monitoring: Monitors physical interfaces; a failover occurs based on configured failure conditions (e.g., any or all links down).
• Path Monitoring: Monitors reachability to specified IP addresses; failover is triggered when defined thresholds are met.
• Manual Intervention: Administrators can manually trigger failover for maintenance or testing purposes.
• Internal Health Checks: On certain models, internal component failures (e.g., FPGA, CPU) can trigger failover.

Manual Failover Procedures

Using the GUI:

1. Navigate to Device > High Availability > Operational Commands .
2. Click Suspend local device to trigger failover.
3. To restore, click Make local device functional .

Using the CLI:

request high-availability state suspend
request high-availability state functional

These commands suspend and restore the firewall's active state, respectively.

Understanding HA Timer Profiles: Recommended vs. Aggressive

Palo Alto Networks firewalls offer configurable High Availability (HA) timer profiles to manage failover behavior. These profiles— Recommended and Aggressive —provide predefined settings for various HA timers, balancing between failover speed and network stability.

HA Timer Profiles

Timer	Description	Recommended	Aggressive
Monitor Fail Hold Up Time (ms)	Duration the firewall remains active after a path or link monitor failure, preventing failover due to transient issues.	0	0
Preemption Hold Time (min)	Time a passive firewall waits before taking over as active after recovering from a failure.	1	1
Heartbeat Interval (ms)	Frequency at which HA peers exchange heartbeat messages to verify connectivity.	1000	1000
Promotion Hold Time (ms)	Time a passive firewall waits before promoting itself to active after detecting peer failure.	2000	500
Additional Master Hold Up Time (ms)	Extra delay to prevent simultaneous failover when both firewalls detect the same failure.	500	500
Hello Interval (ms)	Interval between hello packets sent to verify HA functionality on the peer firewall.	8000	8000
Flap Max	Maximum number of flaps (failover events) allowed before the firewall is suspended.	3	3

Choosing the Right Profile

• Recommended: Suitable for typical network environments, balancing failover speed and stability.
• Aggressive: Ideal for environments requiring faster failover, such as networks with low-latency requirements.

For more detailed information, refer to the official documentation: HA Timers - Palo Alto Networks .

Monitoring and Verification

GUI:

• Check the High Availability widget on the Dashboard for current HA status.
• Review Monitor > Logs > System for HA-related events.

CLI:

show high-availability state
less mp-log ha_agent.log

These commands provide detailed HA status and logs for troubleshooting.

Mermaid Sequence Diagram: HA Failover Process

The following Mermaid sequence diagram illustrates the High Availability (HA) failover process between two Palo Alto Networks firewalls.

sequenceDiagram
    participant Active as Active Firewall
    participant Passive as Passive Firewall
    participant Monitor as Link/Path Monitor

    Note over Active, Passive: Initial State - Active/Passive

    Monitor->>Active: Detects link/path failure
    Active-->>Passive: Sends failure notification
    Passive->>Passive: Evaluates failover conditions
    alt Failover conditions met
        Passive->>Passive: Promotes to Active
        Active-->>Passive: Demotes to Passive
    else Failover conditions not met
        Passive->>Passive: Remains Passive
    end

    Note over Active, Passive: New State - Active/Passive
  

Best Practices

• Configure both Link Monitoring and Path Monitoring to detect various failure scenarios.
• Ensure HA links (HA1, HA2) are on reliable networks with minimal latency.
• Regularly test failover functionality to confirm proper operation.
• Document HA configurations and procedures for quick reference during incidents.

PCNSE Practice Questions: HA Failover, Timers, and Troubleshooting

Question 1: Which timer determines the frequency between packets sent to verify that the HA functionality on the other HA firewall is operational?

• A. Monitor Fail Hold Up Time
• B. Promotion Hold Time
• C. Heartbeat Interval
• D. Hello Interval

Correct Answer: D

Explanation: The Hello Interval defines how often hello packets are sent to verify the functionality of the peer firewall.

Question 2: Which timer determines the frequency at which the HA peers exchange messages in the form of an ICMP (ping)?

• A. Hello Interval
• B. Heartbeat Interval
• C. Promotion Hold Time
• D. Monitor Fail Hold Up Time

Correct Answer: B

Explanation: The Heartbeat Interval specifies how often HA peers send ICMP ping messages to verify each other's connectivity.

Question 3: Which statement about High Availability timer settings is true?

• A. Use the Moderate timer for typical failover timer settings.
• B. Use the Critical timer for faster failover timer settings.
• C. Use the Aggressive timer for faster failover timer settings.
• D. Use the Recommended timer for faster failover timer settings.

Correct Answer: C

Explanation: The Aggressive timer profile is designed for environments requiring faster failover, reducing the time it takes for a passive firewall to become active upon detecting a failure.

References

• Failover - Palo Alto Networks
• Verify Failover - Palo Alto Networks