Managing High Availability (HA) Functions: Path Monitoring
Overview
In a High Availability (HA) configuration, Path Monitoring enables Palo Alto Networks firewalls to monitor the health of specific network paths by sending ICMP pings to designated destination IP addresses. If the firewall detects a path failure based on predefined criteria, it can trigger a failover to a peer device, ensuring continuous network availability.
Configuring Path Monitoring
- Access Path Monitoring Settings:
  - Navigate to Device > High Availability > Link and Path Monitoring.
- Enable Path Monitoring:
  - In the Path Monitoring section, select the Enabled checkbox.
- Add Path Groups:
  - Click Add Virtual Router Path, Add VLAN Path, or Add Virtual Wire Path to create a new path group, depending on your network configuration.
  - Enter a descriptive Name for the path group.
  - Specify the Source IP address that the firewall will use for sending ICMP pings.
  - Set the Ping Interval (default: 200ms) and Ping Count (default: 10) to define the frequency and threshold for detecting path failures.
- Define Destination IP Addresses:
  - Within the path group, click Add to specify one or more Destination IP addresses that the firewall will monitor.
  - Assign a Name to the destination group and ensure the Enabled checkbox is selected.
  - Set the Failure Condition to Any or All, determining whether the path group is considered down if any or all destination IPs are unreachable.
- Set Overall Failure Condition:
  - In the Path Monitoring section, define the overall Failure Condition for all path groups:
    - Any: Triggers a failover if any path group fails.
    - All: Triggers a failover only if all path groups fail.
- Commit the Configuration:
  - Click Commit to apply the changes.
Note: Ensure that the destination IP addresses selected for path monitoring are reliable and consistently reachable to prevent false positives that could trigger unnecessary failovers.
Failover Behavior When Path Monitoring Fails
In a High Availability (HA) configuration, path monitoring ensures the active firewall maintains connectivity to critical network destinations. If the firewall detects that these paths are unreachable based on the configured failure conditions, it triggers a failover to the passive firewall to maintain network availability.
How Path Monitoring Triggers Failover
Path monitoring operates by sending ICMP pings to specified destination IP addresses. The firewall considers a path failed when a certain number of consecutive pings (defined by the Ping Count) fail. Each path group can have multiple destination IPs and is associated with a failure condition:
- Any: The path group fails if any destination IP is unreachable.
- All: The path group fails only if all destination IPs are unreachable.
At the global level, the firewall's path monitoring configuration also has a failure condition:
- Any: A failover is triggered if any path group fails.
- All: A failover is triggered only if all path groups fail.
When the configured failure conditions are met, the active firewall transitions to a non-functional state, and the passive firewall assumes the active role. This process ensures continuous network operations without manual intervention.
Best Practices
- Consistent Configuration: Apply identical path monitoring settings across both HA peers to maintain synchronization and predictable failover behavior.
- Reliable Destinations: Choose stable and consistently reachable destination IP addresses for path monitoring to avoid false positives.
- Adjust Ping Settings: Tailor the ping interval and count settings to balance between sensitivity to path failures and tolerance for transient network issues.
- Regular Testing: Periodically test the path monitoring configuration to verify that failover mechanisms operate as intended.
Mermaid Sequence Diagram: HA Path Monitoring Failover
```mermaid
sequenceDiagram
    participant Admin
    participant ActiveFW as Active Firewall
    participant PassiveFW as Passive Firewall
    participant Destination as Monitored Destination
    Admin->>ActiveFW: Configure Path Monitoring
    ActiveFW->>Destination: Send ICMP Ping
    Destination-->>ActiveFW: No Response
    ActiveFW->>ActiveFW: Detect Path Failure
    ActiveFW->>PassiveFW: Initiate Failover
    PassiveFW->>PassiveFW: Assume Active Role
```
Sample PCNSE Exam Questions on HA Path Monitoring
Question 1: An administrator has configured a pair of firewalls using high availability in Active/Passive mode. Path Monitoring has been enabled with a Failure Condition of "any." A path group is configured with a Failure Condition of "all" and contains destination IPs 8.8.8.8 and 4.2.2.2, with a Ping Interval of 500ms and a Ping Count of 3. Which scenario will cause the Active firewall to fail over?
- A. IP address 8.8.8.8 is unreachable for 1 second.
- B. IP addresses 8.8.8.8 and 4.2.2.2 are unreachable for 2 seconds.
- C. IP address 4.2.2.2 is unreachable for 2 seconds.
- D. IP addresses 8.8.8.8 and 4.2.2.2 are unreachable for 1 second.
Correct Answer: B
Explanation: The path group is set to fail when all destinations are unreachable. With a Ping Interval of 500ms and a Ping Count of 3, the firewall considers a destination down after 1.5 seconds (3 x 500ms). Therefore, if both 8.8.8.8 and 4.2.2.2 are unreachable for 2 seconds, the path group fails, and since the overall Failure Condition is "any," this triggers a failover.
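The two-level decision described under "How Path Monitoring Triggers Failover" (per-destination ping threshold, then the path group's Any/All condition, then the global Any/All condition), as an added Python model that is not Palo Alto Networks code. The ping interval, ping count and per-destination outage durations are constructed values taken from Question 1 above, and the model assumes a destination is declared down once its outage spans Ping Count consecutive pings, ignoring how the outage aligns with the ping schedule.

```python
from dataclasses import dataclass, field

# Constructed values mirroring Question 1 above; PAN-OS defaults are 200 ms and 10.
PING_INTERVAL_MS = 500
PING_COUNT = 3

@dataclass
class PathGroup:
    name: str
    failure_condition: str  # "any" or "all", as set per path group
    outage_seconds: dict = field(default_factory=dict)  # destination IP -> seconds unreachable (0 = up)

def destination_down(outage_s: float, interval_ms: int = PING_INTERVAL_MS, count: int = PING_COUNT) -> bool:
    """A destination is declared down after `count` consecutive unanswered pings.
    Assumption: modelled as outage >= count * interval, ignoring ping phase alignment."""
    return outage_s >= count * interval_ms / 1000.0

def _combine(states: list, condition: str) -> bool:
    """Apply an Any/All failure condition; nothing monitored means nothing can fail."""
    if condition not in ("any", "all"):
        raise ValueError(f"failure condition must be 'any' or 'all', got {condition!r}")
    if not states:
        return False
    return any(states) if condition == "any" else all(states)

def group_failed(group: PathGroup, interval_ms: int = PING_INTERVAL_MS, count: int = PING_COUNT) -> bool:
    """Path-group level: Any = one dead destination fails the group, All = every destination must be dead."""
    states = [destination_down(s, interval_ms, count) for s in group.outage_seconds.values()]
    return _combine(states, group.failure_condition)

def failover_triggered(groups: list, global_condition: str,
                       interval_ms: int = PING_INTERVAL_MS, count: int = PING_COUNT) -> bool:
    """Global level: Any = one failed path group triggers failover, All = every path group must fail."""
    return _combine([group_failed(g, interval_ms, count) for g in groups], global_condition)

def exam_scenarios() -> dict:
    """Question 1: global 'any', one path group set to 'all' with 8.8.8.8 and 4.2.2.2 (constructed outages)."""
    outages = {
        "A": {"8.8.8.8": 1.0, "4.2.2.2": 0.0},
        "B": {"8.8.8.8": 2.0, "4.2.2.2": 2.0},
        "C": {"8.8.8.8": 0.0, "4.2.2.2": 2.0},
        "D": {"8.8.8.8": 1.0, "4.2.2.2": 1.0},
    }
    return {label: failover_triggered([PathGroup("vr-default", "all", o)], "any") for label, o in outages.items()}

if __name__ == "__main__":
    for label, triggered in exam_scenarios().items():
        print(f"Scenario {label}: failover {'triggered' if triggered else 'not triggered'}")
```

Only scenario B reaches the 1.5 s threshold on both destinations, so it is the only one that fails the "all" path group and, through the global "any" condition, triggers failover.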
Question 2: An administrator is observing that one of the firewalls in an HA active/passive pair has moved to a "suspended" state due to a non-functional loop. Which three actions will help the administrator resolve this issue? (Choose three.)
- A. Check the HA Link Monitoring interface cables.
- B. Check High Availability > Active/Passive Settings > Passive Link State.
- C. Check the High Availability > Link and Path Monitoring settings.
- D. Check the High Availability > HA Communications > Packet Forwarding settings.
- E. Use the CLI command show high-availability flap-statistics.
Correct Answers: A, B, E
Explanation:
- A: Verifying the physical connections of the HA Link Monitoring interfaces ensures that there are no loose or disconnected cables causing the issue.
- B: Reviewing the Passive Link State settings helps determine if the passive firewall's interfaces are configured correctly to prevent non-functional loops.
- E: Utilizing the CLI command show high-availability flap-statistics provides insights into interface flapping events that might lead to HA state changes.
These steps are essential for diagnosing and resolving HA link monitoring issues.