When deploying High Availability (Active-Passive) with Palo Alto, failover time can be slow.
Notes on High Availability (Active-Passive) with Palo Alto.
• To optimize failover, adjust timers as recommend in https://live.paloaltonetworks.com/docs/DOC-1094
• Straight-through cables will work for the HA ports, however a crossover cable is preferred.
• To ensure that one firewall “preempts” the other in the pair, enable Preemptive on both firewalls and set the Device Priority of the preferred firewall to a lower number. Lowest priority wins.
• When upgrading a HA cluster, always “suspend” the passive firewall (see above) first, upgrade the passive, make it functional, wait for state synchronization, then suspend and upgrade the active firewall. This ensures no loss of connectivity during an upgrade.
• The LEDs are green on the HA ports for the active firewall and amber on the passive firewall. You can choose to set “passive link state” to “Shutdown” to force the interfaces on the passive firewall to drop link, or “Auto” to keep the link up, but discard all packets. Setting to “Auto” speeds up failover because the physical link will always be up.
• To avoid failover delay, best practice is to enable spanning-tree portfast (or the equivalent) on all switch interfaces that connect to the PAN firewalls in an HA configuration.
• Enabling “Link Monitoring” will trigger failover when Layer-1 link is lost. A “Link Group” can be used to group together multiple links and trigger failover when all are lost, or any one link fails
• Enabling “Path Monitoring” uses ping. Path monitoring enables the firewall to monitor specified destination IP addresses by sending ICMP echo-request messages to make sure that they are responsive. Use path monitoring for virtual wire, Layer 2, or Layer 3 configurations where monitoring of other network devices is required for failover and link monitoring alone is not sufficient. You can define a “Path Group” (just like a “Link Group”) and trigger failover when one IP, or all IPs in the list, fail to respond. List IP addresses only, separated with commas. Ping interval defaults to 5 seconds, range is 1,000ms – 60,000ms.
Managing HA and failover:
• To test failover, pull a cable on the active device, or put the active device into a suspend state by issuing the CLI command request high-availability state suspend. You can also suspend the active device by pressing the Suspend link at the top right corner of the High Availability configuration page on the Device tab.
• To place a suspended device back into a functional state, use the CLI command request high-availability state functional.
• To view detailed HA information about the local firewall, use the CLI command show highavailability all.
• To compare the configuration of the local and peer firewalls, use the CLI command show high-availability state from either device. You can also compare the configurations on the local and peer firewalls using the Config Audit tool on the Device tab by selecting the desired local configuration in the left selection box and the peer configuration in the right selection box.
• Synchronize the firewalls from the web interface by pressing the Push Configuration button located in the HA widget on the Dashboard tab. Note that the configuration on the device from which you push the configuration overwrites the configuration on the peer device. To synchronize the firewalls from the CLI on the active device, use the command request high-availability synctoremote running-config. To view the status of the load, use the CLI command show jobs processed.
How to view status of HA via CLI:
show high-availability all
show high-availability state
show high-availability transitions
Intrusive commands, these will change the state of a firewall (reboot, etc):
request high-availability state suspend
request high-availability state functional
request restart system (Performs a cold boot)