Palo Alto Networks Knowledgebase: In an Active/Passive HA Pair, are Existing Sessions Sync-ed When the Passive Device is Added/Rebooted?

Created On 02/08/19 00:00 AM - Last Updated 02/08/19 00:00 AM
High Availability
Resolution

Overview

The environment has a single firewall capable of being configured in High Availability (HA). When adding a second firewall and configuring both to be in the same HA group, will the current sessions on the existing firewall be synced to the new passive device?

Details

When the second firewall is configured for High Availability (HA) and added to the group, it begins in the INITIAL state. Once the device has finished initializing and the HA control links are established, the firewall transitions to the PASSIVE state. Once in the PASSIVE state, it begins receiving session synchronization information for *ALL* sessions (except ICMP) on the active device. Note that this happens only if no failure condition prevents the firewall from becoming functional. The diagram below shows the possible state transitions from INITIAL for the second firewall in the scenario above.

If the firewall transitions to the PASSIVE state, it receives session information for the current sessions on the active firewall, as well as any new sessions that are created. For example, the following output shows the session tables of the two firewalls. Note that while the number of sessions is the same, the individual session IDs for each firewall will be different.

Existing Firewall (Active):

admin@Firewall1(active)> show session all
--------------------------------------------------------------------------------
ID      Application    State   Type Flag  Src[Sport]/Zone/Proto (translated IP[Port])
Vsys                                      Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
46743   dns            ACTIVE  FLOW  NS   192.168.83.250[64193]/L3-Trust/17  (10.30.6.83[11659])
vsys1                                     4.2.2.2[53]/L3-Untrust  (4.2.2.2[53])
46744   ntp            ACTIVE  FLOW       192.168.83.250[123]/V-Trust/17  (192.168.83.250[123])
vsys1                                     17.171.4.36[123]/V-Untrust  (17.171.4.36[123])
45039   web-browsing   ACTIVE  FLOW  NS   192.168.83.138[1536]/L3-Trust/6  (10.30.6.83[32177])
vsys1                                     74.125.239.136[80]/L3-Untrust  (74.125.239.136[80])
46565   ldap           ACTIVE  FLOW  NS   192.168.83.138[1603]/L3-Trust/17  (10.30.6.83[27608])
vsys1                                     192.168.123.122[389]/L3-Untrust  (192.168.123.122[389])
45904   web-browsing   ACTIVE  FLOW       192.168.83.250[49587]/V-Trust/6  (192.168.83.250[49587])
vsys1                                     74.125.239.40[80]/V-Untrust  (74.125.239.40[80])
46742   dns            ACTIVE  FLOW       192.168.83.250[64193]/V-Trust/17  (192.168.83.250[64193])
vsys1                                     4.2.2.2[53]/V-Untrust  (4.2.2.2[53])
46745   ntp            ACTIVE  FLOW  NS   192.168.83.250[123]/L3-Trust/17  (10.30.6.83[57714])
vsys1                                     17.171.4.36[123]/L3-Untrust  (17.171.4.36[123])
45040   web-browsing   ACTIVE  FLOW  NS   192.168.83.138[1537]/L3-Trust/6  (10.30.6.83[33599])
vsys1                                     74.125.239.136[80]/L3-Untrust  (74.125.239.136[80])
45906   web-browsing   ACTIVE  FLOW  NS   192.168.83.250[49587]/L3-Trust/6  (10.30.6.83[4051])
vsys1                                     74.125.239.40[80]/L3-Untrust  (74.125.239.40[80])
46250   ldap           ACTIVE  FLOW       192.168.122.59[4685]/V-Untrust/17  (192.168.122.59[4685])
vsys1                                     192.168.123.122[389]/V-Trust  (192.168.123.122[389])
46555   ms-ds-smb      ACTIVE  FLOW       192.168.83.250[49745]/V-Trust/6  (192.168.83.250[49745])
vsys1                                     192.168.83.138[445]/V-Untrust  (192.168.83.138[445])

Second Firewall (Passive):

Firewall2(passive)> show session all
ID      Application    State   Type Flag  Src[Sport]/Zone/Proto (translated IP[Port])
Vsys                                      Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
17      dns            ACTIVE  FLOW  NS   192.168.83.250[64193]/L3-Trust/17  (10.30.6.83[11659])
vsys1                                     4.2.2.2[53]/L3-Untrust  (4.2.2.2[53])
18      ntp            ACTIVE  FLOW       192.168.83.250[123]/V-Trust/17  (192.168.83.250[123])
vsys1                                     17.171.4.36[123]/V-Untrust  (17.171.4.36[123])
1       web-browsing   ACTIVE  FLOW  NS   192.168.83.138[1536]/L3-Trust/6  (10.30.6.83[32177])
vsys1                                     74.125.239.136[80]/L3-Untrust  (74.125.239.136[80])
6       ldap           ACTIVE  FLOW  NS   192.168.83.138[1603]/L3-Trust/17  (10.30.6.83[27608])
vsys1                                     192.168.123.122[389]/L3-Untrust  (192.168.123.122[389])
8       web-browsing   ACTIVE  FLOW       192.168.83.250[49587]/V-Trust/6  (192.168.83.250[49587])
vsys1                                     74.125.239.40[80]/V-Untrust  (74.125.239.40[80])
16      dns            ACTIVE  FLOW       192.168.83.250[64193]/V-Trust/17  (192.168.83.250[64193])
vsys1                                     4.2.2.2[53]/V-Untrust  (4.2.2.2[53])
19      ntp            ACTIVE  FLOW  NS   192.168.83.250[123]/L3-Trust/17  (10.30.6.83[57714])
vsys1                                     17.171.4.36[123]/L3-Untrust  (17.171.4.36[123])
10      web-browsing   ACTIVE  FLOW  NS   192.168.83.138[1537]/L3-Trust/6  (10.30.6.83[33599])
vsys1                                     74.125.239.136[80]/L3-Untrust  (74.125.239.136[80])
11      web-browsing   ACTIVE  FLOW  NS   192.168.83.250[49587]/L3-Trust/6  (10.30.6.83[4051])
vsys1                                     74.125.239.40[80]/L3-Untrust  (74.125.239.40[80])
12      ldap           ACTIVE  FLOW       192.168.122.59[4685]/V-Untrust/17  (192.168.122.59[4685])
vsys1                                     192.168.123.122[389]/V-Trust  (192.168.123.122[389])
13      ms-ds-smb      ACTIVE  FLOW       192.168.83.250[49745]/V-Trust/6  (192.168.83.250[49745])
vsys1                                     192.168.83.138[445]/V-Untrust  (192.168.83.138[445])
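Because the session IDs differ between the two members, checking that the passive firewall really holds the same sessions means comparing the tables by flow, not by ID. The following Python script is an added example written for this article (it is not Palo Alto Networks tooling and has no knowledge of PAN-OS beyond the text format shown above): it parses the two-line record layout of show session all, keys each session on vsys, protocol, application, source, destination and zones, and reports flows present on the active member but absent from the passive one. ICMP is skipped on the active side by default because, as noted above, ICMP sessions are not synchronised. The embedded sample output is abbreviated from the tables above, with one constructed ICMP record added and the passive sample deliberately missing the ldap flow so that the report shows what a sync gap looks like.

```python
"""Diff the session tables of an Active/Passive PAN-OS HA pair.

Added example, not code from the article or from Palo Alto Networks. Session IDs
are allocated locally on each firewall, so sessions are compared on the flow
itself (vsys, protocol, application, source/destination with zones), never on ID.
"""
import re
from dataclasses import dataclass

# First line of a record: ID, app, state, type, optional flag, src[port]/zone/proto, NAT src.
_LINE1 = re.compile(
    r"^(?P<sid>\d+)\s+(?P<app>\S+)\s+\S+\s+\S+\s+(?:(?P<flag>[A-Z]+)\s+)?"
    r"(?P<src>[\d.]+)\[(?P<sport>\d+)\]/(?P<szone>[^/\s]+)/(?P<proto>\d+)\s+"
    r"\([\d.]+\[\d+\]\)"
)
# Second line of a record: vsys, dst[port]/zone, NAT dst.
_LINE2 = re.compile(
    r"^(?P<vsys>\S+)\s+(?P<dst>[\d.]+)\[(?P<dport>\d+)\]/(?P<dzone>\S+)\s+\([\d.]+\[\d+\]\)"
)


@dataclass(frozen=True)
class Session:
    sid: int
    app: str
    vsys: str
    proto: int
    src: str
    sport: int
    szone: str
    dst: str
    dport: int
    dzone: str

    def key(self):
        """Flow identity that is the same on both HA members (the ID is left out)."""
        return (self.vsys, self.proto, self.app, self.src, self.sport, self.szone,
                self.dst, self.dport, self.dzone)


def parse_sessions(text):
    """Parse 'show session all' output; prompt, header and separator lines are skipped."""
    sessions, first = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = _LINE1.match(line)
        if m:
            first = m  # hold the ID line until its vsys/destination line arrives
            continue
        m = _LINE2.match(line)
        if m and first:
            sessions.append(Session(
                sid=int(first["sid"]), app=first["app"], vsys=m["vsys"],
                proto=int(first["proto"]), src=first["src"], sport=int(first["sport"]),
                szone=first["szone"], dst=m["dst"], dport=int(m["dport"]), dzone=m["dzone"]))
            first = None
    return sessions


def compare_tables(active_text, passive_text, ignore_icmp=True):
    """Return (flows on active missing from passive, flows on passive not on active).

    ICMP (protocol 1) is dropped from the active side by default because the
    article states ICMP sessions are not synchronised to the passive member.
    """
    active = {s.key(): s for s in parse_sessions(active_text)}
    passive = {s.key(): s for s in parse_sessions(passive_text)}
    if ignore_icmp:
        active = {k: s for k, s in active.items() if s.proto != 1}
    missing = sorted(k for k in active if k not in passive)
    extra = sorted(k for k in passive if k not in active)
    return missing, extra


# Sample input: abbreviated from the article's tables; the 'ping' record is constructed.
ACTIVE_OUTPUT = """\
admin@Firewall1(active)> show session all
--------------------------------------------------------------------------------
ID      Application    State   Type Flag  Src[Sport]/Zone/Proto (translated IP[Port])
Vsys                                      Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
46743   dns            ACTIVE  FLOW  NS   192.168.83.250[64193]/L3-Trust/17  (10.30.6.83[11659])
vsys1                                     4.2.2.2[53]/L3-Untrust  (4.2.2.2[53])
46744   ntp            ACTIVE  FLOW       192.168.83.250[123]/V-Trust/17  (192.168.83.250[123])
vsys1                                     17.171.4.36[123]/V-Untrust  (17.171.4.36[123])
46565   ldap           ACTIVE  FLOW  NS   192.168.83.138[1603]/L3-Trust/17  (10.30.6.83[27608])
vsys1                                     192.168.123.122[389]/L3-Untrust  (192.168.123.122[389])
46900   ping           ACTIVE  FLOW  NS   192.168.83.138[1]/L3-Trust/1  (10.30.6.83[1])
vsys1                                     4.2.2.2[1]/L3-Untrust  (4.2.2.2[1])
"""
# Constructed passive table: same dns and ntp flows under local IDs, ldap deliberately absent.
PASSIVE_OUTPUT = """\
Firewall2(passive)> show session all
17      dns            ACTIVE  FLOW  NS   192.168.83.250[64193]/L3-Trust/17  (10.30.6.83[11659])
vsys1                                     4.2.2.2[53]/L3-Untrust  (4.2.2.2[53])
18      ntp            ACTIVE  FLOW       192.168.83.250[123]/V-Trust/17  (192.168.83.250[123])
vsys1                                     17.171.4.36[123]/V-Untrust  (17.171.4.36[123])
"""

if __name__ == "__main__":
    missing, extra = compare_tables(ACTIVE_OUTPUT, PASSIVE_OUTPUT)
    print("not on passive:", missing)
    print("only on passive:", extra)
```

Run it against the output of both members after the second firewall has reached PASSIVE; an empty "not on passive" list means every non-ICMP session on the active member has a counterpart, whatever the local IDs are. Sessions listed there shortly after the transition may simply not have been synchronised yet, so re-run before treating a difference as a fault.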

owner: cstancill



https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClWwCAK&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail