HA Active/Passive Best Practices


Created On 09/26/18 20:46 PM - Last Modified 04/21/20 00:46 AM


Connecting HA1 and HA2 – A/P



  • Use dedicated HA interfaces on the platforms.
  • If the firewalls are in the same site/location, connect the HA1 and HA2 links back to back. This helps convergence.
  • Always connect backup links for HA1 and HA2.
  • HA1 interface should be faster than HA2.
  • Enable HA heartbeat backup.



Configuring HA settings - Passive Link Settings



  • Set the Passive link state to "Auto". The Auto setting brings the interfaces on the passive firewall to the UP physical state; the interfaces will not pass any data traffic. This facilitates faster failover times.



HA timers



  • It is recommended to start with the “Recommended” HA timers setting. If needed, use the “Aggressive” setting.



HA to act on Network Failures – Link and Path Monitoring



  • Have both link and path monitoring enabled.
  • Link Monitoring – Monitor all important links for which you need a failover to happen when the link goes down.
  • Path Monitoring – Monitor more than one path (prefix). Do not depend on a single path.


Networking – Best Practices



  • Graceful Restart (GR) is enabled by default on BGP and OSPF. GR must also be enabled on the neighboring routers for it to work.
  • GR maintains the forwarding tables during switchover instead of flushing them. This is a much faster mechanism than depending on the routing protocol to converge.

  • If Aggregate Ethernet interfaces (Port Channels) with LACP are used, enable the LACP pre-negotiation feature to speed up convergence and set the passive link state to Auto.
  • The LACP pre-negotiation feature sends LACP messages out on the passive firewall's port channel, bringing the AE link up beforehand to help with fast failover.
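As an added example that is not part of the original article, the following Python audit checks an HA Active/Passive configuration against the recommendations above (dedicated and backup HA links, heartbeat backup, passive link state, timers, link and path monitoring, graceful restart, LACP pre-negotiation). The dictionary layout and key names are assumptions made for this example; they are not PAN-OS configuration syntax or an official tool.

```python
# Added example (not from the article): audit an HA Active/Passive
# configuration against the best practices listed above. The dict layout
# is an assumption made for this example, not PAN-OS syntax or an official tool.
def audit_ha_config(cfg: dict) -> list:
    """Return one finding per violated recommendation; an empty list means clean."""
    findings = []
    for link in ("ha1", "ha2"):
        settings = cfg.get(link, {})
        if not settings.get("dedicated_port"):
            findings.append(f"{link}: not on a dedicated HA interface")
        if not settings.get("backup_port"):
            findings.append(f"{link}: no backup link configured")
    if not cfg.get("heartbeat_backup"):
        findings.append("heartbeat backup is disabled")
    if cfg.get("passive_link_state") != "auto":
        findings.append("passive link state is not 'auto'; failover will be slower")
    if cfg.get("timers") not in ("recommended", "aggressive"):
        findings.append("HA timers are not the Recommended or Aggressive profile")
    mon = cfg.get("monitoring", {})
    if not mon.get("link_monitoring"):
        findings.append("link monitoring is disabled")
    if not mon.get("path_monitoring"):
        findings.append("path monitoring is disabled")
    elif len(mon.get("monitored_paths", [])) < 2:
        findings.append("path monitoring depends on a single path; monitor more than one")
    for proto, settings in cfg.get("routing", {}).items():
        if settings.get("enabled") and not settings.get("graceful_restart"):
            findings.append(f"{proto}: graceful restart is disabled")
    for ae in cfg.get("aggregate_interfaces", []):
        if ae.get("lacp") and not ae.get("lacp_prenegotiation"):
            findings.append(f"{ae['name']}: LACP pre-negotiation is disabled")
    return findings


# Constructed sample configuration that violates several recommendations.
SAMPLE_CFG = {
    "ha1": {"dedicated_port": True, "backup_port": None},
    "ha2": {"dedicated_port": True, "backup_port": "ethernet1/8"},
    "heartbeat_backup": False,
    "passive_link_state": "shutdown",
    "timers": "recommended",
    "monitoring": {"link_monitoring": True, "path_monitoring": True,
                   "monitored_paths": ["10.0.0.1"]},
    "routing": {"bgp": {"enabled": True, "graceful_restart": False}},
    "aggregate_interfaces": [{"name": "ae1", "lacp": True, "lacp_prenegotiation": False}],
}

if __name__ == "__main__":
    for finding in audit_ha_config(SAMPLE_CFG):
        print("FINDING:", finding)
```

Running it against the constructed sample reports six findings (missing HA1 backup link, heartbeat backup off, passive link state not Auto, a single monitored path, BGP graceful restart off, and LACP pre-negotiation off on ae1).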

