HA Active/Passive Best Practices
182325
Created On 09/26/18 20:46 PM - Last Modified 06/18/21 20:22 PM
Environment
- Palo Alto Firewall.
- PAN-OS 8.1 and above.
- Active / Passive High Availability (HA) Configuration
Resolution
Connecting HA1 and HA2 – Active/Passive
- Use dedicated HA interfaces on the platforms.
- If the firewalls are in the same site/location, connect the HA1 and HA2 links back to back. This helps convergence.
- Always connect backup links for HA1 and HA2.
- The HA2 interface should have higher bandwidth than HA1.
- HA heartbeat backup is recommended.
Configuring HA settings - Passive Link Settings
Set the passive link state to "Auto". With this setting, the interfaces on the passive firewall are brought to the physical UP state but do not pass any data traffic. This gives faster failover times.
HA timers
It is recommended to start with the "Recommended" HA timers setting. If needed, move to the "Aggressive" setting.
HA to act on Network Failures – Link and Path Monitoring
- Enable both link and path monitoring.
- Link monitoring: monitor all important links for which a failover must happen when the link goes down.
- Path monitoring: monitor more than one path (prefix). Do not depend on a single path.
Networking – Best Practices
- Graceful Restart (GR) is enabled by default on BGP and OSPF. GR functionality should be enabled on the neighboring routers as well for it to work.
- GR helps maintain the forwarding tables during switchover and does not flush them out. This is a way faster mechanism than depending on the routing protocol to converge.
- If Aggregate Ethernet interfaces (port channels) with LACP are used, enable the LACP pre-negotiation feature to speed up convergence, and set the passive link state to "Auto".
- The LACP pre-negotiation feature helps by sending LACP messages out of the passive firewall's port channel and bringing the AE link up beforehand, which helps fast failover.
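As an added example (not part of the original article or of PAN-OS), the following Python audit checks an Active/Passive HA design against the recommendations above: dedicated and backed-up HA1/HA2 links, HA2 bandwidth above HA1, passive link state "Auto", timers, link and path monitoring, and LACP pre-negotiation. `HaConfig` is a constructed model of these settings, not the PAN-OS configuration schema or API; the sample values are made up.

```python
# Added example: audit an Active/Passive HA design against this checklist.
# HaConfig is a constructed model of the settings the article discusses;
# it is not the PAN-OS configuration format or API.
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class HaConfig:
    dedicated_ha_ports: bool        # HA1/HA2 on dedicated interfaces
    ha1_backup: bool                # HA1 backup link connected
    ha2_backup: bool                # HA2 backup link connected
    heartbeat_backup: bool          # HA heartbeat backup enabled
    ha1_bandwidth_mbps: int
    ha2_bandwidth_mbps: int
    passive_link_state: str         # "auto" or "shutdown"
    timer_profile: str              # "recommended", "aggressive", "advanced"
    link_monitoring: bool
    path_monitoring_prefixes: List[str] = field(default_factory=list)
    lacp_pre_negotiation: Optional[bool] = None  # None when no AE/LACP in use

def audit_ha(cfg: HaConfig) -> List[str]:
    """Return one finding per deviation from the article's recommendations."""
    findings = []
    if not cfg.dedicated_ha_ports:
        findings.append("use dedicated HA1 and HA2 interfaces")
    if not cfg.ha1_backup:
        findings.append("no HA1 backup link")
    if not cfg.ha2_backup:
        findings.append("no HA2 backup link")
    if not cfg.heartbeat_backup:
        findings.append("HA heartbeat backup disabled")
    if cfg.ha2_bandwidth_mbps <= cfg.ha1_bandwidth_mbps:
        findings.append("HA2 should have higher bandwidth than HA1")
    if cfg.passive_link_state != "auto":
        findings.append("passive link state not 'auto'; slower failover")
    if cfg.timer_profile not in ("recommended", "aggressive"):
        findings.append("start with 'recommended' timers, then 'aggressive'")
    if not cfg.link_monitoring:
        findings.append("link monitoring disabled")
    if len(cfg.path_monitoring_prefixes) < 2:
        findings.append("path monitoring should cover more than one prefix")
    if cfg.lacp_pre_negotiation is False:
        findings.append("AE/LACP in use but LACP pre-negotiation disabled")
    return findings

# Constructed sample: HA2 backup missing, passive links shut down, one monitored path.
SAMPLE = HaConfig(True, True, False, True, 1000, 10000, "shutdown",
                  "recommended", True, ["10.0.0.0/24"])
```

Running `audit_ha(SAMPLE)` returns the three findings for the sample; a design that follows every recommendation returns an empty list.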