LACP and LLDP Pre-Negotiation on an HA Passive Firewall
Firewalls in a high availability (HA) active/passive configuration must be able to fail over quickly. If the firewall is using LACP or LLDP, the LACP or LLDP negotiation upon failover prevents sub-second failover. To preempt this negotiation after a passive firewall becomes active, you can now enable an interface on a passive firewall to negotiate LACP and LLDP before a failover occurs. The firewall in passive or non-functional HA state communicates with neighboring devices using LACP or LLDP. Such pre-negotiation speeds up failover because LACP or LLDP is already negotiated before the failover occurs.
The PA-3000 Series, PA-5000 Series, and PA-7000 Series firewalls support a pre-negotiation configuration (Enable in HA Passive State) as shown in the following table. An HA passive firewall handles LACP and LLDP packets in one of two ways:
Active—The firewall has LACP or LLDP configured on the interface and actively participates in LACP or LLDP pre-negotiation respectively.
Passive—LACP or LLDP is not configured on the interface and the firewall does not participate in the protocol but allows the peers on either side of the firewall to pre-negotiate LACP or LLDP respectively.
Use the information in the following topics to determine where and how you can enable LACP and LLDP pre-negotiation on an HA passive firewall:
LACP and LLDP Pre-Negotiation Support
The following table displays what deployments are supported on Ethernet and Aggregate Ethernet (AE) interfaces.
Interface Deployment      AE Interface     Ethernet Interface
LACP in Layer 2           Active           Not supported
LACP in Layer 3           Active           Not supported
LACP in Virtual Wire      Not supported    Passive
LLDP in Layer 2           Active           Active
LLDP in Layer 3           Active           Active
LLDP in Virtual Wire      Active           Active if LLDP itself is configured; Passive if LLDP itself is not configured
Pre-negotiation is not supported on subinterfaces or tunnel interfaces.
Enable LACP and LLDP Pre-Negotiation on an HA Passive Firewall
If you want the firewall to actively participate in pre-negotiation, enable LACP or LLDP on the interface before you configure HA pre-negotiation for that protocol. Perform the following procedure on both firewalls to configure pre-negotiation.
Enable LACP or LLDP Pre-Negotiation for an Interface on an HA Passive Firewall
Step 1. Configure active/passive HA. When you configure active/passive HA, set the link state to Auto.
   Select Device > High Availability > General and edit Active Passive Settings. Set the Passive Link State to Auto.
Step 2. Select an interface for LACP or LLDP pre-negotiation. Select Network > Interfaces > Ethernet and then enable the appropriate pre-negotiation:
   - Enable LACP active pre-negotiation for an HA passive firewall: Select an Aggregate Ethernet (AE) interface in a Layer 2 or Layer 3 deployment. On the LACP tab, select Enable in HA Passive State. You cannot also select Same System MAC Address for Active-Passive HA because pre-negotiation requires unique interface MAC addresses on the active and passive firewalls. Click OK.
   - Enable LACP passive pre-negotiation for an HA passive firewall: Select an Ethernet interface in a virtual wire deployment. Select the Advanced tab. On the LACP tab, select Enable in HA Passive State. Click OK.
   - Enable LLDP active pre-negotiation for an HA passive firewall: If you want to allow LLDP passive pre-negotiation for a virtual wire deployment, perform this step but do not enable LLDP itself. Select an Ethernet interface in a Layer 2, Layer 3, or virtual wire deployment. Select the Advanced tab. On the LLDP tab, select Enable in HA Passive State. Click OK.
Step 3. Save the configuration. Click Commit.
Step 4. (Optional) Display the pre-negotiation configuration and a summary of all interfaces on which pre-negotiation is enabled.
   In the web interface, select Dashboard > Widgets > System > High Availability. The passive firewall indicates (Network pre-negotiation enabled). Click that link to display a summary of all interfaces enabled with pre-negotiation.
   In the CLI, use any of the following operational commands:
      show lacp aggregate-ethernet all
      show lldp config all
      show high-availability pre-negotiation summary
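As an added example (not Palo Alto Networks' code), the following Python script applies the support matrix and the constraints from this page (Passive Link State set to Auto, no subinterfaces or tunnel interfaces, no Same System MAC Address together with LACP pre-negotiation) to a planned set of interfaces before you commit, reporting which interfaces cannot have pre-negotiation enabled and why. The Interface fields and the sample plan are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
# Support matrix from the page, keyed by (protocol, deployment, interface kind).
# Values are the pre-negotiation mode; a missing key means "Not supported".
SUPPORT = {
    ("lacp", "layer2", "ae"): "active",   ("lacp", "layer3", "ae"): "active",
    ("lacp", "vwire", "ethernet"): "passive",
    ("lldp", "layer2", "ae"): "active",   ("lldp", "layer3", "ae"): "active",
    ("lldp", "vwire", "ae"): "active",
    ("lldp", "layer2", "ethernet"): "active", ("lldp", "layer3", "ethernet"): "active",
    ("lldp", "vwire", "ethernet"): "depends",  # active only if LLDP itself is configured
}

@dataclass
class Interface:                 # planned interface (fields are assumptions for this example)
    name: str                    # "ae1", "ethernet1/3", "ethernet1/4.100" (subinterface)
    kind: str                    # "ae", "ethernet" or "tunnel"
    deployment: str              # "layer2", "layer3" or "vwire"
    preneg: set = field(default_factory=set)     # protocols with Enable in HA Passive State
    configured: set = field(default_factory=set) # protocols actually configured on it
    same_system_mac: bool = False                # AE option Same System MAC Address

def preneg_mode(iface, proto):
    """Return 'active', 'passive' or None (unsupported) for one protocol on one interface."""
    if iface.kind == "tunnel" or "." in iface.name:  # no tunnel or subinterfaces
        return None
    mode = SUPPORT.get((proto, iface.deployment, iface.kind))
    if mode == "depends":
        return "active" if proto in iface.configured else "passive"
    return mode

def check(ifaces, passive_link_state):
    """Return human-readable findings for a planned pre-negotiation configuration."""
    findings = []
    if passive_link_state.lower() != "auto":
        findings.append("HA: set Passive Link State to Auto before enabling pre-negotiation")
    for i in ifaces:
        for proto in sorted(i.preneg):
            mode = preneg_mode(i, proto)
            if mode is None:
                findings.append(f"{i.name}: {proto.upper()} pre-negotiation is not supported "
                                f"on a {i.kind} interface in {i.deployment}")
            elif proto == "lacp" and mode == "active" and i.same_system_mac:
                findings.append(f"{i.name}: clear Same System MAC Address; LACP pre-negotiation "
                                "needs unique MACs on the active and passive firewalls")
    return findings
# Constructed sample plan: one finding for ae1 (same system MAC), one for the subinterface.
SAMPLE = [Interface("ae1", "ae", "layer3", {"lacp", "lldp"}, same_system_mac=True),
          Interface("ethernet1/3", "ethernet", "vwire", {"lacp", "lldp"}),
          Interface("ethernet1/4.100", "ethernet", "layer2", {"lldp"})]
```

Run `check(SAMPLE, "auto")` to list the two findings for the sample plan; an empty list means every requested interface is supported and the HA settings are consistent with the procedure above.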