Specify the following settings:
—Activate HA functionality.
—Enter a number to identify the HA pair (1 to 63). This field is required (and must be unique) if multiple HA pairs reside on the same broadcast domain.
—Enter a description of the HA pair (optional).
—Set the type of HA deployment—
—In active/active configuration, set the Device ID to determine which peer will be active-primary (set 0) and which will be active-secondary (set the
Enable Config Sync
—Select this option to enable synchronization of configuration settings between the peers. As a best practice, config sync should always be enabled.
Peer HA1 IP Address
—Enter the IP address of the HA1 interface of the peer firewall.
Backup Peer HA1 IP Address
—Enter the IP address for the peer’s backup control link.
Passive Link State
—Select one of the following options to specify whether the data links on the passive firewall should remain up. This option is not available in the VM-Series firewall in AWS.
—The links that have physical connectivity remain physically up but in a disabled state; they do not participate in ARP learning or packet forwarding. This will help in convergence times during the failover as the time to bring up the links is saved. In order to avoid network loops, do not select this option if the firewall has any Layer 2 interfaces configured.
—Forces the interface link to the down state. This is the default option, which ensures that loops are not created in the network.
Monitor Fail Hold Down Time (min)
—This value (range is 1–60 minutes) determines the interval during which a firewall remains in a non-functional state before becoming passive. This timer is used when heartbeats or hello messages are missed because of a link or path monitoring failure.
Specify or enable the following settings:
—Enter a priority value to identify the active firewall. The firewall with the lower value (higher priority) becomes the active firewall (range is 0–255) when the preemptive capability is enabled on both firewalls in the pair.
—Uses the management ports on the HA firewalls to provide a backup path for heartbeat and hello messages. The management port IP address will be shared with the HA peer through the HA1 control link. No additional configuration is required.
—Enables the higher priority firewall to resume active (active/passive) or active-primary (active/active) operation after recovering from a failure. The Preemption option must be enabled on both firewalls for the higher priority firewall to resume active or active-primary operation upon recovery following a failure. If this setting is off, the lower priority firewall remains active or active-primary even after the higher priority firewall recovers from a failure.
HA Timer Settings
—Select one of the preset profiles:
—Use for typical failover timer settings.
—Use for faster failover timer settings.
To view the preset value for an individual timer included in a profile, select Load Aggressive. The preset values for your hardware model will be displayed on-screen.
—Allows you to customize the values to suit your network requirement for each of the following timers:
Promotion Hold Time
—Enter the time that the passive peer (in active/passive mode) or the active-secondary peer (in active/active mode) will wait before taking over as the active or active-primary peer after communications with the HA peer have been lost. This hold time will begin only after the peer failure declaration has been made.
—Enter the number of milliseconds between the hello packets sent to verify that the HA program on the other firewall is operational (range is 8,000–60,000; default is 8,000).
—Specify how frequently the HA peers exchange heartbeat messages in the form of an ICMP ping (range is 1,000–60,000 ms; no default). The recommended value, for example, on the PA-2000 and below models is 2,000ms.
Maximum No. of Flaps
—A flap is counted when the firewall leaves the active state within 15 minutes after it last left the active state. You can specify the maximum number of flaps that are permitted before the firewall is determined to be suspended and the passive firewall takes over (range is 0–16; default is 3). The value 0 means there is no maximum (an infinite number of flaps is required before the passive firewall takes over).
Preemption Hold Time
—Enter the time in minutes that a passive or active-secondary peer waits before taking over as the active or active-primary peer (range is 1–60; default is 1).
Monitor Fail Hold Up Time (ms)
—Specify the interval during which the firewall will remain active following a path monitor or link monitor failure. This setting is recommended to avoid an HA failover due to the occasional flapping of neighboring devices (range is 0–60,000ms; default is 0ms).
Additional Master Hold Up Time (min)
—This time interval is applied to the same event as Monitor Fail Hold Up Time (range is 0–60,000ms; default is 500ms). The additional time interval is applied only to the active peer in active/passive mode and to the active-primary peer in active/active mode. This timer is recommended to avoid a failover when both peers experience the same link/path monitor failure simultaneously.
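The election settings above interact in a way that is easy to get wrong: preemption only returns the higher priority (lower value) firewall to the active role when the Preemptive option is on for both peers, and a firewall that flaps more often than Maximum No. of Flaps allows is suspended rather than re-elected. The following Python model of those two rules is an added example, not code from the page or from Palo Alto Networks; the peer names, the timeline values and the assumption that a peer is suspended once it exceeds (rather than reaches) its flap limit are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# A flap is counted when the firewall leaves the active state within
# 15 minutes after it last left the active state (as the page describes).
FLAP_WINDOW_SEC = 15 * 60


@dataclass
class HaPeer:
    name: str                     # constructed peer name
    device_priority: int          # 0-255; the LOWER value is the higher priority
    preemptive: bool              # the Preemptive election setting on this peer
    max_flaps: int = 3            # Maximum No. of Flaps; 0 means no limit
    flap_count: int = 0
    last_left_active: Optional[float] = None   # seconds; None = never left active
    suspended: bool = False

    def leave_active(self, now: float) -> bool:
        """Record that this peer left the active state at time `now` (seconds).

        Returns True once the peer has exceeded its flap limit and is suspended.
        Assumption: exceeding `max_flaps` (not merely reaching it) suspends the peer.
        """
        recent = (self.last_left_active is not None
                  and (now - self.last_left_active) <= FLAP_WINDOW_SEC)
        if recent:
            self.flap_count += 1
        self.last_left_active = now
        if self.max_flaps and self.flap_count > self.max_flaps:
            self.suspended = True
        return self.suspended


def elect_active(current_active: HaPeer, recovered: HaPeer) -> HaPeer:
    """Decide which peer is active after `recovered` returns from a failure.

    Preemption takes effect only when the Preemptive option is enabled on BOTH
    peers and the recovered peer has the lower (better) Device Priority value;
    otherwise the currently active peer keeps the role. A suspended peer never
    becomes active until it is returned to the functional state.
    """
    if recovered.suspended:
        return current_active
    both_preemptive = current_active.preemptive and recovered.preemptive
    if both_preemptive and recovered.device_priority < current_active.device_priority:
        return recovered
    return current_active


if __name__ == "__main__":
    fw_a = HaPeer("fw-a", device_priority=100, preemptive=True)
    fw_b = HaPeer("fw-b", device_priority=110, preemptive=True)
    # fw-b is active while fw-a is down; fw-a recovers and preempts.
    print("active after fw-a recovers:", elect_active(fw_b, fw_a).name)
    # fw-a now bounces in and out of the active state every minute.
    for t in (0, 60, 120, 180, 240):
        print(f"t={t:>3}s flaps={fw_a.flap_count} suspended={fw_a.leave_active(t)}")
    print("active after a flapping fw-a recovers:", elect_active(fw_b, fw_a).name)
```

Running the model shows the second half of the story: after the fifth departure from the active state within 15 minutes, fw-a is suspended and the election leaves fw-b active even though fw-a has the better priority and preemption is enabled on both.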
Control Link (HA1)/Control Link (HA1 Backup)
The firewalls in an HA pair use
to synchronize data and maintain state information. The recommended configuration for the HA control link connection is to use the dedicated HA1 link between the two firewalls and use the management port as the Control Link (HA Backup) interface. In this case, you do not need to enable the Heartbeat Backup option in the Elections Settings page. If you are using a physical HA1 port for the Control Link HA link and a data port for Control Link (HA Backup), it is recommended that you enable the Heartbeat Backup option.
For firewalls that do not have a dedicated HA port, such as the PA-200 firewall, configure the management port for the Control Link HA connection and a data port interface (configured with type HA) for the Control Link HA1 Backup connection. Because the management port is used in this case, there is no need to enable the Heartbeat Backup option in the Elections Settings page: the heartbeat backups will already occur through the management interface connection.
On the VM-Series firewall in AWS, the management port is used as the HA1 link.
When using a data port for the HA control link, keep in mind that the control messages have to travel from the dataplane to the management plane. If a failure occurs in the dataplane, the peers cannot exchange HA control link information and a failover will occur. It is best to use the dedicated HA ports or, on firewalls that do not have a dedicated HA port, the management port.
Specify the following settings for the primary and backup HA control links:
—Select the HA port for the primary and backup HA1 interfaces. The backup setting is optional.
—Enter the IPv4 or IPv6 address of the HA1 interface for the primary and backup HA1 interfaces. The backup setting is optional.
—Enter the network mask for the IP address (such as 255.255.255.0) for the primary and backup HA1 interfaces. The backup setting is optional.
—Enter the IP address of the default gateway for the primary and backup HA1 interfaces. The backup setting is optional.
—(Models with dedicated HA ports only) Select the speed for the control link between the firewalls for the dedicated HA1 port.
—(Models with dedicated HA ports only) Select a duplex option for the control link between the firewalls for the dedicated HA1 port.
—Enable encryption after exporting the HA key from the HA peer and importing it onto this firewall. The HA key on this firewall must also be exported from this firewall and imported on the HA peer. Configure this setting for the primary HA1 interface. Import/export keys on the Certificates page (refer to Device > Certificate Management > Certificate Profile).
Monitor Hold Time (ms)
—Enter the length of time (milliseconds) that the firewall will wait before declaring a peer failure due to a control link failure (range is 1,000–60,000; default is 3,000). This option monitors the physical link status of the HA1 port(s).
Data Link (HA2)
When an HA2 backup link is configured, failover to the backup link will occur if there is a physical link failure. With the HA2 keep-alive option enabled, the failover will also occur if the HA keep-alive messages fail based on the defined threshold.
Specify the following settings for the primary and backup data link:
—Select the HA port. Configure this setting for the primary and backup HA2 interfaces. The backup setting is optional.
—Specify the IPv4 or IPv6 address of the HA interface for the primary and backup HA2 interfaces. The backup setting is optional.
—Specify the network mask for the HA interface for the primary and backup HA2 interfaces. The backup setting is optional.
—Specify the default gateway for the HA interface for the primary and backup HA2 interfaces. The backup setting is optional. If the HA2 IP addresses of the firewalls are in the same subnet, the Gateway field should be left blank.
Enable Session Synchronization
—Enable synchronization of the session information with the passive firewall, and choose a transport option.
—Choose one of the following transport options:
—Use when the firewalls are connected back-to-back or through a switch (Ethertype 0x7261).
—Use when Layer 3 transport is required (IP protocol number 99).
—Use to take advantage of the fact that the checksum is calculated on the entire packet rather than just the header, as in the IP option (UDP port 29281). The benefit of using UDP mode is the presence of the UDP checksum to verify the integrity of a session sync message.
—(Models with dedicated HA ports only) Select the speed for the control link between peers for the dedicated HA2 port.
—(Models with dedicated HA ports only) Select a duplex option for the control link between peers for the dedicated HA2 port.
—Select this option to monitor the health of the HA2 data link between HA peers. This option is disabled by default and you can enable it on one or both peers. If enabled, the peers will use keep-alive messages to monitor the HA2 connection to detect a failure based on the
you set (default is 10000 ms). If you enable HA2 keep-alive, the HA2 Keep-alive recovery Action will be taken. Select an
—Logs the failure of the HA2 interface in the system log as a critical event. Select this option for active/passive deployments because the active peer is the only firewall forwarding traffic. The passive peer is in a backup state and is not forwarding traffic; therefore a split datapath is not required. If you have not configured any HA2 Backup links, state synchronization will be turned off. If the HA2 path recovers, an informational log will be generated.
—Select this option in active/active HA deployments to instruct each peer to take ownership of their local state and session tables when it detects an HA2 interface failure. Without HA2 connectivity, no state and session synchronization can happen; this action allows separate management of the session tables to ensure successful traffic forwarding by each HA peer. To prevent this condition, configure an HA2 Backup link.
—The duration in which keep-alive messages have failed before one of the above actions will be triggered (range is 5,000–60,000ms; default is 10,000ms).
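The three session synchronization transports above are distinguishable on the wire by a single value each: Ethertype 0x7261, IP protocol number 99, or UDP port 29281. That matters when HA2 crosses switches, ACLs or other firewalls that must permit the traffic, and when you want to confirm from a capture which transport is actually in use. The classifier below is an added example in Python, not code from the page or from Palo Alto Networks; the sample frames are constructed inline (with zero checksums and made-up addresses), and the IPv4/IPv6 header parsing is minimal, with no handling of IPv6 extension headers.

```python
import struct
from collections import Counter
from typing import Iterable, Optional

# HA2 session-synchronization transports as described on the page
HA2_ETHERTYPE = 0x7261     # Ethernet transport: peers back-to-back or via a switch
HA2_IP_PROTOCOL = 99       # IP transport: Layer 3 between peers
HA2_UDP_PORT = 29281       # UDP transport: UDP checksum covers the whole message

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPV6 = 0x86DD
IPPROTO_UDP = 17


def classify_ha2_frame(frame: bytes) -> Optional[str]:
    """Return 'ethernet', 'ip' or 'udp' if `frame` looks like HA2 sync traffic, else None."""
    if len(frame) < 14:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == HA2_ETHERTYPE:
        return "ethernet"
    if ethertype == ETHERTYPE_IPV4:
        if len(frame) < 34:
            return None
        ihl = (frame[14] & 0x0F) * 4           # IPv4 header length in bytes
        proto = frame[14 + 9]                  # Protocol field
        l4_offset = 14 + ihl
    elif ethertype == ETHERTYPE_IPV6:
        if len(frame) < 54:
            return None
        proto = frame[14 + 6]                  # Next Header (extension headers not followed)
        l4_offset = 14 + 40
    else:
        return None
    if proto == HA2_IP_PROTOCOL:
        return "ip"
    if proto == IPPROTO_UDP and len(frame) >= l4_offset + 4:
        sport, dport = struct.unpack("!HH", frame[l4_offset:l4_offset + 4])
        if HA2_UDP_PORT in (sport, dport):
            return "udp"
    return None


def count_transports(frames: Iterable[bytes]) -> Counter:
    """Tally which HA2 transport (if any) each captured frame uses."""
    return Counter(classify_ha2_frame(f) for f in frames)


# --- constructed sample frames (not real captures); checksums are left zero ---
_ETH_HDR = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")


def _eth(ethertype: int, payload: bytes) -> bytes:
    return _ETH_HDR + struct.pack("!H", ethertype) + payload


def _ipv4(proto: int, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return _eth(ETHERTYPE_IPV4, hdr + payload)


def _ipv6(next_header: int, payload: bytes) -> bytes:
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 64, src, dst)
    return _eth(ETHERTYPE_IPV6, hdr + payload)


def _udp(dport: int, data: bytes) -> bytes:
    return struct.pack("!HHHH", 40000, dport, 8 + len(data), 0) + data


SAMPLE_FRAMES = [
    _eth(HA2_ETHERTYPE, b"sync-msg"),                    # Ethernet transport
    _ipv4(HA2_IP_PROTOCOL, b"sync-msg"),                 # IP transport over IPv4
    _ipv4(IPPROTO_UDP, _udp(HA2_UDP_PORT, b"sync-msg")), # UDP transport
    _ipv6(HA2_IP_PROTOCOL, b"sync-msg"),                 # IP transport over IPv6
    _ipv4(6, b"\x00" * 20),                              # ordinary TCP: not HA2
    _ipv4(IPPROTO_UDP, _udp(53, b"")),                   # DNS: not HA2
]

if __name__ == "__main__":
    print(count_transports(SAMPLE_FRAMES))
```

On a real capture you would feed the classifier the raw link-layer bytes of each packet; a result that mixes transports, or one that shows none at all on the path where HA2 is expected, is the first thing to check when session synchronization is silently failing.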
Link and Path Monitoring Tab (Not available for the VM-Series firewall in AWS)
Specify the following:
—Enable path monitoring. Path monitoring enables the firewall to monitor specified destination IP addresses by sending ICMP ping messages to make sure that they are responsive. Use path monitoring for virtual wire, Layer 2, or Layer 3 configurations where monitoring of other network devices is required for failover and link monitoring alone is not sufficient.
—Select whether a failover occurs when any or all of the monitored path groups fail to respond.
Define one or more path groups to monitor specific destination addresses. To add a path group, click Add for the interface type (Virtual Wire, VLAN, or Virtual Router) and specify the following:
—Select a virtual wire, VLAN, or virtual router from the drop-down (the drop-down is populated depending on if you are adding a virtual wire, VLAN, or virtual router path).
—Enable the path group.
—Select whether a failure occurs when any or all of the specified destination addresses fails to respond.
—For virtual wire and VLAN interfaces, enter the source IP address used in the probe packets sent to the next-hop router (Destination IP address). The local router must be able to route the address to the firewall. The source IP address for path groups associated with virtual routers will be automatically configured as the interface IP address that is indicated in the route table as the egress interface for the specified destination IP address.
—Enter one or more (comma-separated) destination addresses to be monitored.
—Specify the interval between pings that are sent to the destination address (range is 200–60,000 milliseconds; default is 200 milliseconds).
—Specify the number of failed pings before declaring a failure (range is 3–10 pings; default is 10 pings).
Specify the following:
—Enable link monitoring. Link monitoring allows failover to be triggered when a physical link or group of physical links fails.
—Select whether a failover occurs when any or all of the monitored link groups fail.
Define one or more link groups to monitor specific Ethernet links. To add a link group, specify the following and click Add:
—Enter a link group name.
—Enable the link group.
—Select whether a failure occurs when any or all of the selected links fail.
—Select one or more Ethernet interfaces to be monitored.
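Path and link monitoring both decide failover through two nested any/all conditions: the per-group failure condition across a group's destinations or interfaces, and the top-level failure condition across groups. Path groups additionally need Ping Count consecutive missed replies before a destination counts as failed, which is what the Ping Interval and Ping Count settings above turn into a detection time. The Python below is an added example, not code from the page or from Palo Alto Networks; the probe results, link states, group names and addresses are constructed, and it assumes that disabled groups are simply excluded from the top-level evaluation.

```python
from dataclasses import dataclass
from typing import Dict, List


def _condition_met(flags: List[bool], failure_condition: str) -> bool:
    """Combine per-member failure flags using the page's 'any' / 'all' condition."""
    if not flags:
        return False
    if failure_condition == "any":
        return any(flags)
    if failure_condition == "all":
        return all(flags)
    raise ValueError(f"unknown failure condition: {failure_condition!r}")


@dataclass
class Destination:
    ip: str
    probe_results: List[bool]      # constructed ICMP results, oldest first; True = reply received

    def consecutive_failures(self) -> int:
        """Number of most recent probes in a row that got no reply."""
        n = 0
        for ok in reversed(self.probe_results):
            if ok:
                break
            n += 1
        return n


@dataclass
class PathGroup:
    name: str
    enabled: bool
    failure_condition: str         # "any" or "all" of the destinations
    destinations: List[Destination]
    ping_interval_ms: int = 200    # range 200-60,000; default 200
    ping_count: int = 10           # failed pings before declaring failure; range 3-10

    def failed(self) -> bool:
        if not self.enabled:
            return False
        flags = [d.consecutive_failures() >= self.ping_count for d in self.destinations]
        return _condition_met(flags, self.failure_condition)

    def detection_time_ms(self) -> int:
        """Time for a dead destination to be declared failed: interval x count."""
        return self.ping_interval_ms * self.ping_count


@dataclass
class LinkGroup:
    name: str
    enabled: bool
    failure_condition: str         # "any" or "all" of the interfaces
    link_up: Dict[str, bool]       # constructed physical link state per interface

    def failed(self) -> bool:
        if not self.enabled:
            return False
        return _condition_met([not up for up in self.link_up.values()], self.failure_condition)


def failover_required(path_enabled: bool, path_condition: str, path_groups: List[PathGroup],
                      link_enabled: bool, link_condition: str, link_groups: List[LinkGroup]) -> bool:
    """Top-level decision: either monitor type meeting its failure condition triggers failover.

    Assumption: disabled groups are left out of the top-level evaluation, so a
    disabled group cannot block an 'all' condition.
    """
    path_fail = path_enabled and _condition_met(
        [g.failed() for g in path_groups if g.enabled], path_condition)
    link_fail = link_enabled and _condition_met(
        [g.failed() for g in link_groups if g.enabled], link_condition)
    return bool(path_fail or link_fail)


if __name__ == "__main__":
    dead = Destination("198.51.100.1", [True] * 5 + [False] * 10)
    alive = Destination("198.51.100.2", [True] * 15)
    wan = PathGroup("wan", True, "any", [dead, alive])
    uplinks = LinkGroup("uplinks", True, "all", {"ethernet1/1": False, "ethernet1/2": True})
    print("wan group failed:", wan.failed(), "after up to", wan.detection_time_ms(), "ms")
    print("failover:", failover_required(True, "any", [wan], True, "any", [uplinks]))
```

Note how the choice of condition changes the outcome for the same probe data: with "any" the single dead next hop fails the group, while with "all" the group stays healthy because the other destination still answers.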
Active/Active Config Tab
peers to forward packets over the HA3 link for session setup and for Layer 7 inspection (App-ID, Content-ID, and threat inspection) of asymmetrically routed sessions.
Select the data interface you plan to use to forward packets between active/active HA peers. The interface you use must be a dedicated Layer 2 interface set to Interface Type
If the HA3 link fails, the active-secondary peer will transition to the non-functional state. To prevent this condition, configure a Link Aggregation Group (LAG) interface with two or more physical interfaces as the HA3 link. The firewall does not support an HA3 Backup link. An aggregate interface with multiple interfaces provides additional capacity and link redundancy to support packet forwarding between HA peers.
You must enable jumbo frames on the firewall and on all intermediary networking devices when using the HA3 interface. To enable jumbo frames, select Device > Setup > Session and select the option to Enable Jumbo Frame in the Session Settings section.
Force synchronization of all virtual routers configured on the HA peers.
Use this option when the virtual router is not configured for dynamic routing protocols. Both peers must be connected to the same next-hop router through a switched network and must use static routing only.
Synchronize the QoS profile selection on all physical interfaces. Use this option when both peers have similar link speeds and require the same QoS profiles on all physical interfaces. This setting affects the synchronization of QoS settings on the
tab. QoS policy is synchronized regardless of this setting.
Tentative Hold Time (sec)
When a firewall in an HA active/active configuration fails, it will go into a tentative state. The transition from tentative state to active-secondary state triggers the Tentative Hold Time, during which the firewall attempts to build routing adjacencies and populate its route table before it will process any packets. Without this timer, the recovering firewall would enter the active-secondary state immediately and would blackhole packets because it would not have the necessary routes (default 60 seconds).
Session Owner Selection
The session owner is responsible for all Layer 7 inspection (App-ID and Content-ID) for the session and for generating all Traffic logs for the session. Select one of the following options to specify how to determine the session owner for a packet:
—Select this option to designate the firewall that receives the first packet in a session as the session owner. This is the recommended configuration to minimize traffic across HA3 and distribute the dataplane load across peers.
—Select this option if you want the active-primary firewall to own all sessions. In this case, if the active-secondary firewall receives the first packet, it will forward all packets requiring Layer 7 inspection to the active-primary firewall over the HA3 link.
The firewall responsible for session setup performs Layer 2 through Layer 4 processing (including address translation) and creates the session table entry. Because session setup consumes management plane resources, you can select one of the following options to help distribute the load:
—The active-primary firewall sets up all sessions.
—Distributes session setup based on the parity of the source IP address.
—Distributes session setup based on a hash of the source IP address or source and destination IP address, and hash seed value if you need more randomization.
—The firewall that receives the first packet performs session setup, even in cases where the peer owns the session. This option minimizes traffic over the HA3 link and ensures that the management plane-intensive work of setting up the session always happens on the firewall that receives the first packet.
Click Add, select the tab and then click Add again to enter options to specify the type of HA virtual address to use: Floating IP or ARP Load Sharing. You can also mix the virtual address types in the pair. For example, you could use ARP load sharing on the LAN interface and a Floating IP on the WAN interface.
—Enter an IP address that will move between HA peers in the event of a link or system failure. Configure two floating IP addresses on the interface, so that each firewall will own one and then set the priority. If either firewall fails, the floating IP address transitions to the HA peer.
Device 0 Priority
—Set the priority for the firewall with Device ID 0 to determine which firewall will own the floating IP address. A firewall with the lowest value will have the highest priority.
Device 1 Priority
—Set the priority for the firewall with Device ID 1 to determine which firewall will own the floating IP address. A firewall with the lowest value will have the highest priority.
Failover address if link state is down
—Use the failover address when the link state is down on the interface.
Floating IP bound to the Active-Primary HA device
—Select this option to bind the floating IP address to the active-primary peer. In the event one peer fails, traffic is sent continuously to the active-primary peer even after the failed firewall recovers and becomes the active-secondary peer.
ARP Load Sharing
—Enter an IP address that will be shared by the HA pair and provide gateway services for hosts. This option is only required if the firewall is on the same broadcast domain as the hosts. Select the
Device Selection Algorithm:
—Select the firewall that will respond to ARP requests based on the parity of the ARP requester's IP address.
—Select the firewall that will respond to ARP requests based on a hash of the ARP requester's IP address.
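The session setup options (primary device, IP modulo, IP hash, first packet), the session owner options, and the ARP load-sharing device selection algorithm above all reduce to the same question: given an address, which Device ID (0 or 1) does the work? The Python below models that selection and the resulting HA3 forwarding for both the session setup passage and the ARP Load Sharing passage. It is an added example, not code from the page or from Palo Alto Networks: the option names are hypothetical labels for the choices the page describes, SHA-256 stands in for the firewall's own (unpublished here) hash function, Device ID 0 is assumed to be the active-primary peer, and the addresses are constructed.

```python
import hashlib
import ipaddress
from collections import Counter
from typing import Iterable, Optional

# Hypothetical option names standing in for the UI choices described on the page.
SETUP_PRIMARY = "primary-device"
SETUP_IP_MODULO = "ip-modulo"
SETUP_IP_HASH = "ip-hash"
SETUP_FIRST_PACKET = "first-packet"
OWNER_PRIMARY = "primary-device"
OWNER_FIRST_PACKET = "first-packet"

ACTIVE_PRIMARY = 0   # assumption: the peer with Device ID 0 is active-primary here


def ip_modulo(ip: str) -> int:
    """Parity of the address selects Device ID 0 (even) or 1 (odd)."""
    return int(ipaddress.ip_address(ip)) % 2


def ip_hash(src_ip: str, dst_ip: Optional[str] = None, seed: int = 0) -> int:
    """Hash of the source (or source + destination) address plus a seed.

    Assumption: SHA-256 is used purely for illustration; it is not the
    firewall's own hash, only a deterministic function with the same shape.
    """
    h = hashlib.sha256(ipaddress.ip_address(src_ip).packed)
    if dst_ip is not None:
        h.update(ipaddress.ip_address(dst_ip).packed)
    h.update(seed.to_bytes(4, "big"))
    return h.digest()[-1] % 2


def session_setup_device(option: str, receiving_device: int, src_ip: str,
                         dst_ip: Optional[str] = None, seed: int = 0) -> int:
    """Which peer performs Layer 2-4 session setup for a new flow."""
    if option == SETUP_PRIMARY:
        return ACTIVE_PRIMARY
    if option == SETUP_IP_MODULO:
        return ip_modulo(src_ip)
    if option == SETUP_IP_HASH:
        return ip_hash(src_ip, dst_ip, seed)
    if option == SETUP_FIRST_PACKET:
        return receiving_device
    raise ValueError(f"unknown session setup option: {option!r}")


def session_owner(option: str, receiving_device: int) -> int:
    """Which peer owns the session (Layer 7 inspection and Traffic logs)."""
    if option == OWNER_PRIMARY:
        return ACTIVE_PRIMARY
    if option == OWNER_FIRST_PACKET:
        return receiving_device
    raise ValueError(f"unknown session owner option: {option!r}")


def crosses_ha3(owner: int, setup: int, receiving: int) -> bool:
    """Assumption: packets cross HA3 whenever the owner or the setup peer
    is not the peer that received them."""
    return owner != receiving or setup != receiving


def arp_responder(algorithm: str, requester_ip: str, seed: int = 0) -> int:
    """ARP Load Sharing device selection for the requester's address."""
    if algorithm == SETUP_IP_MODULO:
        return ip_modulo(requester_ip)
    if algorithm == SETUP_IP_HASH:
        return ip_hash(requester_ip, seed=seed)
    raise ValueError(f"unknown device selection algorithm: {algorithm!r}")


def load_split(option: str, src_ips: Iterable[str], seed: int = 0) -> Counter:
    """How many of the given source addresses land on each Device ID."""
    return Counter(session_setup_device(option, ACTIVE_PRIMARY, ip, seed=seed) for ip in src_ips)


if __name__ == "__main__":
    hosts = [f"10.0.0.{i}" for i in range(1, 11)]          # constructed LAN hosts
    print("ip-modulo split:", dict(load_split(SETUP_IP_MODULO, hosts)))
    print("ip-hash split:  ", dict(load_split(SETUP_IP_HASH, hosts, seed=7)))
    owner = session_owner(OWNER_PRIMARY, receiving_device=1)
    setup = session_setup_device(SETUP_FIRST_PACKET, 1, "10.0.0.3")
    print("owner", owner, "setup", setup, "crosses HA3:", crosses_ha3(owner, setup, 1))
```

The load_split output is the practical check: IP modulo balances a contiguous host range exactly, while a hash depends on the seed, so test the seed against your real address population before relying on it to spread session setup across both peers.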
Suspend local device
(or Make local device functional)
Places the HA peer in a suspended state, and temporarily disables HA functionality on the firewall. If you suspend the currently active firewall, the other peer will take over.
To place a suspended firewall back into a functional state, use the following operational mode CLI command:
request high-availability state functional
To test failover, you can either uncable the active (or active-primary) firewall or you can click this link to suspend the active firewall.