Device > High Availability
For redundancy, deploy your Palo Alto Networks next-generation firewalls in a high availability configuration. There are two HA deployments:
active/passive—In this deployment, the active peer continuously synchronizes its configuration and session information with the passive peer over two dedicated interfaces. In the event of a hardware or software disruption on the active firewall, the passive firewall becomes active automatically without loss of service. Active/passive HA deployments are supported with all interface modes—virtual-wire, Layer 2 or Layer 3.
active/active—In this deployment, both HA peers are active and processing traffic. Such deployments are most suited for scenarios involving asymmetric routing or in cases where you want to allow dynamic routing protocols (OSPF, BGP) to maintain active status across both peers. Active/active HA is supported only in the virtual-wire and Layer 3 interface modes. In addition to the HA1 and HA2 links, active/active deployments require a dedicated HA3 link. The HA3 link is used as a packet forwarding link for session setup and asymmetric traffic handling.
In an HA pair, both peers must be of the same model, must be running the same PAN-OS and Content Release version, and must have the same set of licenses. In addition, for the VM-Series firewalls, both peers must be on the same hypervisor and must have the same number of CPU cores allocated on each peer.
HA Lite
The PA-200 firewall supports HA lite, a version of active/passive HA that does not include any session synchronization. HA lite does provide configuration synchronization and synchronization of some runtime items. It also supports failover of IPSec tunnels (sessions must be re-established), DHCP server lease information, DHCP client lease information, PPPoE lease information, and the firewall's forwarding table when configured in Layer 3 mode.
Important Considerations for Configuring HA
The subnet that is used for the local and peer IP should not be used anywhere else on the virtual router.
The OS and Content Release versions should be the same on each firewall. A mismatch can prevent peer firewalls from synchronizing.
The LEDs are green on the HA ports for the active firewall and amber on the passive firewall.
To compare the configuration of the local and peer firewalls, use the Config Audit tool on the Device tab, selecting the desired local configuration in the left selection box and the peer configuration in the right selection box.
Synchronize the firewalls from the web interface by clicking Push Configuration in the HA widget on the Dashboard. Note that the configuration on the firewall from which you push the configuration overwrites the configuration on the peer firewall.
To synchronize the firewalls from the CLI on the active firewall, use the command request high-availability sync-to-remote running-config.
In a High Availability (HA) active/passive configuration with firewalls that use 10 gigabit SFP+ ports, when a failover occurs and the active firewall changes to a passive state, the 10 gigabit Ethernet port is taken down and then brought back up to refresh the port, but does not enable transmit until the firewall becomes active again. If you have monitoring software on the neighboring device, it will see the port as flapping because it is going down and then up again. This is different behavior than the action with other ports, such as the 1 gigabit Ethernet port, which is disabled and still allows transmit, so flapping is not detected by the neighboring device.
Configure HA Settings
To configure HA settings, select Device > High Availability and then, for each group of settings, specify the corresponding information described in the following table.
HA Setting Description
General Tab
Setup
Specify the following settings:
Enable HA —Activate HA functionality.
Group ID —Enter a number to identify the HA pair (1 to 63). This field is required (and must be unique) if multiple HA pairs reside on the same broadcast domain.
Description —Enter a description of the HA pair (optional).
Mode —Set the type of HA deployment—Active Passive or Active Active.
Device ID —In active/active configuration, set the Device ID to determine which peer will be active-primary (set Device ID to 0) and which will be active-secondary (set the Device ID to 1).
Enable Config Sync —Select this option to enable synchronization of configuration settings between the peers. As a best practice, config sync should always be enabled.
Peer HA1 IP Address —Enter the IP address of the HA1 interface of the peer firewall.
Backup Peer HA1 IP Address —Enter the IP address for the peer’s backup control link.
Active/Passive Settings
Passive Link State —Select one of the following options to specify whether the data links on the passive firewall should remain up. This option is not available in the VM-Series firewall in AWS.
auto —The links that have physical connectivity remain physically up but in a disabled state; they do not participate in ARP learning or packet forwarding. This helps failover convergence because the time to bring up the links is saved. In order to avoid network loops, do not select this option if the firewall has any Layer 2 interfaces configured.
shutdown —Forces the interface link to the down state. This is the default option, which ensures that loops are not created in the network.
Monitor Fail Hold Down Time (min) —This value between 1-60 minutes determines the interval in which a firewall will be in a non-functional state before becoming passive. This timer is used when there are missed heartbeats or hello messages due to a link or path monitoring failure.
Election Settings
Specify or enable the following settings:
Device Priority —Enter a priority value to identify the active firewall. The firewall with the lower value (higher priority) becomes the active firewall (range is 0–255) when the preemptive capability is enabled on both firewalls in the pair.
Heartbeat Backup —Uses the management ports on the HA firewalls to provide a backup path for heartbeat and hello messages. The management port IP address will be shared with the HA peer through the HA1 control link. No additional configuration is required.
Preemptive —Enables the higher priority firewall to resume active (active/passive) or active-primary (active/active) operation after recovering from a failure. The Preemptive option must be enabled on both firewalls for the higher priority firewall to resume active or active-primary operation upon recovery following a failure. If this setting is off, then the lower priority firewall remains active or active-primary even after the higher priority firewall recovers from a failure.
HA Timer Settings —Select one of the preset profiles:
Recommended —Use for typical failover timer settings.
Aggressive —Use for faster failover timer settings.
To view the preset value for an individual timer included in a profile, select Advanced and click Load Recommended or Load Aggressive. The preset values for your hardware model will be displayed on-screen.
Advanced —Allows you to customize the values to suit your network requirements for each of the following timers:
Promotion Hold Time —Enter the time that the passive peer (in active/passive mode) or the active-secondary peer (in active/active mode) will wait before taking over as the active or active-primary peer after communications with the HA peer have been lost. This hold time begins only after the peer failure declaration has been made.
Hello Interval —Enter the number of milliseconds between the hello packets sent to verify that the HA program on the other firewall is operational (range is 8,000–60,000; default is 8,000).
Heartbeat Interval —Specify how frequently the HA peers exchange heartbeat messages in the form of an ICMP ping (range is 1,000–60,000 ms; no default). The recommended value, for example, on the PA-2000 and below models is 2,000 ms.
Maximum No. of Flaps —A flap is counted when the firewall leaves the active state within 15 minutes after it last left the active state. You can specify the maximum number of flaps that are permitted before the firewall is determined to be suspended and the passive firewall takes over (range is 0–16; default is 3). The value 0 means there is no maximum (an infinite number of flaps is required before the passive firewall takes over).
Preemption Hold Time —Enter the time in minutes that a passive or active-secondary peer waits before taking over as the active or active-primary peer (range is 1–60; default is 1).
Monitor Fail Hold Up Time (ms) —Specify the interval during which the firewall will remain active following a path monitor or link monitor failure. This setting is recommended to avoid an HA failover due to the occasional flapping of neighboring devices (range is 0–60,000 ms; default is 0 ms).
Additional Master Hold Up Time (min) —This time interval is applied to the same event as Monitor Fail Hold Up Time (range is 0–60,000 ms; default is 500 ms). The additional time interval is applied only to the active peer in active/passive mode and to the active-primary peer in active/active mode. This timer is recommended to avoid a failover when both peers experience the same link/path monitor failure simultaneously.
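The Maximum No. of Flaps rule above is easy to misread, so the following is an added Python model of it (example code, not from the PAN-OS documentation): a flap is counted only when the firewall leaves the active state within 15 minutes of the last time it did so, and the firewall is suspended once the count reaches the configured maximum, with 0 meaning no maximum. It assumes that a departure more than 15 minutes after the previous one restarts the count, which the page does not state.

```python
from dataclasses import dataclass
from typing import List, Optional

FLAP_WINDOW_SEC = 15 * 60  # the 15-minute window named in the documentation


@dataclass
class FlapTracker:
    """Tracks departures from the active state against Maximum No. of Flaps."""
    max_flaps: int = 3            # documented default; 0 means no maximum
    last_left_active: Optional[float] = None
    flaps: int = 0
    suspended: bool = False

    def leave_active(self, t: float) -> bool:
        """Record that the firewall left the active state at time t (seconds).

        Returns True once the firewall is considered suspended, i.e. the
        peer takes over and this firewall stops participating in elections.
        """
        if self.suspended:
            return True
        within_window = (self.last_left_active is not None
                         and t - self.last_left_active <= FLAP_WINDOW_SEC)
        if within_window:
            self.flaps += 1
        else:
            # Assumption (not on the page): a departure outside the
            # 15-minute window starts a fresh flap count.
            self.flaps = 0
        self.last_left_active = t
        if self.max_flaps > 0 and self.flaps >= self.max_flaps:
            self.suspended = True
        return self.suspended


def simulate(departures: List[float], max_flaps: int = 3) -> dict:
    """Replay a list of times (seconds) at which the firewall left active.

    Returns the final flap count and the time at which the firewall would
    have been suspended (None if it never reached the maximum).
    """
    tracker = FlapTracker(max_flaps=max_flaps)
    suspended_at = None
    for t in departures:
        if tracker.leave_active(t) and suspended_at is None:
            suspended_at = t
    return {"flaps": tracker.flaps, "suspended_at": suspended_at}


if __name__ == "__main__":
    # Constructed sample: four departures one minute apart reach the default of 3.
    print(simulate([0, 60, 120, 180]))          # {'flaps': 3, 'suspended_at': 180}
    # Departures 20 minutes apart never count as flaps.
    print(simulate([0, 1200, 2400]))            # {'flaps': 0, 'suspended_at': None}
    # A maximum of 0 disables suspension entirely.
    print(simulate([0, 60, 120, 180, 240], 0))  # {'flaps': 4, 'suspended_at': None}
```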
Control Link (HA1)/Control Link (HA1 Backup)
The firewalls in an HA pair use HA links to synchronize data and maintain state information. The recommended configuration for the HA control link connection is to use the dedicated HA1 link between the two firewalls and use the management port as the Control Link (HA Backup) interface. In this case, you do not need to enable the Heartbeat Backup option in the Election Settings. If you are using a physical HA1 port for the Control Link HA link and a data port for Control Link (HA Backup), it is recommended that you enable the Heartbeat Backup option.
For firewalls that do not have a dedicated HA port, such as the PA-200 firewall, you should configure the management port for the Control Link HA connection and a data port interface configured with type HA for the Control Link HA1 Backup connection. Because the management port is used in this case, there is no need to enable the Heartbeat Backup option in the Election Settings because the heartbeat backups will already occur through the management interface connection. On the VM-Series firewall in AWS, the management port is used as the HA1 link.
When using a data port for the HA control link, keep in mind that because the control messages have to travel from the dataplane to the management plane, if a failure occurs in the dataplane, the peers cannot exchange HA control link information and a failover will occur. It is best to use the dedicated HA ports, or on firewalls that do not have a dedicated HA port, use the management port.
Specify the following settings for the primary and backup HA control links:
Port —Select the HA port for the primary and backup HA1 interfaces. The backup setting is optional.
IPv4/IPv6 Address —Enter the IPv4 or IPv6 address of the HA1 interface for the primary and backup HA1 interfaces. The backup setting is optional.
Netmask —Enter the network mask for the IP address (such as 255.255.255.0) for the primary and backup HA1 interfaces. The backup setting is optional.
Gateway —Enter the IP address of the default gateway for the primary and backup HA1 interfaces. The backup setting is optional.
Link Speed —(Models with dedicated HA ports only) Select the speed for the control link between the firewalls for the dedicated HA1 port.
Link Duplex —(Models with dedicated HA ports only) Select a duplex option for the control link between the firewalls for the dedicated HA1 port.
Encryption Enabled —Enable encryption after exporting the HA key from the HA peer and importing it onto this firewall. The HA key on this firewall must also be exported from this firewall and imported on the HA peer. Configure this setting for the primary HA1 interface. Import/export keys on the Certificates page (refer to Device > Certificate Management > Certificate Profile).
Monitor Hold Time (ms) —Enter the length of time (milliseconds) that the firewall will wait before declaring a peer failure due to a control link failure (range is 1,000–60,000; default is 3,000). This option monitors the physical link status of the HA1 port(s).
Data Link (HA2)
When an HA2 backup link is configured, failover to the backup link will occur if there is a physical link failure. With the HA2 keep-alive option enabled, the failover will also occur if the HA keep-alive messages fail based on the defined threshold.
Specify the following settings for the primary and backup data link:
Port —Select the HA port. Configure this setting for the primary and backup HA2 interfaces. The backup setting is optional.
IP Address —Specify the IPv4 or IPv6 address of the HA interface for the primary and backup HA2 interfaces. The backup setting is optional.
Netmask —Specify the network mask for the HA interface for the primary and backup HA2 interfaces. The backup setting is optional.
Gateway —Specify the default gateway for the HA interface for the primary and backup HA2 interfaces. The backup setting is optional. If the HA2 IP addresses of the firewalls are in the same subnet, leave the Gateway field blank.
Enable Session Synchronization —Enable synchronization of the session information with the passive firewall, and choose a transport option.
Transport —Choose one of the following transport options:
Ethernet —Use when the firewalls are connected back-to-back or through a switch (Ethertype 0x7261).
IP —Use when Layer 3 transport is required (IP protocol number 99).
UDP —Use to take advantage of the fact that the checksum is calculated on the entire packet rather than just the header, as in the IP option (UDP port 29281). The benefit of using UDP mode is the presence of the UDP checksum to verify the integrity of a session sync message.
Link Speed —(Models with dedicated HA ports only) Select the speed for the control link between peers for the dedicated HA2 port.
Link Duplex —(Models with dedicated HA ports only) Select a duplex option for the control link between peers for the dedicated HA2 port.
HA2 keep-alive —Select this option to monitor the health of the HA2 data link between HA peers. This option is disabled by default and you can enable it on one or both peers. If enabled, the peers will use keep-alive messages to monitor the HA2 connection to detect a failure based on the Threshold you set (default is 10,000 ms). If you enable HA2 keep-alive, the HA2 Keep-alive recovery Action will be taken. Select an Action:
Log Only —Logs the failure of the HA2 interface in the system log as a critical event. Select this option for active/passive deployments because the active peer is the only firewall forwarding traffic. The passive peer is in a backup state and is not forwarding traffic; therefore a split datapath is not required. If you have not configured any HA2 Backup links, state synchronization will be turned off. If the HA2 path recovers, an informational log will be generated.
Split Datapath —Select this option in active/active HA deployments to instruct each peer to take ownership of its local state and session tables when it detects an HA2 interface failure. Without HA2 connectivity, no state and session synchronization can happen; this action allows separate management of the session tables to ensure successful traffic forwarding by each HA peer. To prevent this condition, configure an HA2 Backup link.
Threshold (ms) —The duration in which keep-alive messages have failed before one of the above actions will be triggered (range is 5,000–60,000 ms; default is 10,000 ms).
Link and Path Monitoring Tab (Not available for the VM-Series firewall in AWS)
Path Monitoring
Specify the following:
Enabled —Enable path monitoring. Path monitoring enables the firewall to monitor specified destination IP addresses by sending ICMP ping messages to make sure that they are responsive. Use path monitoring for virtual wire, Layer 2, or Layer 3 configurations where monitoring of other network devices is required for failover and link monitoring alone is not sufficient.
Failure Condition —Select whether a failover occurs when any or all of the monitored path groups fail to respond.
Path Group
Define one or more path groups to monitor specific destination addresses. To add a path group, click Add for the interface type (Virtual Wire, VLAN, or Virtual Router) and specify the following:
Name —Select a virtual wire, VLAN, or virtual router from the drop-down (the drop-down is populated depending on whether you are adding a virtual wire, VLAN, or virtual router path).
Enabled —Enable the path group.
Failure Condition —Select whether a failure occurs when any or all of the specified destination addresses fail to respond.
Source IP —For virtual wire and VLAN interfaces, enter the source IP address used in the probe packets sent to the next-hop router (Destination IP address). The local router must be able to route the address to the firewall. The source IP address for path groups associated with virtual routers will be automatically configured as the interface IP address that is indicated in the route table as the egress interface for the specified destination IP address.
Destination IPs —Enter one or more (comma-separated) destination addresses to be monitored.
Ping Interval —Specify the interval between pings that are sent to the destination address (range is 200–60,000 milliseconds; default is 200 milliseconds).
Ping Count —Specify the number of failed pings before declaring a failure (range is 3–10 pings; default is 10 pings).
Link Monitoring
Specify the following:
Enabled —Enable link monitoring. Link monitoring allows failover to be triggered when a physical link or group of physical links fails.
Failure Condition —Select whether a failover occurs when any or all of the monitored link groups fail.
Link Groups
Define one or more link groups to monitor specific Ethernet links. To add a link group, specify the following and click Add:
Name —Enter a link group name.
Enabled —Enable the link group.
Failure Condition —Select whether a failure occurs when any or all of the selected links fail.
Interfaces —Select one or more Ethernet interfaces to be monitored.
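The two levels of any/all Failure Condition in the Link and Path Monitoring tab (per group over its members, then per tab over the groups) decide whether a failover fires. Here is an added Python model of that evaluation (example code, not from the PAN-OS documentation) run over a constructed snapshot of ping losses and link states; a destination counts as down once its consecutive lost pings reach the group's Ping Count, and the sample group and interface names are made up.

```python
from dataclasses import dataclass
from typing import Dict, List


def _combine(condition: str, flags: List[bool]) -> bool:
    """Apply an 'any' or 'all' Failure Condition to member failure flags.
    A group with no members cannot fail."""
    if not flags:
        return False
    if condition == "any":
        return any(flags)
    if condition == "all":
        return all(flags)
    raise ValueError(f"unknown failure condition: {condition}")


@dataclass
class PathGroup:
    name: str                    # virtual wire, VLAN or virtual router being monitored
    destination_ips: List[str]
    failure_condition: str = "any"
    ping_count: int = 10         # documented default: 10 failed pings declare a failure
    enabled: bool = True

    def failed(self, lost_pings: Dict[str, int]) -> bool:
        """lost_pings maps destination IP -> consecutive unanswered pings."""
        if not self.enabled:
            return False
        flags = [lost_pings.get(ip, 0) >= self.ping_count for ip in self.destination_ips]
        return _combine(self.failure_condition, flags)


@dataclass
class LinkGroup:
    name: str
    interfaces: List[str]
    failure_condition: str = "any"
    enabled: bool = True

    def failed(self, link_up: Dict[str, bool]) -> bool:
        """link_up maps interface name -> physical link state (True = up)."""
        if not self.enabled:
            return False
        flags = [not link_up.get(iface, True) for iface in self.interfaces]
        return _combine(self.failure_condition, flags)


def failover_required(path_groups: List[PathGroup], path_condition: str,
                      lost_pings: Dict[str, int], link_groups: List[LinkGroup],
                      link_condition: str, link_up: Dict[str, bool]) -> Dict[str, bool]:
    """Evaluate both monitors. The tab-level condition combines the groups;
    a failure from either monitor is enough to trigger a failover."""
    path_fail = _combine(path_condition, [g.failed(lost_pings) for g in path_groups])
    link_fail = _combine(link_condition, [g.failed(link_up) for g in link_groups])
    return {"path": path_fail, "link": link_fail, "failover": path_fail or link_fail}


# Constructed sample configuration and probe snapshot (not real devices).
SAMPLE_PATH_GROUPS = [
    PathGroup("vr-default", ["198.51.100.1", "198.51.100.2"], failure_condition="all"),
    PathGroup("vlan-10", ["192.0.2.1"], failure_condition="any", ping_count=3),
]
SAMPLE_LINK_GROUPS = [
    LinkGroup("uplinks", ["ethernet1/1", "ethernet1/2"], failure_condition="all"),
]
SAMPLE_LOST_PINGS = {"198.51.100.1": 10, "198.51.100.2": 4, "192.0.2.1": 3}
SAMPLE_LINK_UP = {"ethernet1/1": False, "ethernet1/2": True}


def sample_decision() -> Dict[str, bool]:
    """vr-default needs both next hops down (only one is), vlan-10 has reached
    its Ping Count of 3, and only one of the two 'all' uplinks is down."""
    return failover_required(SAMPLE_PATH_GROUPS, "any", SAMPLE_LOST_PINGS,
                             SAMPLE_LINK_GROUPS, "any", SAMPLE_LINK_UP)
```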
Active/Active Config Tab
Packet Forwarding
Enable peers to forward packets over the HA3 link for session setup and for Layer 7 inspection (App-ID, Content-ID, and threat inspection) of asymmetrically routed sessions.
HA3 Interface
Select the data interface you plan to use to forward packets between active/active HA peers. The interface you use must be a dedicated Layer 2 interface set to Interface Type HA. If the HA3 link fails, the active-secondary peer will transition to the non-functional state. To prevent this condition, configure a Link Aggregation Group (LAG) interface with two or more physical interfaces as the HA3 link. The firewall does not support an HA3 Backup link. An aggregate interface with multiple interfaces will provide additional capacity and link redundancy to support packet forwarding between HA peers. You must enable jumbo frames on the firewall and on all intermediary networking devices when using the HA3 interface. To enable jumbo frames, select Device > Setup > Session and select the option to Enable Jumbo Frame in the Session Settings section.
VR Sync
Force synchronization of all virtual routers configured on the HA peers. Use this option when the virtual router is not configured for dynamic routing protocols. Both peers must be connected to the same next-hop router through a switched network and must use static routing only.
QoS Sync
Synchronize the QoS profile selection on all physical interfaces. Use this option when both peers have similar link speeds and require the same QoS profiles on all physical interfaces. This setting affects the synchronization of QoS settings on the Network tab. QoS policy is synchronized regardless of this setting.
Tentative Hold Time (sec)
When a firewall in an HA active/active configuration fails, it will go into a tentative state. The transition from tentative state to active-secondary state triggers the Tentative Hold Time, during which the firewall attempts to build routing adjacencies and populate its route table before it will process any packets. Without this timer, the recovering firewall would enter the active-secondary state immediately and would blackhole packets because it would not have the necessary routes (default 60 seconds).
Session Owner Selection
The session owner is responsible for all Layer 7 inspection (App-ID and Content-ID) for the session and for generating all Traffic logs for the session. Select one of the following options to specify how to determine the session owner for a packet:
First packet —Select this option to designate the firewall that receives the first packet in a session as the session owner. This is the recommended configuration to minimize traffic across HA3 and distribute the dataplane load across peers.
Primary Device —Select this option if you want the active-primary firewall to own all sessions. In this case, if the active-secondary firewall receives the first packet, it will forward all packets requiring Layer 7 inspection to the active-primary firewall over the HA3 link.
Session Setup
The firewall responsible for session setup performs Layer 2 through Layer 4 processing (including address translation) and creates the session table entry. Because session setup consumes management plane resources, you can select one of the following options to help distribute the load:
Primary Device —The active-primary firewall sets up all sessions.
IP Modulo —Distributes session setup based on the parity of the source IP address.
IP Hash —Distributes session setup based on a hash of the source IP address or source and destination IP address, and hash seed value if you need more randomization.
First Packet —The firewall that receives the first packet performs session setup, even in cases where the peer owns the session. This option minimizes traffic over the HA3 link and ensures that the management plane-intensive work of setting up the session always happens on the firewall that receives the first packet.
Virtual Address
Click Add, select the IPv4 or IPv6 tab and then click Add again to enter options to specify the type of HA virtual address to use—Floating or ARP Load Sharing. You can also mix virtual address types in the pair. For example, you could use ARP load sharing on the LAN interface and a Floating IP on the WAN interface.
Floating —Enter an IP address that will move between HA peers in the event of a link or system failure. Configure two floating IP addresses on the interface, so that each firewall will own one, and then set the priority. If either firewall fails, the floating IP address transitions to the HA peer.
Device 0 Priority —Set the priority for the firewall with Device ID 0 to determine which firewall will own the floating IP address. A firewall with the lowest value will have the highest priority.
Device 1 Priority —Set the priority for the firewall with Device ID 1 to determine which firewall will own the floating IP address. A firewall with the lowest value will have the highest priority.
Failover address if link state is down —Use the failover address when the link state is down on the interface.
Floating IP bound to the Active-Primary HA device —Select this option to bind the floating IP address to the active-primary peer. In the event one peer fails, traffic is sent continuously to the active-primary peer even after the failed firewall recovers and becomes the active-secondary peer.
ARP Load Sharing —Enter an IP address that will be shared by the HA pair and provide gateway services for hosts. This option is only required if the firewall is on the same broadcast domain as the hosts. Select the Device Selection Algorithm:
IP Modulo —Select the firewall that will respond to ARP requests based on the parity of the ARP requester's IP address.
IP Hash —Select the firewall that will respond to ARP requests based on a hash of the ARP requester's IP address.
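The IP Modulo and IP Hash rules appear twice above, once to pick the peer that performs Session Setup and once as the Device Selection Algorithm for ARP Load Sharing. This added Python example (not from the PAN-OS documentation) models both selections and lets you compare how evenly each rule spreads a set of hosts over Device ID 0 and 1. The page does not specify the hash function PAN-OS uses, so SHA-256 here is an illustrative stand-in: the selection structure models the firewall, the exact peer chosen under IP Hash does not.

```python
import hashlib
import ipaddress
from typing import Dict, Iterable, Optional

DEVICE_IDS = (0, 1)  # Device ID 0 is active-primary, 1 is active-secondary


def ip_modulo(ip: str) -> int:
    """IP Modulo: parity of the address (source IP, or ARP requester IP).
    Even addresses select Device 0, odd addresses select Device 1."""
    return int(ipaddress.ip_address(ip)) % 2


def ip_hash(src_ip: str, dst_ip: Optional[str] = None, seed: int = 0) -> int:
    """IP Hash: hash of the source IP, or of source and destination IP,
    mixed with a seed for extra randomization. SHA-256 is an assumption
    for illustration, not the firewall's own hash."""
    material = ipaddress.ip_address(src_ip).packed
    if dst_ip is not None:
        material += ipaddress.ip_address(dst_ip).packed
    material += seed.to_bytes(4, "big", signed=False)
    digest = hashlib.sha256(material).digest()
    return int.from_bytes(digest[:4], "big") % len(DEVICE_IDS)


def session_setup_device(mode: str, src_ip: str, dst_ip: Optional[str] = None,
                         seed: int = 0, first_packet_device: int = 0) -> int:
    """Device ID that performs session setup under the chosen Session Setup option.
    first_packet_device is the peer that received the first packet."""
    if mode == "Primary Device":
        return 0
    if mode == "IP Modulo":
        return ip_modulo(src_ip)
    if mode == "IP Hash":
        return ip_hash(src_ip, dst_ip, seed)
    if mode == "First Packet":
        return first_packet_device
    raise ValueError(f"unknown session setup option: {mode}")


def arp_responder(algorithm: str, requester_ip: str) -> int:
    """ARP Load Sharing: which peer answers the ARP request for the shared address."""
    if algorithm == "IP Modulo":
        return ip_modulo(requester_ip)
    if algorithm == "IP Hash":
        return ip_hash(requester_ip)
    raise ValueError(f"unknown device selection algorithm: {algorithm}")


def distribution(mode: str, hosts: Iterable[str], seed: int = 0) -> Dict[int, int]:
    """Count how a set of source hosts splits across the two peers, to compare
    how evenly IP Modulo and IP Hash spread the session setup load."""
    counts = {0: 0, 1: 0}
    for host in hosts:
        counts[session_setup_device(mode, host, seed=seed)] += 1
    return counts


if __name__ == "__main__":
    # Constructed sample: a /24 of clients behind the shared gateway address.
    clients = [f"192.0.2.{i}" for i in range(1, 255)]
    print("IP Modulo:", distribution("IP Modulo", clients))
    print("IP Hash:  ", distribution("IP Hash", clients, seed=42))
    print("ARP for 192.0.2.7 answered by Device", arp_responder("IP Modulo", "192.0.2.7"))
```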
Operational Commands
Suspend local device (or Make local device functional)
Places the HA peer in a suspended state, and temporarily disables HA functionality on the firewall. If you suspend the currently active firewall, the other peer will take over. To place a suspended firewall back into a functional state, use the following operational mode CLI command:
request high-availability state functional
To test failover, you can either uncable the active (or active-primary) firewall or you can click this link to suspend the active firewall.
