High availability (HA) refers to a system or component that stays operational without interruption for long periods of time. HA is measured as a percentage of uptime; a 100% system is one that experiences zero downtime.
High Availability (HA) Overview
When setting up two Palo Alto Networks firewalls as an HA pair, both peers must run the same PAN-OS version (and be the same model with the same licenses). HA minimizes downtime by making sure a secondary firewall is ready to take over when the active firewall fails. Dedicated HA ports on the firewalls synchronize configuration (objects, policies and network settings) and session state between the active and passive peers. Some firewall-specific configuration is not synchronized, such as the management interface IP address, administrator profiles, log data and the Application Command Center (ACC).
High Availability Modes:
A firewall HA pair can be deployed in one of two modes.
Active/Passive: One firewall actively handles traffic while the other stays synchronized and ready to transition to the active state if the active peer fails. Both firewalls share the same configuration, but only the active one passes traffic. When the active firewall fails, the passive firewall transitions to the active state and takes over. Active/passive (A/P) HA is supported in virtual wire, Layer 2 and Layer 3 deployments.
Active/Active: Both firewalls process traffic and coordinate session setup and session ownership between them. Each firewall maintains its own routing table and synchronizes with its peer. Active/active (A/A) HA is supported in virtual wire and Layer 3 deployments, not Layer 2.
When the active firewall goes down and its peer takes over the role, the event is called a failover. A failover is triggered when hello messages and heartbeats from the peer stop arriving, when a monitored physical link goes down, or when a monitored path stops answering ICMP. Each trigger is explained below:
- Heartbeat polling and hello messages: Hello messages and heartbeat polling verify that the peer firewall is alive and operational. Hello messages carry the firewall's HA state and are sent to the peer at the configured hello interval; the heartbeat is an ICMP ping to the peer over the HA control link.
- Link monitoring: Physical interfaces to be monitored are grouped into link groups and their link state (up or down) is monitored. The group's failure condition decides whether any one link or all links in the group must be down to trigger a failover.
- Path monitoring: Path monitoring sends ICMP pings to verify reachability of configured destination IP addresses. The default ping interval is 200 ms.
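The following model of the three failover triggers is an added example written for this article; it is not Palo Alto code and does not talk to a firewall. The 200 ms path-monitor interval comes from the text above; the hello and heartbeat interval defaults, the ping count of 10 and the miss thresholds are assumptions, and the link states and probe results are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class LinkGroup:
    """Physical interfaces monitored as one link group."""
    name: str
    link_up: Dict[str, bool]        # interface -> True if the link is up
    failure_condition: str = "any"  # "any": one link down fails the group; "all": every link must be down

    def failed(self) -> bool:
        down = [not up for up in self.link_up.values()]
        return any(down) if self.failure_condition == "any" else all(down)


@dataclass
class PathGroup:
    """Destination IPs probed with ICMP. A destination counts as down after
    ping_count consecutive lost probes. 200 ms is the default interval from the
    article; the count of 10 is an assumed default."""
    name: str
    probe_history: Dict[str, List[bool]]  # destination -> probe results, oldest first (True = reply)
    ping_interval_ms: int = 200
    ping_count: int = 10
    failure_condition: str = "any"

    def destination_down(self, dest: str) -> bool:
        recent = self.probe_history[dest][-self.ping_count:]
        return len(recent) == self.ping_count and not any(recent)

    def failed(self) -> bool:
        down = [self.destination_down(d) for d in self.probe_history]
        return any(down) if self.failure_condition == "any" else all(down)

    def detection_time_ms(self) -> int:
        """Worst-case time to notice a dead destination."""
        return self.ping_interval_ms * self.ping_count


@dataclass
class PeerLiveness:
    """Hello messages and heartbeat pings exchanged over the HA control link.
    The interval defaults and miss thresholds below are assumptions of this model."""
    ms_since_hello: int
    ms_since_heartbeat: int
    hello_interval_ms: int = 8000
    heartbeat_interval_ms: int = 1000
    missed_heartbeats_allowed: int = 3

    def peer_unresponsive(self) -> bool:
        hello_lost = self.ms_since_hello > 2 * self.hello_interval_ms
        heartbeat_lost = self.ms_since_heartbeat > self.missed_heartbeats_allowed * self.heartbeat_interval_ms
        return hello_lost or heartbeat_lost


def failover_reasons(peer: PeerLiveness, link_groups: List[LinkGroup], path_groups: List[PathGroup]) -> List[str]:
    """Evaluate all three triggers; an empty list means no failover would fire."""
    reasons = []
    if peer.peer_unresponsive():
        reasons.append("peer: hello/heartbeat lost")
    for lg in link_groups:
        if lg.failed():
            reasons.append(f"link-monitoring: group {lg.name} failed ({lg.failure_condition})")
    for pg in path_groups:
        if pg.failed():
            reasons.append(f"path-monitoring: group {pg.name} failed ({pg.failure_condition})")
    return reasons


def demo() -> Dict[str, List[str]]:
    """Constructed scenarios (sample data, not captured from a firewall)."""
    healthy_peer = PeerLiveness(ms_since_hello=500, ms_since_heartbeat=200)
    dead_peer = PeerLiveness(ms_since_hello=20000, ms_since_heartbeat=20000)
    uplinks = {"ethernet1/1": True, "ethernet1/2": False}                      # one of two uplinks down
    dead_gw = PathGroup("core-gw", {"10.0.0.1": [True] * 5 + [False] * 10})    # 10 straight misses
    flapping_gw = PathGroup("core-gw", {"10.0.0.1": [False] * 9 + [True]})     # 9 misses, then a reply
    return {
        "healthy": failover_reasons(healthy_peer, [LinkGroup("uplinks", {"ethernet1/1": True})], [flapping_gw]),
        "link_any": failover_reasons(healthy_peer, [LinkGroup("uplinks", uplinks, "any")], []),
        "link_all": failover_reasons(healthy_peer, [LinkGroup("uplinks", uplinks, "all")], []),
        "peer_and_path": failover_reasons(dead_peer, [], [dead_gw]),
    }


if __name__ == "__main__":
    for scenario, reasons in demo().items():
        print(f"{scenario:14} -> {reasons or 'no failover'}")
```

The "link_any" versus "link_all" scenarios show why the failure condition matters: with two uplinks and "any", losing one link fails the group and forces a failover even though the firewall still has a working path; with "all", a single link loss is tolerated. The flapping path group shows that nine lost probes followed by one reply does not count as a dead path, so the worst-case detection time is ping interval times ping count.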
Device Priority and Preemption
Firewalls in a High Availability (HA) pair can be configured with a device priority value to express a preference for which firewall should be active. Enable preemptive behavior on both firewalls and configure a device priority on each. The firewall with the lower numerical value, and therefore the higher priority, is designated active and the other acts as the passive firewall. With preemption enabled, a higher-priority firewall that recovers from a failure takes the active role back from its peer; without it, the peer stays active until it fails in turn.
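The election rules above, as an added example (not Palo Alto code) that walks one pair through an initial election, a failure of the preferred firewall and its recovery, once with preemption on and once with it off. The firewall names and priorities are constructed, and the hold timer PAN-OS applies before a recovered firewall preempts is not modeled.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class HaMember:
    name: str
    priority: int        # lower number = higher priority (PAN-OS convention)
    preemptive: bool     # preemption only takes effect when enabled on both peers
    healthy: bool = True


def elect_active(a: HaMember, b: HaMember, current_active: Optional[HaMember] = None) -> Optional[HaMember]:
    """Decide which member should hold the active role.
    - Only one healthy member: it is active.
    - Initial election, or the current active has failed: the healthy member
      with the lower priority value wins.
    - Otherwise the current active keeps the role, unless both peers have
      preemption enabled and the recovered peer has a better (lower) priority."""
    healthy = [m for m in (a, b) if m.healthy]
    if not healthy:
        return None
    if len(healthy) == 1:
        return healthy[0]
    if current_active is None or not current_active.healthy:
        return min(healthy, key=lambda m: m.priority)
    challenger = b if current_active is a else a
    if a.preemptive and b.preemptive and challenger.priority < current_active.priority:
        return challenger
    return current_active


def run_scenario(preemptive: bool) -> List[str]:
    """Constructed timeline: initial election, FW-A fails, FW-A recovers.
    Returns the name of the active member after each step."""
    fw_a = HaMember("FW-A", priority=50, preemptive=preemptive)    # preferred: lower value
    fw_b = HaMember("FW-B", priority=100, preemptive=preemptive)
    active = elect_active(fw_a, fw_b)                # step 1: both healthy, FW-A wins
    timeline = [active.name]
    fw_a.healthy = False
    active = elect_active(fw_a, fw_b, active)        # step 2: FW-A fails, FW-B takes over
    timeline.append(active.name)
    fw_a.healthy = True
    active = elect_active(fw_a, fw_b, active)        # step 3: FW-A recovers; preemption decides
    timeline.append(active.name)
    return timeline


if __name__ == "__main__":
    print("preemptive yes:", run_scenario(True))
    print("preemptive no: ", run_scenario(False))
```

Without preemption the pair settles on whichever firewall is active at the time, which avoids a second traffic interruption right after a recovery; with preemption the configured preference wins, at the cost of that extra failover. Choose deliberately rather than leaving the default.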
Floating IP Address and Virtual MAC Address
In an active/active HA deployment, a floating IP address moves from one HA firewall to the other if a link or firewall goes down. The firewall that currently owns the floating IP answers ARP requests for it with a virtual MAC address, so hosts do not have to relearn the gateway MAC after a failover. Floating IP addresses are recommended when you need Layer 3 redundancy similar to what Virtual Router Redundancy Protocol (VRRP) provides (PAN-OS does not run VRRP itself). They can also be used for VPN endpoints and source NAT.
Also in an active/active configuration, ARP load-sharing lets both firewalls share one IP address and provide gateway services at the same time. Use ARP load-sharing only when there is no Layer 3 device between the firewalls and the end hosts, because the load is split by which firewall answers each host's ARP request.
In an active/active deployment where the firewalls use dynamic routing protocols to determine the best path, no floating IP address is necessary: if a link fails or the topology changes, the routing protocol (RIP, OSPF or BGP) reroutes the traffic.
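To make the ARP load-sharing point concrete, here is an added example (not Palo Alto code) of how two firewalls can split gateway ARP replies for one shared IP without talking to each other per request: both see the broadcast, both run the same deterministic selector on the requester's address, and only the selected owner answers with its own virtual MAC. The IP-modulo selector follows the documented parity rule; the hash selector is an illustrative stand-in and not the hash PAN-OS uses. The MAC addresses and the requester lists are constructed.

```python
import hashlib
import ipaddress
from typing import Callable, Dict, List

Selector = Callable[[str], int]   # requester IP -> device id (0 or 1) that answers the ARP


def ip_modulo_owner(requester_ip: str) -> int:
    """IP Modulo: the answering firewall is chosen by the parity of the ARP
    requester's IP address (device 0 for even, device 1 for odd)."""
    return int(ipaddress.ip_address(requester_ip)) % 2


def ip_hash_owner(requester_ip: str) -> int:
    """Hash-based selection. SHA-256 here is an illustrative stand-in, not
    the hash PAN-OS uses; it only needs to be deterministic on both peers."""
    digest = hashlib.sha256(ipaddress.ip_address(requester_ip).packed).digest()
    return digest[0] % 2


# Constructed, locally administered placeholder virtual MACs for the two peers.
VIRTUAL_MACS = {0: "02:00:00:00:00:0a", 1: "02:00:00:00:00:0b"}


def arp_reply_for(requester_ip: str, shared_gateway_ip: str, selector: Selector) -> Dict[str, str]:
    """Both firewalls receive the broadcast ARP request for the shared gateway
    IP; each evaluates the selector and only the owner replies."""
    owner = selector(requester_ip)
    return {
        "requester": requester_ip,
        "gateway": shared_gateway_ip,
        "answered_by": f"device{owner}",
        "mac": VIRTUAL_MACS[owner],
    }


def served_by(requester_ips: List[str], selector: Selector) -> Dict[int, int]:
    """How many of the given requesters each firewall ends up serving."""
    counts = {0: 0, 1: 0}
    for ip in requester_ips:
        counts[selector(ip)] += 1
    return counts


def subnet_hosts(subnet: str) -> List[str]:
    return [str(h) for h in ipaddress.ip_network(subnet).hosts()]


if __name__ == "__main__":
    hosts = subnet_hosts("192.168.1.0/24")
    print("hosts on the segment, ip-modulo:", served_by(hosts, ip_modulo_owner))
    print("hosts on the segment, ip-hash:  ", served_by(hosts, ip_hash_owner))
    # Caveat from the text: with a router between hosts and firewalls, the router
    # is the only ARP requester, so every flow lands on a single firewall.
    print("router in between:", served_by(["192.168.1.1"], ip_modulo_owner))
    print(arp_reply_for("192.168.1.10", "192.168.1.254", ip_modulo_owner))
```

The last call shows the reason for the "no Layer 3 device in between" rule: the split only happens across distinct requester addresses, so one intermediate router collapses the load onto whichever firewall its address maps to.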
HA Firewall States
Configure Active/Passive HA
Configure Active/Active HA
In high availability (HA), two firewalls are grouped together and their configuration is synchronized so that the firewall is no longer a single point of failure in the network. A heartbeat connection between the peers carries keepalive messages so that a failover takes place when a peer goes down. Deploying two firewalls as an HA pair provides redundancy and helps you meet business-continuity targets such as 99.99% uptime.
Related – IPSec VPN Set Up – Palo Alto