How to reboot Firewalls in High-Availability Mode (Active/Passive)

225383
Created On 09/25/18 19:54 PM - Last Modified 12/14/21 21:59 PM


Environment


  • Palo Alto Firewalls
  • PAN-OS 7.1 and above.
  • High Availability (HA) Configured.


Resolution


Steps

  1. Verify which unit is currently active and which one is currently passive by using the CLI command:
    > show high-availability state
    or in the GUI: Dashboard > High Availability section:
    [Screenshot: Active member] [Screenshot: Passive member]
     
  2. Next, start with rebooting the passive device with the CLI command:
    > request restart system
     
  3. After a couple of minutes, verify that the passive member has fully rebooted and is in a passive state, using the command or WebGUI view from step 1. Once the passive member has been rebooted and you have confirmed its functionality, proceed to manually trigger a failover on the current active member with the CLI command:
    > request high-availability state suspend
    Or from the GUI: Device > High Availability > Operational Commands - click Suspend local device
    [Screenshot: Suspend local device option in the WebGUI]
 
  4. Verify that the firewall is now in a suspended state before rebooting it, and that the passive member has assumed the active position. Run the following CLI command on both firewalls:
    > show high-availability state
    or check the GUI: Dashboard > High Availability, illustrated below.
    [Screenshot: HA status showing Suspended (User requested)]
    At the bottom of the WebGUI, it will also show the current status:
    [Screenshot: HA status indicator at the bottom of the WebGUI]
 
  5. Once the second device has been rebooted, it comes back as "Active". Now the suspended firewall can be put into a functional state using the following CLI command:
    > request high-availability state functional
    Or inside of the GUI: Device > High Availability > Operational Commands - click on Make local device functional
    [Screenshot: Option to make device functional in the WebGUI]

Both devices have now been rebooted and failover functionality has been confirmed.


Note: If the preemptive option is selected, the device with the higher priority (lower number value 0-255) will take over as active and potentially cause an unwanted failover. Please be prepared for this to happen, unless you disable and commit the preemptive option on both firewall members. You can start by rebooting either firewall, but keep this note in mind. The passive member is not currently passing any traffic; therefore, it may be more convenient to reboot this first.

The option is located under GUI: Device > High Availability > General > Election Settings as seen below.

[Screenshot: Election Settings showing the Preemptive option]
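The steps above are easy to get out of order when done by hand across two units, so the following added example (not Palo Alto Networks code, and not part of this article) shows how the same pre-checks can be scripted against the XML API. It parses the XML returned for the operational command `show high-availability state`, decides which member to reboot first, refuses to suspend the active unit until the peer is back in `passive`, refuses to restore the suspended unit until the peer is `active`, and flags the preemption situation described in the Note. The request format `type=op&cmd=...&key=...` is the XML API's operational-command form; the element paths under `<result><group>` (`local-info/state`, `local-info/priority`, `local-info/preemptive`, `peer-info/state`, `peer-info/priority`) are assumptions modelled on the API output, and both sample documents are constructed rather than captured from a firewall.

```python
"""Pre-checks for the HA reboot procedure (added example, not Palo Alto Networks code).

Assumptions: the XML API op command returns <response status="success"><result>
<enabled>..</enabled><group><local-info>..</local-info><peer-info>..</peer-info>
</group></result></response>. The sample documents below are constructed.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# The op command in the XML form the API expects (assumed form of the CLI command).
HA_STATE_CMD = "<show><high-availability><state/></high-availability></show>"

# Constructed sample: what the active member might report before step 3.
SAMPLE_ACTIVE = """<response status="success"><result>
  <enabled>yes</enabled>
  <group>
    <local-info>
      <state>active</state><priority>100</priority><preemptive>yes</preemptive>
    </local-info>
    <peer-info><state>passive</state><priority>110</priority></peer-info>
  </group>
</result></response>"""

# Constructed sample: the same unit after `request high-availability state suspend`,
# once the former passive peer has taken over.
SAMPLE_SUSPENDED = (SAMPLE_ACTIVE
                    .replace("<state>active</state>", "<state>suspended</state>")
                    .replace("<state>passive</state>", "<state>active</state>"))


def op_command_url(host, api_key, cmd_xml):
    """Build the XML API URL for an operational command (type=op&cmd=...&key=...)."""
    return "https://%s/api/?%s" % (host, urlencode({"type": "op", "cmd": cmd_xml, "key": api_key}))


def parse_ha_state(xml_text):
    """Extract local/peer HA state and election settings from the API response."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise ValueError("API call failed: status=%s" % root.get("status"))
    if root.findtext("result/enabled") != "yes":
        raise ValueError("HA is not enabled on this unit")
    group = root.find("result/group")
    if group is None:
        raise ValueError("no <group> element in response")
    return {
        "local_state": group.findtext("local-info/state"),
        "local_priority": int(group.findtext("local-info/priority")),
        "preemptive": group.findtext("local-info/preemptive") == "yes",
        "peer_state": group.findtext("peer-info/state"),
        "peer_priority": int(group.findtext("peer-info/priority")),
    }


def first_to_reboot(ha):
    """Step 2: the passive member passes no traffic, so it is the one to reboot first."""
    if ha["local_state"] == "passive" and ha["peer_state"] == "active":
        return "local"
    if ha["local_state"] == "active" and ha["peer_state"] == "passive":
        return "peer"
    raise RuntimeError("pair is not in a clean active/passive state: local=%s peer=%s"
                       % (ha["local_state"], ha["peer_state"]))


def ok_to_suspend_active(ha):
    """Step 3 pre-check, run on the active unit: suspend only once the peer is back in passive."""
    return ha["local_state"] == "active" and ha["peer_state"] == "passive"


def ok_to_make_functional(ha):
    """Step 5 pre-check, run on the suspended unit: the peer must have taken over as active."""
    return ha["local_state"] == "suspended" and ha["peer_state"] == "active"


def preemption_warning(ha):
    """Note: with preemption enabled, the higher-priority unit (lower number) takes over
    again when it becomes functional, which is a second, possibly unwanted, failover."""
    if ha["preemptive"] and ha["local_priority"] < ha["peer_priority"]:
        return ("preemptive is enabled and local priority %d beats peer priority %d: "
                "expect this unit to become active again after 'state functional'"
                % (ha["local_priority"], ha["peer_priority"]))
    return None


if __name__ == "__main__":
    before = parse_ha_state(SAMPLE_ACTIVE)
    print("request:", op_command_url("fw-a.example.internal", "<API-KEY-PLACEHOLDER>", HA_STATE_CMD))
    print("reboot first:", first_to_reboot(before))
    print("safe to suspend active:", ok_to_suspend_active(before))
    print("warning:", preemption_warning(before))
    print("safe to make functional:", ok_to_make_functional(parse_ha_state(SAMPLE_SUSPENDED)))
```

In practice the script would fetch the XML from each member with the URL built by `op_command_url` and run the check that matches the step you are about to perform; the functions raise or return `False` rather than guessing, so a unit in `non-functional` or `initial` state stops the procedure instead of being suspended or rebooted by mistake.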


