topic Re: Vsys + Failover config (Urgent!) in General Topics

Vsys + Failover config (Urgent!)

qasim02 — Tue, 11 Sep 2018 09:35:18 GMT

Hi,

I am very new to PaloAlto and currently trying to figure out the following:

1. is HA or Failover VSYS specific?

2. if so, how do I find failover/HA config per vsys?

3. How do I setup failover/HA per vsys?

the appliance i am using is PA-3020 software version 7.x.

I will really appreciate your help with this.

Kind regards,

Ali

Re: Vsys + Failover config (Urgent!)

Remo — Tue, 11 Sep 2018 10:13:06 GMT

Hi @qasim02

No, in general the HA failover is not vsys specific, which means in Active/Passive HA all vsys are active on one firewall and in case of a failover they all switch to the other device. With active/active mode you can configure "something" to distribute the vsys over the two devices but with the vsys specific failover it gets tricky.

You can find all the HA related information in the official documentation: https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/high-availability

Btw: in case you are running PAN-OS 7.0.x you should upgrade to at least the latest 7.1.x release because 7.0 is end of life since December 4, 2017. The software end of life dates you can find here: https://www.paloaltonetworks.com/services/support/end-of-life-announcements/end-of-life-summary

Regards,

Remo

PS: What is the "urgent" for in the title? In case of urgent problems you may be should reach out to support (even though the answers in the live community are pretty fast 😉

Re: Vsys + Failover config (Urgent!)

qasim02 — Tue, 11 Sep 2018 10:39:49 GMT

thanks vsys_remo for your swift response.

Just one more question before I let you go. The reason I was asking my original question was that I have been told that currently one of the VSYS i.e VSYS4 is configured with "No Failover" and the task is to reconfigure it to "failover"

I had a brief look and here is my finding on the appliance:

vsys4(active)> show high-availability state

Group 16: abcdef
Mode: Active-Passive
Local Information:
Version: 1
Mode: Active-Passive
State: active (last 205 days)
Last non-functional state reason: Link down
Device Information:
Management IPv4 Address: x.x.x.x/24
Management IPv6 Address:
Mgmt HB Backup configured
Jumbo-Frames disabled; MTU 1500
HA1 Control Links Joint Configuration:
Encryption Enabled: no
Election Option Information:
Priority: 100
Preemptive: yes
Version Compatibility:
Software Version: Match
Application Content Compatibility: Match
Anti-Virus Compatibility: Match
Threat Content Compatibility: Match
VPN Client Software Compatibility: Match
Global Protect Client Software Compatibility: Match
State Synchronization: Complete; type: ethernet
Peer Information:
Connection status: up
Version: 1
Mode: Active-Passive
State: passive (last 205 days)
Last non-functional state reason: Link down
Device Information:
Management IPv4 Address: x.x.x.b/24
Management IPv6 Address:
Mgmt HB Backup Connection up
Jumbo-Frames disabled; MTU 1500
Connection up; Primary HA1 link
Connection up
Election Option Information:
Priority: 200
Preemptive: yes
Configuration Synchronization:
Enabled: yes
Running Configuration: synchronized

Do you this the statemen: configured with "no failover" is true? as form what you said it doesnt look like. if it is, then how I would configure it with failover.

@Remo wrote:
Hi @qasim02

No, in general the HA failover is not vsys specific, which means in Active/Passive HA all vsys are active on one firewall and in case of a failover they all switch to the other device. With active/active mode you can configure "something" to distribute the vsys over the two devices but with the vsys specific failover it gets tricky.
You can find all the HA related information in the official documentation: https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/high-availability

Btw: in case you are running PAN-OS 7.0.x you should upgrade to at least the latest 7.1.x release because 7.0 is end of life since December 4, 2017. The software end of life dates you can find here: https://www.paloaltonetworks.com/services/support/end-of-life-announcements/end-of-life-summary

Regards,
Remo

PS: What is the "urgent" for in the title? In case of urgent problems you may be should reach out to support (even though the answers in the live community are pretty fast 😉

Re: Vsys + Failover config (Urgent!)

Remo — Tue, 11 Sep 2018 10:46:47 GMT

@qasim02

There isn't any "no failover" setting that you can set for a single vsys.

Re: Vsys + Failover config (Urgent!)

reaper — Tue, 11 Sep 2018 10:47:22 GMT

hi @qasim02

there is no 'no failover' settings for vsys in a HA environment

in A/P the entire chassis goes doen if there is a failover (so there is no way for a vsys to 'remain behind')

in A/A you could potentially set something up with dynamic routing that directs specific 'vsys' oriented traffic to either one of the peers, but this is still external to the vsys themselves

Re: Vsys + Failover config (Urgent!)

BPry — Tue, 11 Sep 2018 13:10:13 GMT

@qasim02,

Is it possible that whoever told you vsys4 is setup with 'no failover' was simply refering to Link/Path monitoring not being configured. For example vsys4 is assigned ethernet1/4 and you aren't actually monitoring that interface?

That's the only thing I can think of that they could have said "yup, vsys4 isn't configured for HA". It would be a really bad way of communicating that, but short of them having no idea what they're talking about that's the only solution I can come up with.

Re: Vsys + Failover config (Urgent!)

qasim02 — Thu, 13 Sep 2018 07:55:21 GMT

Thanks Bpry,

you were absolutely right as thats exactly what I discovered upon furthe rinvestigation.

now question is how I should go about enabling link/path monitoring for the interfaces assigned to this Vsys. I know I can find alot of documents online that says it all but nothing beats experience? could you kindly summarise the steps? and what do you think are the main things I should be looking out for?

Kind regards,

Ali

Re: Vsys + Failover config (Urgent!)

BPry — Thu, 13 Sep 2018 15:01:14 GMT

@qasim02,

Link and Path monitoring is pretty easy.

Link Monitoring

Generally I configure a Link Group for each Zone of the vsys, and set the Group Failure Condition to whatever makes the most sense. Do I have a single 10Gb connection to my Trust zone; but it in a Link Group and set the failure condition to any and assign that interface to the link group. If I have 4 interfaces assigned to an aggregate-group for my Datacenter zone I would assign all of those interfaces to a Link Group and would probably want to set the Group Failure Condition to all instead of any.

Path Group

I normally recommend that you monitor a couple hosts within any zone and setup the rules however you would want. Essentially what I'm using Path Group for is ensuring that I might still have a link state of Up, but I want to ensure that I don't have a break further along.