<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic HA clarification with a single ISP in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/ha-clarification-with-a-single-isp/m-p/307803#M79921</link>
    <description>&lt;P&gt;Hi Gang,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Excuse me for my ignorance. We had Palo firewalls literally thrown at us, and instantaneously put into production (not great!).&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I have a pair of Palo's in HA Active/Passive with preemptive enabled on active/primary. These are, in turn, patched to an INET switch (internet handed off via a single ethernet patch cable to this switch).&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;We have HA (device &amp;gt; ha &amp;gt; link and path monitoring) configured for the link and path monitoring:&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;Link group:&lt;UL&gt;&lt;LI&gt;Failure = any&lt;/LI&gt;&lt;LI&gt;Link group = all interfaces&lt;/LI&gt;&lt;/UL&gt;&lt;/LI&gt;&lt;LI&gt;Path monitoring:&amp;nbsp;&lt;UL&gt;&lt;LI&gt;Failure = any&lt;/LI&gt;&lt;LI&gt;Path group = virtual router path with internal and external destination IPs, at 500ms interval and 5 ping count.&lt;/LI&gt;&lt;/UL&gt;&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;Now say the active firewall detects an interface link failure (bear in mind this is an interface that is on the same switch as the secondary). The passive firewall takes over until the primary is ready to preempt over. We are right here.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Now the same scenario but this time, there is a path link failure. Now, let's say something has happened upstream, say the ISP router went down. No pings to, say, public IP addresses 8.8.8.8 and 8.8.4.4, so no internet at all and thus the primary firewall will detect path link failure as per HA. 
The secondary will take over.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;In the scenario mentioned before, I'm not sure what happens:&lt;/P&gt;&lt;OL&gt;&lt;LI&gt;The primary firewall will be passive waiting to preempt when links are back, though the secondary has no internet either, so what happens here?&lt;/LI&gt;&lt;LI&gt;The secondary takes over, though what happens here too (I haven't configured link and path monitoring yet on the passive firewall - should I do so)?&lt;/LI&gt;&lt;LI&gt;Both firewalls are sitting there with no path to the internet. What happens here?&lt;/LI&gt;&lt;LI&gt;What happens with flapping in this case and not a hard path link failure to both firewalls?&lt;/LI&gt;&lt;LI&gt;Do I bother with virtual router path monitoring or rely on HA monitoring?&lt;/LI&gt;&lt;/OL&gt;&lt;P&gt;To make it more confusing, the Palo's are connected to ACI. We are wondering, if the internet is unavailable for both firewalls, could both firewalls shut down all internal-zone-based interfaces so that ACI could detect a failure on the aggregate links to active and passive? In this case, ACI would proceed to remove the static quad route to the firewall pair and insert another route so traffic is routed elsewhere. ACI is tracking external IPs via the Palo to determine failure.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Perhaps I am overthinking this and lost in my mind.&amp;nbsp;I appreciate any sources, knowledge and clarification you all can provide.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Excuse me again for my ignorance.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thank you kindly,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Dan&lt;/P&gt;</description>
    <pubDate>Fri, 24 Jan 2020 10:22:23 GMT</pubDate>
    <dc:creator>mr_almeida</dc:creator>
    <dc:date>2020-01-24T10:22:23Z</dc:date>
    <item>
      <title>HA clarification with a single ISP</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/ha-clarification-with-a-single-isp/m-p/307803#M79921</link>
      <description>&lt;P&gt;Hi Gang,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Excuse me for my ignorance. We had Palo firewalls literally thrown at us, and instantaneously put into production (not great!).&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I have a pair of Palo's in HA Active/Passive with preemptive enabled on active/primary. These are, in turn, patched to an INET switch (internet handed off via a single ethernet patch cable to this switch).&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;We have HA (device &amp;gt; ha &amp;gt; link and path monitoring) configured for the link and path monitoring:&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;Link group:&lt;UL&gt;&lt;LI&gt;Failure = any&lt;/LI&gt;&lt;LI&gt;Link group = all interfaces&lt;/LI&gt;&lt;/UL&gt;&lt;/LI&gt;&lt;LI&gt;Path monitoring:&amp;nbsp;&lt;UL&gt;&lt;LI&gt;Failure = any&lt;/LI&gt;&lt;LI&gt;Path group = virtual router path with internal and external destination IPs, at 500ms interval and 5 ping count.&lt;/LI&gt;&lt;/UL&gt;&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;Now say the active firewall detects an interface link failure (bear in mind this is an interface that is on the same switch as the secondary). The passive firewall takes over until the primary is ready to preempt over. We are right here.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Now the same scenario but this time, there is a path link failure. Now, let's say something has happened upstream, say the ISP router went down. No pings to, say, public IP addresses 8.8.8.8 and 8.8.4.4, so no internet at all and thus the primary firewall will detect path link failure as per HA. 
The secondary will take over.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;In the scenario mentioned before, I'm not sure what happens:&lt;/P&gt;&lt;OL&gt;&lt;LI&gt;The primary firewall will be passive waiting to preempt when links are back, though the secondary has no internet either, so what happens here?&lt;/LI&gt;&lt;LI&gt;The secondary takes over, though what happens here too (I haven't configured link and path monitoring yet on the passive firewall - should I do so)?&lt;/LI&gt;&lt;LI&gt;Both firewalls are sitting there with no path to the internet. What happens here?&lt;/LI&gt;&lt;LI&gt;What happens with flapping in this case and not a hard path link failure to both firewalls?&lt;/LI&gt;&lt;LI&gt;Do I bother with virtual router path monitoring or rely on HA monitoring?&lt;/LI&gt;&lt;/OL&gt;&lt;P&gt;To make it more confusing, the Palo's are connected to ACI. We are wondering, if the internet is unavailable for both firewalls, could both firewalls shut down all internal-zone-based interfaces so that ACI could detect a failure on the aggregate links to active and passive? In this case, ACI would proceed to remove the static quad route to the firewall pair and insert another route so traffic is routed elsewhere. ACI is tracking external IPs via the Palo to determine failure.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Perhaps I am overthinking this and lost in my mind.&amp;nbsp;I appreciate any sources, knowledge and clarification you all can provide.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Excuse me again for my ignorance.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thank you kindly,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Dan&lt;/P&gt;</description>
      <pubDate>Fri, 24 Jan 2020 10:22:23 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/ha-clarification-with-a-single-isp/m-p/307803#M79921</guid>
      <dc:creator>mr_almeida</dc:creator>
      <dc:date>2020-01-24T10:22:23Z</dc:date>
    </item>
    <item>
      <title>Re: HA clarification with a single ISP</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/ha-clarification-with-a-single-isp/m-p/307917#M79929</link>
      <description>&lt;P&gt;So I am assuming you have enabled preempt on the active firewall. Then:&lt;/P&gt;&lt;OL&gt;&lt;LI&gt;The primary firewall will be passive waiting to preempt when links are back, though the secondary has no internet either, so what happens here? So the secondary will take over as Active and there will be an outage as it doesn't have a way out to the internet.&lt;/LI&gt;&lt;LI&gt;The secondary takes over, though what happens here too (I haven't configured link and path monitoring yet on the passive firewall - should I do so)? Till the time you don't have reachability from the second firewall there is no point in configuring it (you can do that by introducing an L2 switch in between the internet router and both of the firewalls).&lt;/LI&gt;&lt;LI&gt;Both firewalls are sitting there with no path to the internet. What happens here? If both the firewalls have path monitoring configured then they will play the Game of HA Dance (bouncing between each other).&lt;/LI&gt;&lt;LI&gt;What happens with flapping in this case and not a hard path link failure to both firewalls? Same as above.&lt;/LI&gt;&lt;LI&gt;Do I bother with virtual router path monitoring or rely on HA monitoring? We use VR path monitoring when we have 2 routes to a destination and we want to remove one when it goes down. In your case, IFF you have 2 default routes out for internet (from 2 ISPs) then you can use that.&lt;/LI&gt;&lt;/OL&gt;</description>
      <pubDate>Fri, 24 Jan 2020 16:53:18 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/ha-clarification-with-a-single-isp/m-p/307917#M79929</guid>
      <dc:creator>lrangra</dc:creator>
      <dc:date>2020-01-24T16:53:18Z</dc:date>
    </item>
    <item>
      <title>Re: HA clarification with a single ISP</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/ha-clarification-with-a-single-isp/m-p/307929#M79932</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/121189"&gt;@mr_almeida&lt;/a&gt;&amp;nbsp;well crafted description of your scenario!&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;At the end of the day there are many layers to an HA configuration meant to provide physical system (FW) resiliency within your environment... the HA configuration is specific to each FW in the HA pair and, with the exception of FW-specific IPs, must match timer/other settings. A couple of things to consider:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;- HA Preempt&lt;/P&gt;&lt;P&gt;Configure this only if you are comfortable with the fact that the problem that caused the HA fail-over to occur is or doesn't have the potential to be intermittent, as that could cause bouncing of the HA pair unnecessarily... the general rule of thumb is to NOT enable HA Preempt so that you can control when to fail-back, if desired, after resolving whatever issue caused the initial fail-over.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;- HA Link Monitoring&lt;/P&gt;&lt;P&gt;This is the best first step in enhancing your HA configuration as you want to control, via Link Groups, the fail-over behavior at the physical layer where you have a failed interface/cable. In this case, if there is an interface/cable issue with the directly connected L2 switch then this configuration will help fail-over appropriately... don't forget to include all your traffic bearing/forwarding links... 
&lt;span class="lia-unicode-emoji" title=":winking_face:"&gt;😉&lt;/span&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;- HA Path Monitoring&lt;/P&gt;&lt;P&gt;If you only have one logical path out, in this case a single upstream ISP router/link, then Path Monitoring thru that will not be very fruitful and will lead to the scenario described by&amp;nbsp;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/119671"&gt;@lrangra&lt;/a&gt;&amp;nbsp;so probably not worth configuring. If you have multiple downstream (internal) paths then you could investigate setting up Path Monitoring for those.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;A couple of good links if need be:&lt;/P&gt;&lt;P&gt;&lt;A href="https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/high-availability/ha-concepts.html" target="_blank"&gt;https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/high-availability/ha-concepts.html&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&lt;A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGNCA0" target="_blank"&gt;https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGNCA0&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;hth!&lt;/P&gt;</description>
      <pubDate>Fri, 24 Jan 2020 18:24:27 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/ha-clarification-with-a-single-isp/m-p/307929#M79932</guid>
      <dc:creator>ddelcourt</dc:creator>
      <dc:date>2020-01-24T18:24:27Z</dc:date>
    </item>
    <item>
      <title>Re: HA clarification with a single ISP</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/ha-clarification-with-a-single-isp/m-p/307930#M79933</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;First off, no need to excuse yourself. Your scenario was well written and very common. The others that replied about what happens in HA fail over are correct. Here are some things I have done in the past.&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;Get a second line from the same ISP with an agreement that only one will be used at a time, usually a small cost&lt;UL&gt;&lt;LI&gt;then get rid of the switch (single point of failure) and plug it into the passive firewall&lt;/LI&gt;&lt;/UL&gt;&lt;/LI&gt;&lt;LI&gt;Get a second ISP that is relatively inexpensive as backup and plug it into either the one switch (single point of failure) or directly into the passive firewall. Obviously if you are hosting sites, etc. this one won't work.&lt;/LI&gt;&lt;LI&gt;Disable path monitoring. Both firewalls will be down anyway, so no need for a fail over (just my opinion).&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;I'm sure others can provide additional thoughts as well.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Cheers!&lt;/P&gt;</description>
      <pubDate>Fri, 24 Jan 2020 18:32:21 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/ha-clarification-with-a-single-isp/m-p/307930#M79933</guid>
      <dc:creator>OtakarKlier</dc:creator>
      <dc:date>2020-01-24T18:32:21Z</dc:date>
    </item>
  </channel>
</rss>