https://live.paloaltonetworks.com/t5/general-topics/active-passive-cluster-link-amp-path-monitoring/m-p/352343#M87172 <P>Hi All,&nbsp;</P><P>&nbsp;</P><P>Referring my prior discussion Subject - "Firmware Updation A-P" , We have below configuration enabled on Link &amp; path monitoring configuration at this moment, have a look on screen shot.</P><P>&nbsp;</P><P>Will this be sufficient to trigger auto failover to Passive , if in case we can disconnect / disabled any of the directly connected interface from Active firewall Unit.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Link and Path Monitoring Screen Shot.jpg" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/27959i926D1CC80C553B03/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Link and Path Monitoring Screen Shot.jpg" alt="Link and Path Monitoring Screen Shot.jpg" /></span></P><P>Thought to ask here to avoid any understanding gap.</P> Sat, 26 Sep 2020 05:32:58 GMT Jimmy20 2020-09-26T05:32:58Z https://live.paloaltonetworks.com/t5/general-topics/active-passive-cluster-link-amp-path-monitoring/m-p/352343#M87172 <P>Hi All,&nbsp;</P><P>&nbsp;</P><P>Referring my prior discussion Subject - "Firmware Updation A-P" , We have below configuration enabled on Link &amp; path monitoring configuration at this moment, have a look on screen shot.</P><P>&nbsp;</P><P>Will this be sufficient to trigger auto failover to Passive , if in case we can disconnect / disabled any of the directly connected interface from Active firewall Unit.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Link and Path Monitoring Screen Shot.jpg" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/27959i926D1CC80C553B03/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Link and Path Monitoring Screen Shot.jpg" alt="Link and Path Monitoring Screen Shot.jpg" /></span></P><P>Thought to ask here to avoid any understanding gap.</P> Sat, 26 Sep 2020 05:32:58 GMT https://live.paloaltonetworks.com/t5/general-topics/active-passive-cluster-link-amp-path-monitoring/m-p/352343#M87172 Jimmy20 2020-09-26T05:32:58Z https://live.paloaltonetworks.com/t5/general-topics/active-passive-cluster-link-amp-path-monitoring/m-p/352390#M87177 <P>&nbsp;</P> <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/144686">@Jimmy20</a>&nbsp;</P> <P>&nbsp;</P> <P>You need to add the Ingress and Egress of the PA in the Link group.</P> <P>We have single link to ISP and Linkagg to switch with 2 ports.</P> <P>So in our case our Link group has 3 Interfaces and if anyone of those fails it will trigger the failover.</P> <P>&nbsp;</P> <P>Regards</P> Sun, 27 Sep 2020 01:57:03 GMT https://live.paloaltonetworks.com/t5/general-topics/active-passive-cluster-link-amp-path-monitoring/m-p/352390#M87177 MP18 2020-09-27T01:57:03Z https://live.paloaltonetworks.com/t5/general-topics/active-passive-cluster-link-amp-path-monitoring/m-p/352394#M87178 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/144686">@Jimmy20</a>&nbsp;,</P><P>&nbsp;</P><P>As&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/75039">@MP18</a>&nbsp;briefly explained - no, your setup is not sufficient to trigger failover. You have two "components" - to define conditions for the failover and to tell the firewall to use these conditions for failover. From the image you provide you have enabled the link and path monitor, but you have not configured any conditions, no interface to monitor.&nbsp;</P><P>&nbsp;</P><P>It is good to mention the purpose of both link and path monitor. Link monitor will trigger failover if there is an issue with firewall interface, either if you disconnect it or there is no physical signal over the connected cable. Path monitor go beyond just looking at the physical state of your interfaces. With path monitor firewall will try to ping provided IP address trying to confirm that all three layers are up and running (imagine you have virtual fw, its interfaces way never go down, but there is not connectivity with its directly connected router, link monitor will not work here, but rather path monitor).</P><P>&nbsp;</P><P>Link Monitor gives you very granular control over the condition when to trigger failover. If you notice you need to configure "Link group" in which you can group the physical interfaces in your interest. You need to select group failure condition, this means how many of the interfaces in the group needs to be down to consider the whole group as down.&nbsp; You can have multiple groups, so that is why you have "global" failure condition where you need to tell how many of your groups needs to be marked as down to trigger failover. How to group your interfaces and how to select the group and global&nbsp; failure condition depends on your setup.&nbsp;</P><P>&nbsp;</P> Sun, 27 Sep 2020 07:46:34 GMT https://live.paloaltonetworks.com/t5/general-topics/active-passive-cluster-link-amp-path-monitoring/m-p/352394#M87178 aleksandar.astardzhiev 2020-09-27T07:46:34Z