topic Re: Issue in HA link monitoring in General Topics

Issue in HA link monitoring

Joshan_Lakhani — Tue, 06 Apr 2021 16:40:17 GMT

Hi,

ISP Primary>>Fortigate Active >> Paloalt Active

ISP Standby >>Fortigate Passive >> Paloalto Passive

we have ISP is connected with FortiGate Active Firewall and FortiGate which is directly connected with Paloalto Active Firewall same as ISP standby is connected with Fortigate Passive Firewall which directly connected with Paloalto Passive firewall.

As we have configured the link monitoring between Paloalto and fortigate. For any reason, if FortiGate is not working then it’s shifts their traffic from FortiGate active to FortiGate passive firewall and also shifts their traffic Paloalto active firewall to Paloalto passive firewall.

Now our query is that if we make forcefully do the FortiGate active to the passive firewall. Will the Paloalto firewall changes their state from active to passive or not.

Re: Issue in HA link monitoring

nikoolayy1 — Wed, 07 Apr 2021 09:58:00 GMT

If the palo Alto path monitoring is to a floating/VRRP etc. IP address on the fortigate (or the ip address on something else after the fortigate) and you make so that this ip is only reachable by the path monitoring using routing and security only when the fortigate next to the palo alto is active. In other words the path monitoring icmp probes should only work on left active palo alto firewall, when the fortigate on the left is also active.

Re: Issue in HA link monitoring

Joshan_Lakhani — Wed, 07 Apr 2021 11:23:03 GMT

@nikoolayy1

My question is that if i forcefully change the state fortigate active firewall to passive firewall.Did paloalto will change there status automatically from active to passive or not.

Re: Issue in HA link monitoring

nikoolayy1 — Wed, 07 Apr 2021 11:38:06 GMT

This is not a specific Palo Alto question as it depends if you have set up the path monitoring IP correctly and the routing and security but that is the idea of path monitoring to switch between firewalls being active or passive:

https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-web-interface-help/device/device-high-availability/ha-link-and-path-monitoring.html

Re: Issue in HA link monitoring

Joshan_Lakhani — Thu, 08 Apr 2021 05:06:47 GMT

@nikoolayy1

Thank for your message.

In case the path monitoring is configured with the PA IP of the port which is connected to FG as source and 8.8.8.8 as destination , when FG become slave the PA connected port to FG will not be able to reach the 8.8.8.8 and then the PA become slave .

Can that be done with Path monitoring ? if yes please suggest

Re: Issue in HA link monitoring

nikoolayy1 — Thu, 08 Apr 2021 10:05:12 GMT

It sounds good if the passive fortigate blocks the traffic to (8.8.8.8) as I am not fortigate expert but be carefull even when the connected fortigate to palo alto becomes passive if there is dunamic routing and so on it is possible the icmp health monitor probes to go from Palo Alto firewall to the other fortigate that is active and the palo alto will not failover.

If the path is as in the picture and for the active palo alto to reach 8.8.8.8 when the fortigate that is on top of it failovers then the active firewall will send the icmp to the standby palo alto firewall and it will be discarded and the path monitoring failover will work.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClcACAS

You only need to make certain that there are no other network paths that you have noshow in the provided picture for the palo Alto firewall icmp probes.

Re: Issue in HA link monitoring

OtakarKlier — Thu, 08 Apr 2021 21:34:09 GMT

Hello,

Just curious as to why you have two firewalls in line like this? I know it was a practice back in the day. However with a properly licensed and configured Palo Alto, you dont need this.

Regards,