Enable palo alto preempt or not?

Reply
L2 Linker

Enable palo alto preempt or not?

Hi. 

I was just wondering what most of you people do regarding preempt option for A/P clusters. 

(and perhaps also some pointers regarding the different timers you can set, etc )

 

Main reasonis that the discussion to use preempt or not to use preempt comes up once and a while with customers and with coworkers. 

so what are some of you guys' findings on the feature. 

so far I have:

preempt is great if you have a not fully symetrical setup( eg the internet line has lesser bandwidth on location b, or not all servers are redundantly setup, etc)

 

a con that get mentions ( but not yet heard anyone having issues with) is the possibility of flapping due to ongoing issues at the main site as you have no control over the failback action. it's automatic

 

A pro argument for not using preempt I hear a lot is that people/it admins want to control everything and want to know when they fail back( preferably do it manually) and don't want the firewall to do this automatically.

but I'm nor sure if in these times of automation, scripting, etc that is actually a valid point. 
(I'm also fairly certain a lot of these admins if they manage more then 20 firewalls in panorama like this there will probably be a few running on the secondary node because they haven't noticed yet.)

 

 

As you may have guessed I'm currently all for enabling preempt on our firewalls. 

main reason being: our setup is largely symetrical. however a few exceptional cases in our DC aren't duplicated in our secondary dc. 

I also know we don't have the human resources to check the firewalls each time and log cases/resolve firewalls that failed over to our secondary dc. 
however it never hurts to also get other's opinion/experiences. 


 

so who's pro/con and why basically?

 

Tags (2)
L7 Applicator

Re: Enable palo alto preempt or not?

@TommieVanHove,

As you've already mentioned the pros of utilizing preempt essentially come in when you are in a degraded state on your secondary cluster member. This could be because it's a longer path for the majority of your traffic, the connection speeds are different, you have single-homed devices running off of one firewall, or simply because you want all the logs on one firewall if you are only utilizing local logging.

Apart from the above, there is little benefit of actually enabling preempt and failing the connection back to the primary unit in most enviroments, other than knowing you are working on the 'active' firewall instead of the passive firewall. If you utilize Panorama or better yet a SIEM to collect all your logs in a singular location, and all of your links are exactly the same it doesn't really matter if your firewall fails over to your secondary node or not, so in that case preempt only really has the risk of flapping between units without any benefit. 

 

I manage some environments where I leave preempt enabled for one reason or another, usually due to geographical disparity and pathing issues, and some environments were it isn't enabled because it would litterally give me 0 benefit. You just have to make the decission on a case-by-case basis with the complete knowledge of the environment you are functioning in. 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!