How does link monitoring work in High Availability?


L0 Member

Hi All,

 

I am working on the following HA design -

 

(Vendor - PAN) 40 Gig PRD Firewalls Topology (1).jpg

 

 

 

As you can see above, each firewall will have two interfaces connected to Juniper routers on the inside and outside zones. The firewall peers will also be directly connected to each other for the HA links. 

 

The plan is to use Active/Passive deployment and I am trying to figure out if this design can be achieved without any Layer 2 switches. The main question I have is around exchange of hello messages and link monitoring. How do the firewall peers exchange these messages if there is no L2 switch in the topology? Is that done over HA links?

 

Would this design not work due to the missing L2 switch?


L7 Applicator

Link monitoring and path monitoring are about watching the connection status between the PA and the connected device. This is not about monitoring the status of the HA pair. It does not matter what the connected device is.

 

So when you configure link monitoring you are watching for the link status between the PA and the other device going link down.  

 

Path monitoring is using the selected link to run the ping test and can detect failures upstream of the actual link failure.  The link can be link up but not able to reach the internet for example because of failures beyond the link itself.  But this is testing the path to the rest of the network or upstream and not the HA status of the two devices.

 

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

Thanks Steve. But how is the PAN firewall exchanging the link status information? Are they running any tests across those interfaces or do they simply exchange the link up/down status over the HA links?

All exchanges of information between HA members is via the HA links.

 

The tests are run on the firewall connected to the link under test.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
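
The behaviour described in the replies above, as an added sketch that is not part of the original thread and is not PAN-OS code: each firewall checks its own monitored links and runs its own path pings, and only the resulting status crosses the HA link, so no shared Layer 2 segment between the data interfaces is involved. The interface names, the monitored address 192.0.2.1, the rule that any monitored failure marks a unit unhealthy, and the failover policy are assumptions made for this model.

```python
# Added illustration: a simplified model of HA monitoring, not PAN-OS code.
from dataclasses import dataclass, field

@dataclass
class Firewall:
    name: str
    links: dict                                   # monitored interface -> carrier up?
    paths: dict = field(default_factory=dict)     # monitored IP -> ping answered?

    def failed_links(self):
        # Link monitoring: local physical state of this firewall's own ports.
        return sorted(i for i, up in self.links.items() if not up)

    def failed_paths(self):
        # Path monitoring: results of pings sent by this firewall itself.
        return sorted(ip for ip, ok in self.paths.items() if not ok)

    def ha_status(self):
        # The only thing the peer learns, carried over the HA link.
        failed = self.failed_links() + self.failed_paths()
        return {"from": self.name, "healthy": not failed, "failed": failed}

def elect_active(active, passive):
    # Assumed policy: fail over only when the active unit reports a monitored
    # failure and the passive unit reports none.
    a, p = active.ha_status(), passive.ha_status()
    return passive.name if (not a["healthy"] and p["healthy"]) else active.name

def run_scenarios():
    ports = ["ethernet1/1", "ethernet1/2"]        # constructed interface names
    def fw(name, down=(), unreachable=()):
        return Firewall(name, {p: p not in down for p in ports},
                        {"192.0.2.1": "192.0.2.1" not in unreachable})
    return {
        "all_healthy": elect_active(fw("fw-a"), fw("fw-b")),
        "link_down": elect_active(fw("fw-a", down=["ethernet1/1"]), fw("fw-b")),
        "link_up_path_down": elect_active(fw("fw-a", unreachable=["192.0.2.1"]), fw("fw-b")),
        "both_failed": elect_active(fw("fw-a", down=["ethernet1/1"]),
                                    fw("fw-b", down=["ethernet1/2"])),
    }

if __name__ == "__main__":
    for name, active in run_scenarios().items():
        print(f"{name}: active = {active}")
```

The `link_up_path_down` case is the one link monitoring alone would miss: every port still has carrier, but the path ping fails and the unit reports itself unhealthy to its peer.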

Hi. I have this issue:
I have several interfaces under link monitoring on my active PA firewall. I want to know what the normal behavior is if I configure the same links on the passive firewall. My real question is: must I configure the same link monitoring on both firewalls, or do I just need to configure it on the active firewall?
I am so confused; your help and comments will be very appreciated.
TIA

Hi,

 

Configuring it on the active device should be OK as this will be replicated to the standby device.

 

Thanks
