Next to a project that I have to achieve in some days, I've been searching for an answer to my questions that I haven't found.
That's why I try here now and I hope you will be able to assist me :)
Due to a UPS maintenance, I will have to unplug our two Palo Alto from power. We have two Power Domains, so one PA is on a PD and the other one is on another PD.
I would like to be the cleanest possible to provoke the failover from the Active PA (that I will have to unplug from power) to the other PA that will stay in service during this time. I've been thinking that making a Graceful shutdown of the Active PA before unplugging it from power can be a good idea.
My question(s):
- Is the graceful shutdown a good idea?
- Will the passive unit take the lead when I execute the graceful shutdown on the active?
In advance many thanks and feel free to tell me if I'm not clear.
Have a nice day !
A graceful shutdown will certainly work, especially if you're going to need to power down anyway. Alternatively you can suspend the active device:
admin@myNGFW> request high-availability state suspend
In both cases the passive unit will assume the active role (do a quick 'show session all' on the passive unit to ensure it is properly receiving session information from the active peer)
Wow, that was quick, thank you :)
OK, so now I feel safer; also, thank you for your alternative.
A very last question: Is there a best practice regarding my kind of operation? (To have the smoothest experience possible and the least disruption time possible)
Or is what we talked about already sufficient?
Thanks again for your quickness and good afternoon !
I guess your situation leans closely to the PAN-OS upgrade process, for which there are best practices: https://live.paloaltonetworks.com/t5/Featured-Articles/Best-Practices-for-PAN-OS-Upgrade/ta-p/111045
similar steps, using the suspend method
what physically happens when the active device is suspended or shut down:
- the active should already have synced its active sessions over to the passive device so it can continue processing existing sessions
- the passive device brings its interfaces online
- once interfaces are up, sends out a gratuitous ARP to inform all neighbours it is now in charge of the MAC addresses associated with your cluster
- neighbours start sending all packets to passive device
- passive device starts creating new sessions for all SYN packets received, continues processing packets for existing sessions