Is Graceful shutdown a good idea to invoke Failover ?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Is Graceful shutdown a good idea to invoke Failover ?

L1 Bithead

Hello,

 

Next to a project that I have to acheive in some days, i've been searching for a answer to my questions that I haven't found.
That why I try here now and I hope you will be able to assist me 🙂

 

Due to a UPS maintenance, I will have to unplug our two Palo Alto from power. We have two Power Domain, so one PA is on a PD and the other one is on another PD. 

I would like to be the cleanest possible to provoke the failover from the Active PA (that I will have to unplug from power) to the other PA that will stay in service during this time. I've been thinking that making a Graceful shutdown of the Active PA before unplugging it from power can be a good idea.

 

My question(s) :

- Is the graceful shutdown a good idea ?

- Will the passive unit take the lead when I will make the graceful shutdown executed on the active ?

 

In advance many thanks and feel free to tell me if i'm not clear.
Have a nice day !
Franck

2 accepted solutions

Accepted Solutions

Cyber Elite
Cyber Elite

Hi Franck

 

A gracefull shutdown will certainly work, especially if you're going to need to power down anyway. Alternatively you can suspend the active device

admin@myNGFW> request high-availability state suspend 

In both cases the passive unit will assume the active role (do a quick 'show session all' on the passive unit to ensure it is properly receiving session information from the active peer)

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

View solution in original post

Hi Franck

 

I guess your situation leans closely to the PAN-OS upgrade process for which there is a best practices : https://live.paloaltonetworks.com/t5/Featured-Articles/Best-Practices-for-PAN-OS-Upgrade/ta-p/111045

 

similar steps, using the suspend method

 

 

what physically happens when the active device is suspended or shut down:

- the active should already have synced it's ctive sessions over to the passive device so it can continue processing existing sessions

- the passive device brings its interfaces online

- once interfaces are up, sends out a gratuitous ARP to inform all neighbours it is now in charge of the MAC addresses associated with your cluster

- neighbours start sending all packets to passive device

- passive device starts creating new sessions for all SYN packets received, continues processing packets for existing sessions

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

View solution in original post

5 REPLIES 5

Cyber Elite
Cyber Elite

Hi Franck

 

A gracefull shutdown will certainly work, especially if you're going to need to power down anyway. Alternatively you can suspend the active device

admin@myNGFW> request high-availability state suspend 

In both cases the passive unit will assume the active role (do a quick 'show session all' on the passive unit to ensure it is properly receiving session information from the active peer)

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Wow, that was quick, thanks you 🙂

 

Ok so now I feel more safe, also thanks you for your alternative.
A very last question : Is there a best practice regarding my kind of operation ? (To have the smoothier experience possible and the less disruption time possible)

Or what we talk is already sufficient ?

Thanks again for your quickness and good afternoon !

Hi Franck

 

I guess your situation leans closely to the PAN-OS upgrade process for which there is a best practices : https://live.paloaltonetworks.com/t5/Featured-Articles/Best-Practices-for-PAN-OS-Upgrade/ta-p/111045

 

similar steps, using the suspend method

 

 

what physically happens when the active device is suspended or shut down:

- the active should already have synced it's ctive sessions over to the passive device so it can continue processing existing sessions

- the passive device brings its interfaces online

- once interfaces are up, sends out a gratuitous ARP to inform all neighbours it is now in charge of the MAC addresses associated with your cluster

- neighbours start sending all packets to passive device

- passive device starts creating new sessions for all SYN packets received, continues processing packets for existing sessions

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Perfect ! Thanks a lot again reaper !

If you have GUI access and prefer to use it the same command via CLI is also in the GUI

 

 

HA_Command.JPG

  • 2 accepted solutions
  • 4134 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!