I have a pair of PA3220 firewalls in my environment. I configured Active/Passive for High Availability and I configured a Link Monitoring condition to trigger the failover. However, I still don't clearly understand the behavior of PA HA.
I configured a Link Monitoring Group on both firewalls as below:
- Name INSIDE
- Condition ANY
+ Interfaces E1/1
+ Interfaces E1/2
I tried disconnecting E1/1 on PA01 and the failover triggered (active on PA02). Then I disconnected ports E1/1 and E1/2 on PA02. The active state is still on PA02 even though port E1/1 on PA01 is UP. I'm not sure, does PA compare the link status between HA?
Where are the e1 and e2 interfaces in your diagram? Also, are all 4 of those devices firewalls? Just trying to get the bigger picture.
Have you combined both interfaces in the same group (as the group will carry the same 'weight' if one interface is down or all of them)?
In your scenario, I think you'll need to create 2 groups, each with 1 interface.
Can you elaborate on the scenario again, as it seems very confusing? Ideally this should not happen. Please re-check the configuration and priority on the PA02 link interface; a priority difference could be the reason for this.
You can also check HA logs to get the exact reason for this behavior of PA-HA.