Session Ownership in Active/Active HA scenario

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Session Ownership in Active/Active HA scenario

L1 Bithead

Hi There,

 

I will be greatful if anyone can please help me to understand the below which is taken from  https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-admin/high-availability/session-owner.html

 

 

"You configure the session owner of sessions to be either the firewall that receives the First Packet of a new session from the end host or the firewall that is in active-primary state (the Primary device). If Primary device is configured, but the firewall that receives the first packet is not in active-primary state, the firewall forwards the packet to the peer firewall (the session owner) over the HA3 link.
The session owner performs all Layer 7 processing, such as App-ID, Content-ID, and threat scanning for the session. The session owner also generates all traffic logs for the session.
If the session owner fails, the peer firewall becomes the session owner. The existing sessions fail over to the functioning firewall and no Layer 7 processing is available for those sessions. When a firewall recovers from a failure, by default, all sessions it owned before the failure revert back to that original firewall; Layer 7 processing does not resume."
 
Doubt -
1. If we configure one of the primary firewall as session owner which means as per the above stated content, the secondary firewall will pass the packet to session owner all the time, in that case what exactly secondary firewall is doing?
 
2. when the session owner failover happens, Is that existing sessions from the previous session owner will pass to the new one but layer 7 processing will not happen? I am not getting the point "Layer 7 processing does not resume"
 
Sorry in advance if you find this question silly.
 
Ta,
2 REPLIES 2

Cyber Elite
Cyber Elite

1. in that case the secondary firewall acts as a 'dumb' gateway: it will send and receive packets but all decisions are made on the active-primary. If the primary were to fail it will start inspecting again

 

2. Because the 'other' (primary) firewall was doing all the inspection, when there is a failover the secondary firewall will be able to resume the sessions because it is aware of the session table, but it cannot resume scanning as it is not aware of the scanning process while the session is being scanned remotely and cannot be 'started' mid-session

 

not silly questions, important considerations when weighing A/A vs A/P

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Thanks for this topic and reply.  It now makes sense that in a failover event, the single active firewall will not create new sessions on the dead firewalls NAT tables bound by Group ID.  This is because once it hands them back, L7 filtering would be unavailable on any sessions created during the failover event.

 

https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-web-interface-help/policies/policies-nat/nat-act...

 

  • 4452 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!