Understanding Preemption with the Configured Device Priority in HA Active/Passive Mode


Overview

When two Palo Alto Networks firewalls are deployed in an active/passive cluster, the device priority must be configured. The device priority decides which firewall preferably takes the active role and which takes the passive role when both firewalls boot up and become functional for the first time. A separate option, "Preemption", influences this behavior depending on whether it is enabled or disabled.

Details

When the Palo Alto Networks firewall cluster (Primary and Secondary) boots up for the first time, the device with the higher priority (lower numerical value) takes the active role and the device with the lower priority (higher numerical value) takes the passive role, regardless of whether the Preemption option is enabled or disabled. See the diagram below:

[Diagram: 1.png]

With Preemption Enabled

The Preemption option must be enabled on both Palo Alto Networks firewalls, as shown in the diagrams below.

  1. If the primary firewall fails, the secondary firewall takes the active role and starts to forward the traffic.
     [Diagram: 2.png]
  2. When the primary firewall comes up, it immediately resumes the active role, as it is the device with the higher priority (lower numerical value).
     [Diagram: 3.png]

With Preemption Disabled

  1. If the primary firewall fails, the secondary firewall takes the active role and starts to forward the traffic.
     [Diagram: 4.png]
  2. When the primary firewall comes up, it does not resume the active role even though it has the higher priority setting. The device currently in the active role remains the active firewall; in this case, the secondary firewall stays active.

[Diagram: 5.png]

The device priority and Preemption are configured under Device > High Availability > General > Election Settings, as shown below:

[Screenshot: 8.JPG]

Summary

  • During the first boot, the device with the lowest value (higher priority) becomes active
  • During the first boot, the device with the highest value (lower priority) becomes passive
  • When Preemption is enabled and a device reboots, the device with the lowest value becomes active
  • When Preemption is disabled and a device reboots, the device that was active earlier keeps the active role regardless of the configured priority
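The election rules above, written out as a small Python model so the three scenarios (first boot, failover, recovery with and without preemption) can be traced step by step. This is an added example, not code from the original article or from Palo Alto Networks; the class and method names are assumptions, and preemption is treated as effective only when enabled on both peers, as the article requires (a mismatched configuration is not modelled).

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Firewall:
    name: str
    priority: int        # 0-255; the lower the value, the higher the priority
    preemptive: bool     # Device > High Availability > General > Election Settings
    up: bool = True

    def __post_init__(self):
        # Any value from 0 to 255 takes part in the election.
        if not 0 <= self.priority <= 255:
            raise ValueError("device priority must be between 0 and 255")


@dataclass
class HaPair:
    """Hypothetical model of the active/passive election behavior described above."""
    a: Firewall
    b: Firewall
    active: Optional[str] = None   # name of the device currently holding the active role

    def _peers(self):
        return {self.a.name: self.a, self.b.name: self.b}

    def _higher_priority(self, candidates: List[Firewall]) -> str:
        # The lowest numerical value wins the election.
        return min(candidates, key=lambda fw: fw.priority).name

    def first_boot(self) -> str:
        """Both devices boot for the first time: priority alone decides, preemption is irrelevant."""
        self.active = self._higher_priority([self.a, self.b])
        return self.active

    def fail(self, name: str) -> Optional[str]:
        """The named device goes down; the surviving peer takes over the active role."""
        peers = self._peers()
        peers[name].up = False
        survivors = [fw for fw in peers.values() if fw.up]
        self.active = survivors[0].name if survivors else None
        return self.active

    def recover(self, name: str) -> Optional[str]:
        """The named device comes back up; it reclaims the active role only if preemption is on."""
        self._peers()[name].up = True
        if self.a.preemptive and self.b.preemptive:
            self.active = self._higher_priority([self.a, self.b])
        # With preemption disabled, whichever device is active simply stays active.
        return self.active
```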

owner: dantony

Comments

What if one device has a priority of 0 and the other has a priority of 100? Does the device with the priority of 0 participate in the HA election?

Hello Ashwin,

Must say, a very smart question :smileyhappy: Yes! It will still participate in the HA election; any value between 0 and 255 is applicable.

Hi,

Is there a way to enable/disable preemptive from the CLI? 

The CLI format is:

set deviceconfig high-availability group 1 election-option preemptive yes

You need to adjust the group number to match the cluster configuration.

Preemption is not a setting that is synchronized between HA peers, so it would be interesting to have you describe the behaviors in different scenarios that would be observed if preemption is incorrectly configured (enabled in one device and disabled in another). It would make this article complete.


To be specific, in my example, preemption is enabled in both devices, but the one with higher priority (lower numerical value) is in a failure state (it will crash after a few minutes of booting up). I want to know if disabling Preemptive in the Active device that currently has lower priority (higher numerical value) would prevent the Active role from being given to the failing device upon boot up.

I feel like I should share my experience related to HA preemption since it caused me some grief.


Keep in mind that this whole article is written with respect to how firewalls will behave on bootup. If both firewalls are fully booted up, but not yet connected with HA links, the failover and preemption will behave a bit differently from what is described in this article.


In my case, I had two firewalls that were not connected with HA, and both were fully booted up and running. One firewall was active and passing traffic, the other was new. I had preemption disabled on both firewalls. When I connected the new firewall with HA to the active one, the new firewall assumed active because its priority was higher (lower number). This was undesirable in my case.

Just know that disabled preemption doesn't mean an active firewall will stay active.