HA Active/Passive Best Practices

• Palo Alto Firewall.
• PAN-OS 8.1 and above.
• Active / Passive High Availability (HA) Configuration

Connecting HA1 and HA2 – Active/Passive

• Use dedicated HA interfaces on the platforms.
• If the firewalls are in the same site/location. Connect HA1 and HA2 links back to back. This helps in convergence.
• Always connect backup links for HA1 and HA2
• HA2 interface should be of higher bandwidth than HA1.
• Recommend HA Heartbeat backup.

Configuring HA settings - Passive Link Settings

HA timers

HA to act on Network Failures – Link and Path Monitoring

• Enable both Link and path monitoring.
• Link Monitoring  - Monitor all important links for which you need a failover to happen when the link goes down..
• Path Monitoring -  Monitor more than one path (prefix). Just do not depend on one path.

Networking– Best Practices

• Graceful Restart (GR) is enabled by default on BGP and OSPF. GR functionality should be enabled on the neighboring routers as well for it to work.
• GR helps maintain the forwarding tables during switchover and does not flush them out. This is a way faster mechanism than depending on the routing protocol to converge.
• If Aggregate Ethernet interfaces (Port Channels) with LACP are used then enable LACP pre-negotiation feature to speed up convergence + passive link state to auto.
• The LACP pre-negotiation feature helps by sending LACP messages out on the passive FW port-channel and bring the AE link up beforehand to help in fast failover.