High Availability - HA Heartbeat Backup

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.
Audit
Last Reviewed: 09-15-2023 12:55 AM
Audited By: kiwi
L4 Transporter
50% helpful (1/2)

High Availability - HA Heartbeat Backup

 

 

If HA1 and HA1-backup are configured with data plane ports then Heartbeat backup is needed. If Management port is used as HA1 bkup then Heartbeat backup is not needed.

 

For additional resources regarding BPA, visit our LIVEcommunity BPA tool page.
View videos regarding BPA Network best practice checks.
View videos regarding BPA Policies best practice checks.
View videos regarding BPA Objects best practice checks.
View videos regarding BPA Device best practice checks.
You may also view other BPA video playlist on the LIVEcommunity YouTube channel.
Rate this article:
Comments
L0 Member

Why, though? What's the reason that using management ports for a Control Link makes Heartbeat Backup not needed, or put another way, why does not using a management ports for a Control Link make Heartbeat Backup advantageous or necessary?

L2 Linker

@ChrisSutton Great question Chris. 

The reason for this is in the event the interface used for HA1 goes down there's an alternate interface (management backup) to send heartbeats and keep HA stable. Think of the scenario where you have a layer 2 switch connected in between two active/passive members and the switch loses power, HA1 would go down and you would have a split brain scenario for HA.
In summary, it's for increasing HA stability depending on how your network is setup.
Please feel free to read more about it on the High Availability documentation. 
L2 Linker

What is the result if Heartbeat Backup is enabled AND Management port is used as HA1 backup?

L0 Member

Does anyone know if I am able to see the same status information I see on the HA Widget for the 'Heartbeat backup' up or down, via the cli as a show HA .... ... status command of some sort? I am not finding it via # show high-availability all or # show high-availability state.

I need to be able to find this information in a large batch of firewalls for an audit. Thanks.

L0 Member

I agree with Chris but to put his question another way:

  • Why are HA1A and HA1B Ports Data Plane ports in the first place? If their purpose is configuration synchronisation and high-avaliability control which are fairly low end tasks why not have them controlled via the Management Plane (and hence the Management CPU) in the first place?
  • Are AUX-1 and AUX-2 ports also Data Plane Ports?
  • What's the reasoning behind having all these ports in the Data Plane and then having an optional feature called Heartbeat Backup that ends up having the part of the same process occur over a Management Plane port? And if the Mgmt port is the only Management plane port you can use for HA why is this feature optional? What would be the situation or justification for turning it off? Or is the only reason it is optional is because on some platforms there is no dedicated HA1 ports therefore the MGMT port is often used for HA1 and it is unnecessary to also have Heartbeat Backup enabled?
  • If using the Mgmt port for HA works well and never causes issues why have these dedicated HA1 ports at all and if it doesn't work well then why even support HA on platforms without the HA1 ports? Wouldn't it just be easier to have Heartbeat backup enabled on by default and let the software determine if Mgmt port is being used for HA1 or HA1 Backup (simple configuration check) and if it is silently disable Heartbeat backup automatically? Are we simply giving the user unnecessary choice and then blaming them for making the wrong choice?

Hi @ChrisSutton , @kevin-john ,

 

Heartbeat BackupUses the management ports on the HA firewalls to provide a backup path for heartbeat and hello messages. The management port IP address will be shared with the HA peer through the HA1 control link. No additional configuration is required.

 

If you configure your HA1 to use management interface.

Astardzhiev_0-1673885229243.png

It doesn't make any sense to configure the same management interface for backup, right? That is why if you do that (select management for HA1 and enable "Heartbeat backup"), you will receive commit warning.

 

Q: Why are HA1A and HA1B Ports Data Plane ports in the first place?

A: It depends on the device you are using. Smaller devices does not have any dedicated HA interfaces (no HA1 nor HA2/hsci), for example PA-400 series, or PA-220. So if you plan to use HA on those devices, you will need to/must reserve dataplane interface for HA1 and HA2.

 

Q: What's the reasoning behind having all these ports in the Data Plane and then having an optional feature called Heartbeat Backup that ends up having the part of the same process occur over a Management Plane port?

A: As mentioned above "Heartbeat Backup" will use the dedicated management interface as backup path for HA heartbeats and hello packets (I am not sure if config sync is performed in this case, compared to using HA1-B)

 

 

Q: If using the Mgmt port for HA works well and never causes issues why have these dedicated HA1 ports at all and if it doesn't work well then why even support HA on platforms without the HA1 ports?

A: Dedicated HA ports are supported only on bigger devices, those that are usually used in big campus or data center (PA-3200, 5200 and above). In most of these case the management for the two peers may be in totally different networks, which means if you use mgmt for control link you will pass over some additional layer2 and layer3 devices. It make sense to have such important traffic passing over as little as possible external devices, to guarantee stable connection and performance.

 

Q: Wouldn't it just be easier to have Heartbeat backup enabled on by default and let the software determine if Mgmt port is being used for HA1 or HA1 Backup (simple configuration check) and if it is silently disable Heartbeat backup automatically? 

A: There is such check, that is why if you apply such configuration you will receive commit warning, which let you know that heartbeat backup is ignored (which you would agree is the same as "automatically disabled"). But let me ask you - would you prefer to for the FW silently ignore the redundant configuration and leave you believe you have HA1 redundancy, you would you prefer to receive warning that you try to config HA1 backup over the same physical as the primary HA1 and you actually don't have redundancy, which could lead to split-brain?

 

Q: Are we simply giving the user unnecessary choice and then blaming them for making the wrong choice?

A: Absolutely not.

 

 

I would also strongly recommend you to check the following documentation, which also includes the Aux ports you mentioned - HA Ports on Palo Alto Networks Firewalls

  • 21169 Views
  • 6 comments
  • 1 Likes
Register or Sign-in
Contributors
Labels
Article Dashboard
Version history
Last Updated:
‎07-13-2020 12:57 PM
Updated by: