12-05-2022 10:25 AM
I'll be darned if I can find any documentation that speaks to if/how interfaces are configured to fail closed if there's a system or interface issue.
Does anyone have a URL that talks to this?
12-05-2022 08:40 PM
could you please provide more details about scenario of failure? Without knowing details of your question, my general reply would be as below:
- If you mean a support for "bump in the wire" where interfaces will support hardware relay to allow flowing of traffic in the case of hardware failure, then this is not supported with Palo Alto, so default is fail close.
- Best practice is to build an HA pair to fail over in the case interface or system goes down. If an interface goes down and interface tracking is enabled under HA, the other Firewall in the HA pair will take it over. If entire system goes down, then based oh heartbeat failover will take place.
12-06-2022 03:18 PM
From the last few cases I posted to TAC regarding this, there is no documentation. So to satisfy the auditors, I create a TAC case with the question. Then use the TAC case number and their response as the artifact/documentation.
The gov auditors accept this answer.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!