01-24-2020 02:22 AM
Hi Gang,
Excuse me for my ignorance. We had Palo firewalls literally thrown at us and instantaneously put into production (not great!).
I have a pair of Palos in HA Active/Passive with preempt enabled on the active/primary. These are in turn patched to an INET switch (internet handed off via a single ethernet patch cable to this switch).
We have HA (Device > HA > Link and Path Monitoring) configured for link and path monitoring:
Now say the active firewall detects an interface link failure (bear in mind this is an interface that is on the same switch as the secondary). The passive firewall takes over until the primary is ready to preempt. We are right here.
Now the same scenario, but this time there is a path failure. Let's say something has happened upstream, say the ISP router went down. No pings to, say, public IP addresses 8.8.8.8 and 8.8.4.4, so no internet at all, and thus the primary firewall will detect a path failure as per HA. The secondary will take over.
In the scenario mentioned before, I'm not sure what happens:
To make it more confusing, the Palos are connected to ACI. We are wondering: if the internet is unavailable for both firewalls, could both firewalls shut down all internal-zone-based interfaces so that ACI could detect a failure on the aggregate links to active and passive? In this case, ACI would proceed to remove the static quad route to the firewall pair and insert another route so traffic is routed elsewhere. ACI is tracking external IPs via the Palo to determine failure.
Perhaps I am overthinking this and lost in my mind. I appreciate any sources, knowledge and clarification you all can provide.
Excuse me again for my ignorance.
Thank you kindly,
Dan
01-24-2020 08:53 AM
So I am assuming you have enabled preempt on the active firewall. Then:
01-24-2020 10:24 AM
@mr_almeida, well-crafted description of your scenario!
At the end of the day there are many layers to an HA configuration meant to provide physical system (FW) resiliency within your environment... the HA configuration is specific to each FW in the HA pair and, with the exception of FW-specific IPs, must match timer/other settings. A couple of things to consider:
- HA Preempt
Configure this only if you are comfortable that the problem that caused the HA fail-over to occur is not, or doesn't have the potential to be, intermittent, as that could cause bouncing of the HA pair unnecessarily... general rule of thumb is to NOT enable HA Preempt so that you can control when to fail back, if desired, after resolving whatever issue caused the initial fail-over.
- HA Link Monitoring
This is the best first step in enhancing your HA configuration, as you want to control, via Link Groups, the fail-over behavior at the physical layer where you have a failed interface/cable. In this case, if there is an interface/cable issue with the directly connected L2 switch, then this configuration will help fail over appropriately... don't forget to include all your traffic-bearing/forwarding links... 😉
- HA Path Monitoring
If you only have one logical path out, in this case a single upstream ISP router/link, then Path Monitoring through it will not be very fruitful and will lead to the scenario described by @lrangra, so it's probably not worth configuring. If you have multiple downstream (internal) paths, then you could investigate setting up Path Monitoring for those.
A couple of good links if need be:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/high-availability/ha-concepts.html
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGNCA0
hth!
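The two behaviours this reply warns about (an HA pair bouncing when preempt is on and the failed link is intermittent, and path monitoring through a single shared upstream failing both peers at once so no fail-over helps) can be seen in a small model. The following is an added example for illustration only; it is not PAN-OS code, not from anyone in this thread, and it does not reproduce PAN-OS HA states or timers. The interface names, the 8.8.8.8/8.8.4.4 destinations, the two event sequences and the rule "an unhealthy active only hands over to a healthy peer" are constructed assumptions of the model.

```python
"""Toy model of HA link/path monitoring groups and the preempt decision.

Added example, not PAN-OS code. A peer is "healthy" when none of its
monitor groups has failed; the active role moves only to a healthy peer;
with preempt enabled a healthy primary always takes the role back.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class MonitorGroup:
    """A link group (members = interfaces) or a path group (members = IPs)."""
    name: str
    members: tuple
    failure_condition: str = "any"  # "any": one member down fails the group
                                    # "all": every member must be down

    def failed(self, down):
        down_members = [m for m in self.members if m in down]
        if self.failure_condition == "any":
            return len(down_members) > 0
        return len(down_members) == len(self.members)


@dataclass(frozen=True)
class Peer:
    name: str
    link_groups: tuple = ()
    path_groups: tuple = ()

    def healthy(self, down_links, unreachable_ips):
        """Healthy only if no link group and no path group has failed."""
        link_failed = any(g.failed(down_links) for g in self.link_groups)
        path_failed = any(g.failed(unreachable_ips) for g in self.path_groups)
        return not (link_failed or path_failed)


def next_active(active, primary_ok, secondary_ok, preempt):
    """One monitoring cycle: which peer forwards next (model assumption:
    an unhealthy active keeps forwarding if the other peer is unhealthy too)."""
    ok = {"primary": primary_ok, "secondary": secondary_ok}
    other = "secondary" if active == "primary" else "primary"
    if preempt and primary_ok:
        return "primary"
    if not ok[active] and ok[other]:
        return other
    return active


def simulate(primary, secondary, events, preempt):
    """events: list of (down_links_primary, down_links_secondary, unreachable_ips).
    Returns the active peer after each cycle and the number of role changes."""
    active, history, changes = "primary", [], 0
    for down_p, down_s, unreachable in events:
        new = next_active(active,
                          primary.healthy(down_p, unreachable),
                          secondary.healthy(down_s, unreachable),
                          preempt)
        changes += new != active
        active = new
        history.append(active)
    return history, changes


# Constructed configuration: one INET link group per peer, one path group
# whose members are only reachable through the single ISP router.
INET = MonitorGroup("inet-links", ("ethernet1/1",), "any")
UPSTREAM = MonitorGroup("isp-path", ("8.8.8.8", "8.8.4.4"), "all")
PRIMARY = Peer("primary", link_groups=(INET,), path_groups=(UPSTREAM,))
SECONDARY = Peer("secondary", link_groups=(INET,), path_groups=(UPSTREAM,))

# Scenario A (constructed): the primary's INET cable flaps twice.
FLAPPING_LINK = [
    ({"ethernet1/1"}, set(), set()),
    (set(), set(), set()),
    ({"ethernet1/1"}, set(), set()),
    (set(), set(), set()),
]

# Scenario B (constructed): the ISP router dies; both peers lose the same path.
SHARED_PATH_DOWN = [
    (set(), set(), {"8.8.8.8", "8.8.4.4"}),
    (set(), set(), {"8.8.8.8", "8.8.4.4"}),
]

if __name__ == "__main__":
    print("flapping link, preempt on: ", simulate(PRIMARY, SECONDARY, FLAPPING_LINK, True))
    print("flapping link, preempt off:", simulate(PRIMARY, SECONDARY, FLAPPING_LINK, False))
    print("shared upstream path down: ", simulate(PRIMARY, SECONDARY, SHARED_PATH_DOWN, True))
```

With preempt on, the flapping cable produces a role change on every cycle; with preempt off it produces exactly one, and the operator chooses when to fail back. In the shared-upstream case both peers fail the same path group in the same cycle, so the role never moves: the monitor detected an outage, but fail-over cannot fix it, which is the point of the reply above.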
01-24-2020 10:32 AM
Hello,
First off, no need to excuse yourself. Your scenario was well written and very common. The others that replied about what happens in HA fail-over are correct. Here are some things I have done in the past.
I'm sure others can provide additional thoughts as well.
Cheers!