Hi, I have an active/passive HA setup and have link state monitoring enabled on my data interfaces, but I notice I can't select the management port for this. To my thinking, if I lose the management port I would want the cluster to fail over because it would no longer be able to log to Panorama, or to look up user IDs.
How would you recommend doing this? Is link path monitoring (using the management IP as the source) the only way?
Yes, one of the options you can use is to enable path monitoring for the management ranges. Also note that the communication would still go through one of the data ports (probably the trust interface). You can point to one of the IPs in the management range and ask the firewall to fail over if that is unreachable.
It is by design that the management port is not an option under path monitoring. But your requirement can be a good feature request. You can contact your local sales / systems engineer to file a feature request. Hope this helps. Thank you.
Thanks, I have done that. Just to be clear though, if the management port fails, will the firewall route the AD lookups and logs to Panorama etc. via the trust interface? It is L3, but I don't have any of the management services enabled, and I don't presently have the trust address enabled on my Panorama server as a valid source.
Your situation is a special instance, since your PAN FW is connected to AD through the MGMT interface. But most of the time data ports are used for transit traffic and management is for managing the device. That's the reason only data ports are available for monitoring at this point in time, just to ensure the transit traffic is passing through the FW.
But your point is 100% valid and I would request you to contact your PAN SE to submit a Feature Request for the same.
No, it will not fail over User-ID or Panorama functionality to the trust interface once the management port is down. From path monitoring you achieve failover if management IP ranges are unavailable (I haven't seen users using this approach though). Then the peer device's management will process those requests normally.
You can use either a data port (trust port) or the management port for Panorama and User-ID functionality. If you use a data port for User-ID and Panorama, and that data port interface goes down, a failover will trigger from link monitoring itself. It will depend on your requirement. I would still suggest the management interface for this purpose, as this will lower the number of packets the device has to process on the dataplane side, thus reducing DP CPU. Hope this helps.
You can configure it at the following location:
In the above example I have requested the firewall to use E1/5, which is my trust interface, for Panorama and User-ID. Everything else will still use the management interface for the other services.
You can configure it under Device -> Setup -> Services -> Service Route Configuration
Hope this helps. Thank you.
Ah right, well mine is a lot simpler than yours; it just shows "use management interface for all", which for me is probably the best choice anyway. As you say, it keeps the data plane free for the data.
Thanks very much, this has been very helpful and I have emailed my SE with the request.
By the way, I tested this and it does not work! I set the path monitoring to ping the gateway of the management interface's network and failed my management interface. The device did not fail over, but it did crash!
So I logged a support ticket, and the answer came back that it would have used any available path for the path monitoring. Unfortunately, because it stayed active, my AD lookups stacked up and the useridd process crashed; the firewall wouldn't respond on the console and the only way out was to power it off.
So if you set the box up using the DEFAULT, to use the management port for service routes, and your management port goes down...
Why has no-one else realised that a failure of the management port is the Achilles' heel of the HA?