Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
09-17-2013 11:19 AM
Hi all,
I have 2 simple questions:
Q1: proper procedure to physically move the standby firewall PA3020 connected to primary firewall within the same datacenter (need to power off and move)?
Q2: proper procedure to switch the primary to standby and standby to primary firewall?
Thanks a lot!!
Peter
09-17-2013 11:33 AM
1. If the cables are going to get disturbed then yes you should power off the device.
2. From GUI you and suspend the device and the passive will become active at that time. Unless you want passive to be suspended itself.
You can achieve this by going to Device ---> high availability
or you can do this from CLI
request high-availability state suspend
request high-availability state functional
Hope that helps.
Thanks
Numan
09-17-2013 01:17 PM
Thanks! Still not very clear:
Q1. I need to physically move the standby firewall, so should I:
a - suspend standby FW (optional?)
b - power off standby FW
c - move standby FW
d - power up standby FW
e - re-connect with primary firewall
f - unsuspend standby FW
My fear is that the standby firewall will become active if it believes the primary is down if the move is not executed properly: both active and secondary will be up.
09-17-2013 01:35 PM
Hi,
If you suspend the standby unit and power it down and move it and then power it back up it will become functional upon the reboot. If your Current Active unit has lower priority then the standby unit then the standby should come up as standby(Passive).
Thanks,
Syed R Hasnain
09-17-2013 01:53 PM
Not sure the last sentence? I thought if the active unit has lower priority, then the standby may take over as primary when it powers up if it has higher priority?
09-17-2013 02:07 PM
The unit with the lower priority will be active and the unit with the higher priority will be passive.
09-18-2013 08:08 AM
With preempt enabled on both the HA peers (option is under Ha election settings), the peer with the lowest device priority will always preempt to be the Active firewall.
Thanks,
Aditi
09-19-2013 01:31 AM
Hi,
Just be sure to disable preempt (Device / HA / election settings) on both FW and then follow your procedure. When the moved fw will come up, he will re integrate the HA as backup then no issue.
Keep us in touch.
V.
09-19-2013 07:42 AM
My 2 firewalls in active-passive mode were pre-configured and they have the same priority numbers. Should I change them if I want to keep active-passive mode?
Thanks!
09-19-2013 08:46 AM
Hello,
It is recommended to configure different priorities on both the firewalls in order to maintain a healthy HA environment. Lower values will be higher in priority.
Example:
Firewall- A = priority 100
Firewall -B= priority 200
If you reboot both firewalls at the same time, firewall A will become active and B will become passive. Also it will help you with "preempt" option.
Thanks
09-19-2013 12:24 PM
If you are using the preemption feature on your HA. The firewall with the lower priority will always be active and the firewall with the higher priority will be passive. If for some reason your active device reboots or goes down the passive will take over but as soon as the active comes back up it will again become the master of the cluster(active). As mentioned above its a good practice to have different priorities on the active and passive unit.
Thanks,
Syed R Hasnain
09-21-2013 02:33 PM
You are afraid about split brain.
use backup for management with selecting Heartbeat backup.
I already did what you want to do without preemptive option.just manually flap, powered off the main device.After powering on manually switched the devices again.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
