Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

High Availability - Interfaces Passive Firewall are power off (down)

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

High Availability - Interfaces Passive Firewall are power off (down)

Not applicable

Hi,

I have a firewll PA-3050 version 5.0.11 and the High Availability cluster is configured Active / Passive mode. The interfaces to backup firewall are powered off and I tried switch the configuration in Active / Passive to auto instead shutdown, but the interfaces still powered off .

Can you help me ? How I can power on the interfaces in backup firewall  ?

best regards,

Paulo Roberto Aun

6 REPLIES 6

L3 Networker

Hi Paulo_Aun

Is the firewall configured for Layer2 or Vwire? Review doc Passive Device Interfaces Down in Auto Passive Link State

L7 Applicator

When a cluster is Active/Passive the passive node interfaces do not pass any traffic.  This is by design to prevent creating any layer 2 loops from any alternate paths created by having two devices serve the same traffic.  Since the Active/Passive design is that only one firewall at a time is processing sessions, this generally does not create an issue.

If you network design requires that traffic pass on the inactive node, then you will need to implement an Active/Active cluster.  This is the case if you need dynamic routing protocols to traverse the inactive device or if you have multiple network paths setup by design and want the cluster to handle asymmetrical routing.

It sounds like your network design method might require an Active/Active cluster deploy.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

Steven even not passing traffic, how do I get the interfaces stay connected? Is there any way?

I am not sure if this is normal or not as all my clusters run Active/Active and I have not had time to lab up an active/passive one.

Can you test failover to see if it successfully shifts to the passive device?

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

Found the documentation for the link status in Active/Passive HA and this is a normal operation.  The passive device interfaces can be link down when not in operation.

What is the Difference Between Auto and Shutdown Mode for Passive Link?

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

L3 Networker

PA-850 firewalls when in Active/Passive with passive link state mode as "auto". All the interfaces on the passive device are down until a failover happens. During failover, passive takes over as active and all its interfaces are up and start forwarding traffic.

  • 18032 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!