high availability



L3 Networker

Hello,

I have 2 x 440 series to configure for HA active/standby.

I plan to use ethernet 1/5, 6, 7 & 8 for the Data & Control links.

I have connected the interfaces to test.

When I select interfaces under "HA Communications", only the management interface is available in the dropdown -- the other ethernet interfaces are not available as an option.

Q: Has anyone seen this issue before?

5 REPLIES

Cyber Elite

Hello,

 

Under the interface itself do you have the interface type selected as "HA"? 


 

Thank you -- I have enabled it & the interfaces are available for selection.

I see on the dashboard that the running-config is not in sync & I do not see an option for synchronising configurations.

Any idea why the firewalls will not sync the running config?

Check the firewall system logs and see if they provide a reason for why HA sync failed; what you're looking for will probably be classified as a critical severity. The CLI command to sync configs is:

request high-availability sync-to-remote running-config

 

Thank you -- the configurations have synchronised without any input from me.

It might have been a time delay issue.

I have been testing failover -- the Active & Standby have a connection to the LAN on eth1/4, IP 10.123.123.249/24.

I can ping this IP address from the LAN with the Active eth1/4 connected.

When I disconnect eth1/4 on the primary, the Standby firewall stays in standby mode & I cannot ping until I fail the Active.

Q: Can I use path monitor or similar to protect against individual interface failure?

Thank you again for all your help.

I have connectivity to

Cyber Elite

 

The data interfaces will be in a standby state on the passive firewall and won't be active until a failover event is triggered. For example, you can set link monitoring to fail over in the event that eth1/4 goes down; that would then put that firewall in a passive state and promote the other one to active.

 

This can be configured under Device > High Availability > Link and Path Monitoring. Here you'll be able to set things to your needs, such as a single interface failing or maybe a group of interfaces failing. You can also set path monitoring: for example, if I can no longer ping 8.8.8.8 and 1.1.1.1, then fail over. HA Link and Path Monitoring (paloaltonetworks.com)

 

If you wanted to protect against a single interface failure but still keep that device as active and not fail over, you could look at creating an aggregate interface. Configure an Aggregate Interface Group (paloaltonetworks.com)
