04-30-2024 05:12 AM
Hello,
I have 2 x 440 series to configure for HA active/standby.
I plan to use ethernet 1/5, 6, 7 & 8 for the Data & Control links.
I have connected the interfaces to test.
When I select interfaces under "HA Communications", only the management interface is available in the dropdown -- the other ethernet interfaces are not available as an option.
Q: Has anyone seen this issue before?
04-30-2024 05:30 AM
Hello,
Under the interface itself do you have the interface type selected as "HA"?
04-30-2024 06:58 AM
Thank you -- I have enabled & the interfaces are available for selection.
I see on the dashboard the running-config is not in sync & I do not see an option for synchronising configurations.
Any idea why the firewalls will not sync running config?
04-30-2024 11:56 AM
Check the firewall system logs and see if they provide a reason for why HA sync failed; what you're looking for will probably be classified as a critical severity. The CLI command to sync configs is
request high-availability sync-to-remote running-config
05-01-2024 05:28 AM
Thank you -- the configurations have synchronised without any input from me.
It might have been a time delay issue.
I have been testing failover -- the Active & Standby have a connection to the LAN on eth1/4, IP 10.123.123.249/24.
I can ping this IP address from the LAN with the Active eth1/4 connected.
When I disconnect eth1/4 on the primary, the Standby firewall stays in standby mode & I cannot ping until I fail the Active.
Q: Can I use path monitor or similar to protect against individual interface failure?
Thank you again for all your help.
I have connectivity to
05-01-2024 05:43 AM
The data interfaces will be in a standby state on the passive firewall and won't be active until a failover event is triggered. For example, you can set link monitoring to fail over in the event that eth 1/4 goes down; that would then put that firewall in a passive state and promote the other one to active.
This can be configured under Device > High Availability > Link and Path Monitoring. Here you'll be able to set things to your needs such as a single interface failing, maybe a group of interfaces failing. Set path monitoring, for example I can no longer ping 8.8.8.8 and 1.1.1.1, then fail over. HA Link and Path Monitoring (paloaltonetworks.com)
If you wanted to protect against a single interface failure but still keep that device as active and not fail over, you could look at creating an aggregate interface. Configure an Aggregate Interface Group (paloaltonetworks.com)