I would like to know if our environment using 2 x PAN and formed HA. The control link and data link connected to switches as our office over 3 floors in the same building. If the switch failure, how did the PAN response? Will they are not able to fail over?
If both HA1 AND HA2 links fail, both devices will detect that the other device has failed and they will both go Active. This is typically not a desirable behavior because you may have issues with IP conflict, routing, etc.
A couple of ways to minimize this risk:
(1) Use cables and not switches... Chance of cable failure is much smaller.
(2) Connect HA1 to switches that have some redundancy capabilities. HA1 is responsible for the management side of things and also heartbeat connectivity.
(3) Maybe there's a way to leverage link or path monitoring in your HA environment. Link and path monitoring will essentially monitor links on your firewall or paths (IP addresses outside the firewall) and if these links fail, then the firewall will put himself in a non-active state.
Just some thoughts!
Another idea is running fiber for your HA1 and HA2 ports. Not sure what boxes you have, but if the distance is too great and you have fiber, this works nicely also. Just connect two fiber ports, configure PANOS to use those ports as HA1 and HA2, and you're all set. No worry about what happens if a switch goes down!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!