Path Monitoring question?

L4 Transporter

Hi folks,

 

Preparing for my HA configuration this weekend.  🙂

 

I have a question about creating a Path monitoring group on the Passive device.

 

While I go through the procedures to configure HA on the Active device, I plan to set a Path monitoring group for our virtual router named SDTSS.  

 

When I go through the same procedures on my Passive device (already reset to default, apply licensing, etc), I should not expect to see SDTSS as a selection in my Path monitor group creation, correct?  

Would I have to finish configuring and sync for the created Virtual Router configs to come over to the Passive device before I could configure a Path monitoring group for a virtual router (beyond default)?

 

Thanks

Accepted Solutions

Cyber Elite

Yeah until you have config synchronized over you don't have custom virtual router there in the list.

 

Few options.

Rename default router to SDTSS and prepare Path monitoring.

Configure Path monitoring in Web interface after HA is set up.

Identify config change when you configure Path Monitoring on active device, copy those set commands out and paste them into secondary device when HA is set up.

 

Way to get full config in set commands:
> set cli config-output-format set
> configure
# show

 

Edit: Definitely use at least 2 different destinations in Path Monitoring. If you don't want your firewalls to flap then don't expect that 8.8.8.8 gives you SLA and is always up 🙂

 

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
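
The third option above (compare the active device's set-format output before and after adding Path Monitoring, then paste the new lines on the peer) can be scripted. This is an added example, not part of the original post: the config lines are constructed, and the `path-monitoring path-group virtual-router <name>` and `set network virtual-router <name>` forms are assumptions that may differ by PAN-OS version.

```python
import re

# Assumed set-format shapes (may vary by PAN-OS version).
PATH_GROUP_VR = re.compile(r"path-monitoring path-group virtual-router (\S+)")
VR_DEF = re.compile(r"^set network virtual-router (\S+)")

# Constructed sample: active device before and after Path Monitoring was added.
BEFORE = """\
set network virtual-router SDTSS interface ethernet1/1
set deviceconfig high-availability enabled yes
"""
AFTER = BEFORE + """\
set deviceconfig high-availability group monitoring path-monitoring enabled yes
set deviceconfig high-availability group monitoring path-monitoring path-group virtual-router SDTSS enabled yes
set deviceconfig high-availability group monitoring path-monitoring path-group virtual-router SDTSS destination-ip [ 192.0.2.1 198.51.100.1 ]
"""
# Constructed sample: freshly reset peer that has not received a config sync yet.
PASSIVE_FRESH = "set network virtual-router default interface ethernet1/1\n"


def added_lines(before, after):
    """Set commands present in `after` but not in `before`, in original order."""
    seen = {line.strip() for line in before.splitlines()}
    return [s for line in after.splitlines() if (s := line.strip()) and s not in seen]


def path_monitoring_commands(before, after):
    """The subset of newly added set commands that belong to Path Monitoring."""
    return [line for line in added_lines(before, after) if "path-monitoring" in line]


def missing_virtual_routers(commands, target_config):
    """Virtual routers the commands reference that the target config lacks."""
    defined = {m.group(1) for line in target_config.splitlines()
               if (m := VR_DEF.match(line.strip()))}
    referenced = {m.group(1) for line in commands if (m := PATH_GROUP_VR.search(line))}
    return sorted(referenced - defined)


if __name__ == "__main__":
    cmds = path_monitoring_commands(BEFORE, AFTER)
    missing = missing_virtual_routers(cmds, PASSIVE_FRESH)
    if missing:
        print("Do not paste yet; peer lacks virtual router(s):", ", ".join(missing))
    else:
        print("\n".join(cmds))
```

Run against the unsynced peer, the check reports SDTSS as missing, which is the situation the original question describes; after a sync the same commands pass the check.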

Thank you!

 

I will likely try for a successful sync first.

 

I wonder how much Link/Path monitoring matters on a Passive device if the other is set to Preemptive and should switch back to it when it comes back online?

 

 

Passive will not do any path monitoring as its interfaces are not enabled.

Passive uses same MAC addresses as active so it can't have interface up.

I suggest to set "Passive Link State" to auto. Default is Shut down.

Auto will bring passive firewall up faster as switch ports are already aware of device connected to those ports.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011