Recover from Split Brain PAN OS 8.0.6 (PA3020)

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Recover from Split Brain PAN OS 8.0.6 (PA3020)

L1 Bithead

Hi Community,

 

i have two PA3020 in an A/P HA deployment.

The cluster is virtualized with 2 VSYS - one for comany A and one for company B.

Between the companies, the coreswitches are linked with 20GBit. (a kind of dark fibre - 500 meters)

 

The 3020 HA setup manages both companies. VLANs for both companies are configured on both cores to ensure a clean failover.

For now, there isnt a backup network path between both companies/firewalls.

 

If the link between the companies will fail (for example because of contruction works) both HA members will become active because there is no way to exchange HA packets (Control and Data).

(I read all the documents regarding HA deployment on this site)

 

So here is my question:

 

For us, it is critical that both HA members will be active (split brain), because firewall A has to handle traffic from company A and firewall B hast to handle traffic for company B until the HA links recover.

Will this work like I suggest?

 

And the next question:

 

When recovering from split brain (wich we need to force), which device will sync its log entries to the other or are both logentries  will be brought togehter (wich would be the perfect thing).

 

Are there any other concerns about recovering from split brain?

 

Is the split datapath option in HA needed, although it is pointed out only to use in A/A deployments.

(The option would be available in A/P deployment)

 

---

 

This setup has to work for about 7 month until we get our redundant datapath...

 

It would be amazing if someone can help me with this setup. I think I'm at 80% but those last question i cant find anywhere.

 

best regards

 

Toni

2 accepted solutions

Accepted Solutions

L7 Applicator

Hi @itserviceHEWA

 


@itserviceHEWAwrote:

So here is my question:

 

For us, it is critical that both HA members will be active (split brain), because firewall A has to handle traffic from company A and firewall B hast to handle traffic for company B until the HA links recover.

Will this work like I suggest?

 


 

Yes, this will work as you suggested. As long both firewalls know nothing about the other they both assume that they have to be "active" and handle traffic.

 


@itserviceHEWAwrote:

And the next question:

 

When recovering from split brain (wich we need to force), which device will sync its log entries to the other or are both logentries  will be brought togehter (wich would be the perfect thing).


 

The logs aren't synched at all. For such a situation you would need addfitional servers to store the logs. An option would be panorama. During the split-brain you only have the logs from one firewall (in case of one panorama), but after the split-brain the firewall that lost connection to panorama will send all the missing logs to panorama. Syslog servers are also an option but then you would need at least 2 syslog servers and something that has the intelligence to keep then in sync after the split-brain. So probably panorama is the easier solution.

 


@itserviceHEWAwrote:

Are there any other concerns about recovering from split brain?

 

Is the split datapath option in HA needed, although it is pointed out only to use in A/A deployments.

(The option would be available in A/P deployment)


 

In your situation you don't need to worry about this option. As I wrote, as long as the firewalls don't see each other both will automatically become active. But when recovering from solit-brain some connections might need to be reestablished - probably the ones on the firewall that becomes passive after the split-brain.

 

Regards,

Remo

View solution in original post

5 REPLIES 5

L7 Applicator

Hi @itserviceHEWA

 


@itserviceHEWAwrote:

So here is my question:

 

For us, it is critical that both HA members will be active (split brain), because firewall A has to handle traffic from company A and firewall B hast to handle traffic for company B until the HA links recover.

Will this work like I suggest?

 


 

Yes, this will work as you suggested. As long both firewalls know nothing about the other they both assume that they have to be "active" and handle traffic.

 


@itserviceHEWAwrote:

And the next question:

 

When recovering from split brain (wich we need to force), which device will sync its log entries to the other or are both logentries  will be brought togehter (wich would be the perfect thing).


 

The logs aren't synched at all. For such a situation you would need addfitional servers to store the logs. An option would be panorama. During the split-brain you only have the logs from one firewall (in case of one panorama), but after the split-brain the firewall that lost connection to panorama will send all the missing logs to panorama. Syslog servers are also an option but then you would need at least 2 syslog servers and something that has the intelligence to keep then in sync after the split-brain. So probably panorama is the easier solution.

 


@itserviceHEWAwrote:

Are there any other concerns about recovering from split brain?

 

Is the split datapath option in HA needed, although it is pointed out only to use in A/A deployments.

(The option would be available in A/P deployment)


 

In your situation you don't need to worry about this option. As I wrote, as long as the firewalls don't see each other both will automatically become active. But when recovering from solit-brain some connections might need to be reestablished - probably the ones on the firewall that becomes passive after the split-brain.

 

Regards,

Remo

Hi @Remo,

 

thanks for your very professional help in my case. Your answers give us a brilliant statement to our questions!

 

As we are planing to roll out about 10 smaller PA firewalls to smaller connected business units, panorama is also a milestone in our conecept.

So your suggested loghandling will be now another point in the concept - many thanks for this!

 

There is nothing more to say except another thanks for this very fast help! It solved all the other problems I counterd the last days.

 

Best regards

 

Toni

 

#Remo4president

Hello @itserviceHEWA,

Another thing to look at when recovering would be Device Priority. Make one a bit higher so you'll know it will win when they come up.

 

image.png

 

https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/high-availability/ha-concepts/device...

 

Just a bit more info for you.

 

Good luck!

Hello,

Found this after I posted, its a better article I think.

 

https://live.paloaltonetworks.com/t5/Learning-Articles/Understanding-Preemption-with-the-Configured-...

 

Cheers!

Hi @OtakarKlier,

 

thank you very much for the document! This one i didnt find in my research but represents a perfect overview for the preemption.

I updated our concept with those informations - perfect!

It also is a keypoint to us to control the reoveryprocess.

 

Thanks for this!!!

 

Cheers,

 

Toni

 

  • 2 accepted solutions
  • 3401 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!