suspend both firewall


L4 Transporter

What would happen if you suspended both of your firewalls in an active/passive HA configuration? Starting with suspending the passive firewall first and then the primary firewall.


L7 Applicator

two things....


1. helpdesk phones begin to melt..

2. start looking for a job at your local supermarket..



I like your answer; it's very creative. So the flow stops passing through both PAs. I would have thought they would just no longer be in HA or maybe they would be in a split-brain state.

Well, I did have a little play on our test boxes after your post, and I suppose the most logical explanation is that you are suspending the device, not the HA status. Albeit not the management interface.... and yes, all interfaces were rouge..


Thanks for testing it for me. Wish I had some test boxes; are they hardware or virtual? I guess I won't be trying that on my real network since I don't like melting phones or slinging burgers.

They are hardware (3050s).



for the record....

we are currently running all of our boxes on 7.1.15, we tried an upgrade to 8 last year and had to roll back,

partly because of the early release of 8 that we were using, partly because I'm still struggling with some of the next generation stuff...

the company took the option to purchase 2 spares for testing the next upgrade to 8.07, also it's nice to have a hot standby as not all of our firewalls are HA. further down the line we have a new site to cope with so they will eventually be used for that...


off the record....

you know how it works when departments have asked for x amount of money and don't spend it by the end of the year...





Your company must have access to way more money than we do LOL. I have been contemplating upgrading to 8 during the summer break, but the issues with xauth & the VPN are making me think twice about it.


Touching/expanding on what @Mick.Ball stated; when you suspend the firewall HA is no longer functional. 'Suspend' is referenced a lot like it's some kind of 'HA Failover' command, and it is in the sense that it will cause an HA failover. That being said, you bring the device to a non-functional device. Once a firewall is in the 'suspended' state, it can only be made functional manually. 

This is done so that any issue that would normally force the firewall to enter a 'suspended' state automatically, such as interface/path monitoring flaps, preemption issues, do not continue to cause flapping across the HA pair. When you 'suspend' your other HA unit you'll effectively be left without a functional device. 

If I suspend the primary firewall and then restart that same primary firewall, will it be in the suspended state or the functional state after the restart?


Once you restart the device it will be in the default 'functional' state, not suspended. This is why the upgrade procedure says that you should disable preempt, as it would prevent the primary device from automatically re-taking the active state until you want it to do so.
