Hi Gang,

Excuse me for my ignorance. We had Palo firewalls literally thrown at us and instantaneously put into production (not great!). I have a pair of Palos in HA Active/Passive with preemptive enabled on the active/primary. These are in turn patched to an INET switch (internet handed off via a single ethernet patch cable to this switch).

We have HA (Device > HA > Link and Path Monitoring) configured for link and path monitoring:

- Link monitoring: Failure condition = any; link group = all interfaces
- Path monitoring: Failure condition = any; path group = virtual router path with internal and external destination IPs, at a 500 ms interval and a ping count of 5

Now say the active firewall detects a link failure on an interface (bear in mind this is an interface that is on the same switch as the secondary). The passive firewall takes over until the primary is ready to preempt. We are right here.

Now the same scenario, but this time there is a path failure. Let's say something has happened upstream, say the ISP router went down. No pings to, say, public IP addresses 8.8.8.8 and 8.8.4.4, so no internet at all, and thus the primary firewall will detect a path failure as per HA. The secondary will take over. In the scenario mentioned before, I am not sure what happens:

- The primary firewall will be passive, waiting to preempt when the paths are back, though the secondary has no internet either, so what happens here?
- The secondary takes over, though what happens here too (I haven't configured link and path monitoring yet on the passive firewall; should I do so)?
- Both firewalls are sitting there with no path to the internet. What happens here?
- What happens with flapping in this case, as opposed to a hard path failure on both firewalls?
- Do I bother with virtual router path monitoring or rely on HA monitoring?

To make it more confusing, the Palos are connected to ACI.

We are wondering, if the internet is unavailable for both firewalls, could both firewalls shut down all internal-zone-based interfaces so that ACI could detect a failure on the aggregate links to active and passive? In this case, ACI would proceed to remove the static quad route to the firewall pair and insert another route so traffic is routed elsewhere. ACI is tracking external IPs via the Palo to determine failure.

Perhaps I am overthinking this and lost in my mind. I appreciate any sources, knowledge and clarification you all can provide. Excuse me again for my ignorance.

Thank you kindly,
Dan
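The following is an added example, not part of the original post and not PAN-OS code. It is a constructed model of the monitoring settings described in the post (failure condition "any", a 500 ms probe interval, a ping count of 5, and a path group mixing internal and external destinations), used to show why an upstream ISP outage marks the path group failed on both HA peers at once, and how "any" versus "all" changes that outcome. The rule that a destination counts as down after five consecutive failed probes, the internal destination 10.0.0.1, and all probe histories are assumptions made for the example.

```python
"""Constructed model of HA path-monitoring decisions (added example, not PAN-OS)."""
from dataclasses import dataclass
from typing import Dict, List

PING_INTERVAL_MS = 500   # probe interval from the post's configuration
PING_COUNT = 5           # ping count from the post's configuration


@dataclass
class PathGroup:
    name: str
    failure_condition: str            # "any" or "all", as configurable in the post's setup
    probes: Dict[str, List[bool]]     # destination -> recent probe results (True = reply)

    def down_destinations(self) -> List[str]:
        # Assumption for the model: a destination is down once the last
        # PING_COUNT probes to it all failed.
        return [dst for dst, hist in self.probes.items()
                if len(hist) >= PING_COUNT and not any(hist[-PING_COUNT:])]

    def failed(self) -> bool:
        # "any": one down destination fails the whole group.
        # "all": every destination must be down before the group fails.
        down = self.down_destinations()
        if self.failure_condition == "any":
            return bool(down)
        return len(down) == len(self.probes)


def time_to_declare_down_ms() -> int:
    # Minimum time before a destination can be declared down under this model.
    return PING_INTERVAL_MS * PING_COUNT  # 2500 ms


def upstream_outage_probes() -> Dict[str, List[bool]]:
    # Constructed probe histories: the ISP router is down, so both public
    # destinations stop answering, while the constructed internal destination
    # 10.0.0.1 keeps answering. The same histories apply to both HA peers
    # because they share the single internet hand-off.
    isp_down = [True, True, False, False, False, False, False]
    internal_ok = [True] * 7
    return {"8.8.8.8": list(isp_down),
            "8.8.4.4": list(isp_down),
            "10.0.0.1": list(internal_ok)}


def peer_state(active: bool, path_groups: List[PathGroup]) -> dict:
    failed = [g.name for g in path_groups if g.failed()]
    return {
        "role": "active" if active else "passive",
        "path_failed": bool(failed),
        "failed_groups": failed,
        "down_destinations": sorted({d for g in path_groups
                                     for d in g.down_destinations()}),
    }


def upstream_outage_scenario() -> dict:
    # Both peers evaluate the same "any" path group during the ISP outage.
    primary = peer_state(True, [PathGroup("vr-default", "any", upstream_outage_probes())])
    secondary = peer_state(False, [PathGroup("vr-default", "any", upstream_outage_probes())])
    return {"primary": primary,
            "secondary": secondary,
            "both_without_path": primary["path_failed"] and secondary["path_failed"]}


def compare_conditions() -> Dict[str, bool]:
    # Same outage, same destinations; only the failure condition differs.
    # With "any" the reachable internal destination does not save the group;
    # with "all" it does, because not every destination is down.
    return {cond: PathGroup("vr-default", cond, upstream_outage_probes()).failed()
            for cond in ("any", "all")}


if __name__ == "__main__":
    print("declare-down time:", time_to_declare_down_ms(), "ms")
    print(upstream_outage_scenario())
    print(compare_conditions())
```

The point the model makes visible is that a path group whose members share one upstream hand-off fails on both peers simultaneously, so a failover driven by it moves the active role to a peer that has exactly the same lost path; the failure condition ("any" versus "all") and the choice of monitored destinations decide whether an upstream-only outage counts as a local failure at all.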