thank you for your reply.
The information that the passive member does not do path monitoring was very valuable to me.
I totally agree with your recommendation.
In my real scenario, I have an additional connection between F1 and R2, so I'm thinking about putting more priority on F1, for it will always be my active firewall.
Instead I'm thinking about not having a path-monitoring on the routers at all, because I can't see any value in this any more.
To answer my own question from the beginning:
F2 was the active partner,
when the interconnection between S1 and S2 goes down,
F2 sees the path to R1 down and sees itself as "failed"?
Now F1, which didn't do path monitoring, becomes active (is healthy, has all links, sees that F2 reports itself as "failed", doesn't do path monitoring already...)?
Now it does tracking to R1 and R2... But as the interconnection between S1 and S2 is down, it cannot reach R2.
So after some time it will mark itself as "failed"?
F2 is still in "failed"... so there's no failover back to F2, right?
Now the PBF tracker will find that R1 is available and F1 will forward traffic through it?
Is the answer,
"yes, it will actually failover, but already when the interconnection between the switches goes down"?
Thank you for helping me to understand.
sorry, if I missed something obvious... but I need your help, because I have no lab environment where I could answer my question by just testing....
I have two PA-200 with HA Lite.
Both have an outside interface connected to a switch:
Firewall F1 with switch S1, Firewall F2 with switch S2.
S1 and S2 have an interconnection.
Now there are two routers (with internet uplinks) connected to the switches, on each side:
Router R1 to S1, Router R2 to S2.
The default internet uplink is via R2.
There's a PBF configured that in case R2 is not reachable, the default route goes via R1.
There's link monitoring on the FW-interfaces connected to the switches.
There's path monitoring to both of the Routers.
Assume F2 is the active partner,
and assume the interconnection between S1 and S2 goes down:
Active and passive firewall would not see any change in link monitoring.
The passive partner would report that the path to R2 has failed and the device would change to "failed" state (?)
The active firewall would see that path to R1 went down and also change to "failed" state (?)
But as F1 which sees F2 in "failed" now, is in "failed" itself, I don't think a failover would occur...
Now R2 also goes down...
IMHO, F2 is failing a little more, because it has lost the path to R2 _and_ R1.
If a failover would happen now, the PBF-Tracker would report that the backup-route is available and could forward traffic via R1.
How are failover decisions made? Is there documentation?
Would my HA pair failover to F1?
Thank you for your help!
I have created a CSR:
request certificate generate country-code DE days-till-expiry 1100 email NOC@DOMAIN.COM locality BERLIN signed-by external organization MYORG ip 184.108.40.206 algorithm RSA rsa-nbits 2048 certificate-name testcert name test.domain.de
Looks fine and I can also see it in the WUI.
Now I would like to export it via SSH:
scp export certificate certificate-name testcert format pem include-key no to email@example.com:/cert_test.csr
but I get
Server error : Failed to prepare certificate testcert for export
This works fine for already existing certificates... but not for a CSR...
What am I doing wrong?
Any help appreciated. Thank you!