Summary:

Mode choices:
- Active/standby
- Active/active: not recommended unless you have an asymmetric routing issue
(Asymmetric routing issue: traffic goes out on one path, but the return traffic comes back on a different path)
HA Links:
- HA1 (Control link): hello messages, heartbeats, HA state info, User-ID info, configuration sync
- HA2 (Data link): session info, forwarding tables, IPSec SAs, ARP
- A 3rd interface is needed for Active/Active
Triggers:
- Heartbeats (ICMP ping between the two firewalls over the control link, HA1) and hello messages
- Link monitoring: monitors a group of interfaces on the firewalls
- Path monitoring: you set a ping to a specific destination; if no echo reply comes back, it triggers a failover
Pre-reqs:
- Same model
- Same PAN-OS version
- Same interfaces (you can borrow the mgmt interface for the control link)
- Licenses
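The pre-requisites above can be checked before enabling HA by comparing facts collected from both peers. The following is an added example, not part of the original notes: the "key: value" fact format, the field names, and the sample data are assumptions constructed for illustration, not real device output.

```python
# Added example: HA pre-requisite parity check for two intended peers.
# Fact format and field names are assumed; sample data is constructed.
PRIMARY = """\
model: PA-3220
sw-version: 10.1.6
interfaces: ethernet1/1, ethernet1/2, ethernet1/7, ethernet1/8
licenses: Threat Prevention, URL Filtering
"""
SECONDARY = """\
model: PA-3220
sw-version: 10.1.9
interfaces: ethernet1/1, ethernet1/2, ethernet1/7, ethernet1/8
licenses: Threat Prevention
"""

SCALAR_KEYS = ("model", "sw-version")   # must be identical strings
SET_KEYS = ("interfaces", "licenses")   # must be identical sets, any order


def parse_facts(text):
    """Parse 'key: value' lines into a dict; lines without a colon are skipped."""
    facts = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():
            facts[key.strip().lower()] = value.strip()
    return facts


def as_set(value):
    """Split a comma-separated value into a set of trimmed items."""
    return {item.strip() for item in value.split(",") if item.strip()}


def ha_prereq_mismatches(primary_text, secondary_text):
    """Return a list of human-readable pre-req mismatches (empty if none)."""
    a, b = parse_facts(primary_text), parse_facts(secondary_text)
    problems = []
    for key in SCALAR_KEYS + SET_KEYS:
        if key not in a or key not in b:
            problems.append(f"{key}: missing on at least one peer")
        elif key in SCALAR_KEYS and a[key] != b[key]:
            problems.append(f"{key}: {a[key]} != {b[key]}")
        elif key in SET_KEYS and as_set(a[key]) != as_set(b[key]):
            diff = sorted(as_set(a[key]) ^ as_set(b[key]))
            problems.append(f"{key}: not on both peers: {', '.join(diff)}")
    return problems


if __name__ == "__main__":
    for problem in ha_prereq_mismatches(PRIMARY, SECONDARY):
        print("MISMATCH", problem)
```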
Configs on the secondary firewall:
- You need to configure the HA interface on the 2nd firewall
- Mimic the HA settings from the primary firewall (i.e. enabling HA, choosing the HA2 interface, device priority)