Palo Alto EDU-110: Active/Passive High Availability


Describe the differences between active/active and active/passive high availability

Define the prerequisites for creating a high availability pair

Describe the metrics used to detect a firewall failure

Configure the firewall interfaces used for heartbeats and hellos

Configure a high availability pair

Firewall High Availability Overview

High availability remains a concern for mission-critical networks. Palo Alto firewalls can be deployed as a high availability pair, which provides redundancy and supports business continuity.

If one firewall fails for any reason, the other firewall can take over with minimal loss of service.

Palo Alto firewalls support both active/passive and active/active high availability configurations.

Both firewalls synchronise their network, object, and policy configurations, plus session information.

Note that only committed changes are shared between the firewalls.

Some firewall-specific information is not shared: the management interface IP address, high availability specific configuration, log data, and the application command center.

To get a consolidated view of applications and logs across a high availability pair, Panorama must be used.

Active/Passive High Availability

One firewall manages traffic whilst the other is synchronised and ready to move to an active state if a failure occurs.

In this mode, the firewalls will both share the same configuration settings, and one will actively manage traffic until a failure occurs.

If the active firewall fails, the passive firewall transitions to an active state and takes over seamlessly, enforcing the same policies to maintain network security.

In an active/passive setup, session capacity or network throughput is not increased.

Active/Passive high availability is supported in virtual wire, layer 2, and layer 3 deployments.

Active/passive high availability has the simpler design, which makes troubleshooting easier.

Active/Active High Availability

In an active/active high availability deployment, both firewalls in the pair are active and processing traffic.

Both firewalls maintain their own session and routing tables, and synchronise them with each other.

The active/active configuration is designed to support environments that require asymmetric routing.

Active/active high availability does not increase the session capacity or network throughput. Active/active high availability is supported in virtual wire and layer 3 deployments.

Active/active mode requires advanced design concepts, and can result in more complicated networks.

Depending on how the active/active high availability is implemented, it might require additional configuration such as dynamic routing protocols on both firewalls, replication of NAT pools, and deployment of floating IP addresses to provide seamless failover.

Both firewalls in the active/active configuration process traffic, so firewalls will use the additional concepts of session owner and session setup to perform layer 7 content inspection.

Active/active mode is recommended if each firewall needs its own routing instances, and if full real-time redundancy is required from both firewalls at all times.

Active/active will have faster failover and can handle peak traffic flows better than active/passive mode since both firewalls are processing traffic.

Note that the PA-200 series firewall supports only high availability lite, without synchronisation capability, and cannot be configured for active/active high availability.

The VM-Series firewall in Amazon Web Services only supports active/passive high availability.

High Availability Prerequisites

Before high availability can be enabled on the Palo Alto firewall pair, both firewalls need to be the same hardware model.

The PAN-OS version must be the same, except when there is a temporary version mismatch during a software upgrade.

The Palo Alto firewall pair must also have up-to-date application, URL, and threat databases.

A high availability interface type must be configured, and the firewalls must be correctly licensed.

The firewalls must also have a matching slot configuration (this applies to multi-slot firewalls).

VM-Series firewalls have the additional requirements that both firewalls must run on the same hypervisor and have the same number of CPU cores.

Active/Passive High Availability Links

The high availability control link is used to exchange hellos, heartbeats and high availability state information.

The control link is also used to synchronise routing and User-ID information between management planes.

The active firewall also uses this link to synchronise configuration changes with its peer firewall.

The firewalls exchange hello messages and heartbeats at configurable intervals to verify that the peer firewall is responsive and operational.

Hello messages are sent from one peer to the other to verify the state of the firewall.

The heartbeat is an ICMP ping sent to the high availability peer. A response from the peer indicates that the firewall is connected and responsive.

The control link is a layer 3 link that requires an IP address.

The data link is a layer 2 link by default, but it can be configured as a layer 3 link that requires an IP address. The layer 3 link is only required if the data links are not on the same subnet. In layer 2 mode, the data link uses ethertype 0x7261.

The data link is used to synchronise sessions, forwarding tables, IPSec security associations and ARP tables between firewalls in the high availability pair. Data flow on the data link is unidirectional and flows from the active firewall to the passive firewall.

Dedicated and Non-Dedicated High Availability Ports

Some models in the Palo Alto firewall range have dedicated high availability ports, while others require the management or in-band ports to be used as high availability links.

The control link provides synchronisation for functions that are part of the management plane.

Using the dedicated HA1 port or the management port as the control link is more efficient than using the data plane's in-band ports, because the synchronisation packets then do not need to pass from the data plane to the management plane.

The dedicated HA1 port requires an IP address that is different from the management interface address. On devices with dedicated ports, an ethernet cable can directly connect the dedicated HA1 ports and the dedicated HA2 ports of the device pair.

For firewalls without a dedicated high availability port, the best practice is to use the management port for the control link to allow a direct connection to be formed between management planes on the firewall.

Any in-band port can be used for the data link. Any in-band port that is used for a control or data link must be configured with the interface type HA.

Firewalls with dedicated HA ports are:

  • PA-800
  • PA-3000
  • PA-3200
  • PA-5000
  • PA-7000

Firewalls without a dedicated high availability port:

  • PA-200 and PA-500 Series
  • VM Series

High Availability Backup Links

Backup links provide redundancy for the control and data links.

The purpose of configuring a backup control link is to avoid a split brain scenario.

Split brain operation occurs when a non-redundant control link goes down, which causes the management plane to miss heartbeats although both firewalls are still functioning.

In this situation, the passive firewall concludes that the active firewall is down and attempts to start services that are already running on the active firewall, causing a split brain operation.

Dedicated and redundant management plane control link connections can help prevent split brain.

In-band ports are used as backup links for the dedicated HA1 and HA2 ports. The following needs to be considered when configuring these ports:

  • The IP address of the primary and backup HA links must not overlap
  • HA backup links must be on a different subnet from the primary HA links
  • HA1 backup ports and HA2 backup ports must be configured on physically separate ports
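An added illustration (not PAN-OS code or course material): a small checker for the three backup-link rules listed above, built on Python's ipaddress module. The link role names, interface names and addresses are constructed for the example.

```python
"""Validate an HA backup-link layout against the rules above (added model, not
PAN-OS code): backup and primary link addresses must not overlap, the backup
must sit on a different subnet, and HA1/HA2 backups need physically separate ports."""
import ipaddress
from dataclasses import dataclass


@dataclass
class HALink:
    role: str     # constructed role names: "ha1", "ha1-backup", "ha2", "ha2-backup"
    port: str     # physical in-band interface carrying the link (constructed names)
    address: str  # local address in CIDR form, e.g. "10.1.1.1/24"


def check_backup_links(links):
    """Return a list of rule violations; an empty list means the layout is valid."""
    by_role = {link.role: link for link in links}
    problems = []
    for primary_role in ("ha1", "ha2"):
        primary = by_role.get(primary_role)
        backup = by_role.get(primary_role + "-backup")
        if primary is None or backup is None:
            continue  # nothing to compare without both links
        primary_net = ipaddress.ip_interface(primary.address).network
        backup_net = ipaddress.ip_interface(backup.address).network
        # An overlapping network also catches the "same subnet" case.
        if primary_net.overlaps(backup_net):
            problems.append(f"{backup.role} {backup.address} overlaps or shares a "
                            f"subnet with {primary.role} {primary.address}")
    ha1_backup = by_role.get("ha1-backup")
    ha2_backup = by_role.get("ha2-backup")
    if ha1_backup and ha2_backup and ha1_backup.port == ha2_backup.port:
        problems.append(f"ha1-backup and ha2-backup share port {ha1_backup.port}")
    return problems
```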

PA-7000 Series HA Links

High availability on the PA-7000 series mandates the use of specific ports on the switch management card.

The HA1-A port is the control link. This port connects directly to the HA1-A port on the second firewall in the pair, or is connected through a switch or router.

The control link cannot be configured on NPC data ports or the MGT port.

The HA1-B port is the backup control link. This port connects directly to the HA1-B port on the second firewall in the pair, or through a switch or router. The backup control link also cannot be configured on NPC data ports or the MGT port.

The high speed chassis interconnect, or HSCI, is used as the HA data link and backup data link. Each HSCI port is a quad-port SFP+ interface with four 10 Gbps links internally, for a combined speed of 40 Gbps.

The HSCI ports are not routable and must be connected directly to each other. The HSCI-A port on the first chassis connects directly to the HSCI-A port on the second chassis, and so on.

Once fully connected, the connectivity provides a full 80 Gbps transfer rate. In software, the four HSCI-A ports are treated as a single HA interface, and likewise the four HSCI-B ports.

In the rare instance that the distance between the high availability pair exceeds the maximum distance of the HSCI interface, in-band ports can instead be used for data link connections.

Designating an Active Firewall

Each firewall in a high availability pair is assigned a device priority to indicate a preference for which firewall should assume the active role.

If a particular firewall in an HA pair needs to be made the active firewall, pre-emptive behavior must be enabled on both devices and a priority assigned.

The firewall with the lower priority value is designated as the active firewall. The other firewall is designated as the passive firewall.

By default, pre-emption is disabled. When enabled, the firewall with the lower priority value resumes the active role when it recovers from whatever event stopped it working.

Leaving pre-emption disabled gives an administrator a chance to check why a firewall failed before bringing it back into service.

Failure Detection

The firewall can use several monitored metrics to detect a failure.

The firewall uses hello messages and heartbeats to verify that the peer firewall is responsive and operating.

Hello messages are sent from one peer to the other at the configured hello interval to verify the state of the other firewall.

The heartbeat is an ICMP ping to the high availability peer over the control link; the peer responds to the ping to establish that the firewalls are connected and responsive.

Firewalls can be configured to monitor the link states of the physical interfaces. A firewall can be configured to trigger a failover if any or all of the monitored interfaces in a group fail. The default behavior for a monitored group of ports is to fail over if any port in the group fails.

The firewall can be configured to monitor mission-critical IP addresses via ICMP pings to test reachability. Again, a group can be defined listing the IP addresses to be monitored.

By default, an IP address is deemed unreachable if ten pings fail. The failover settings can be set to fail the firewall if any or all of the IP addresses become unreachable; as with interfaces, the default behavior is to fail over if any of the IP addresses fail.
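The link and path monitoring logic described above, as an added illustrative model (not PAN-OS code): monitor groups with an "any" or "all" failure condition, and the default threshold of ten failed pings before an address is deemed unreachable. The interface names and IP addresses used are constructed.

```python
"""Model of HA link and path monitoring as described above (added illustration,
not PAN-OS code). A monitor group fails when 'any' member (the default) or 'all'
members are down; an IP address counts as down after ten consecutive failed pings."""
from dataclasses import dataclass, field

PING_FAIL_THRESHOLD = 10  # default: ten failed pings before an address is unreachable


@dataclass
class MonitorGroup:
    name: str
    members: list           # interface names (link group) or IP addresses (path group)
    condition: str = "any"  # "any" (default) or "all"

    def failed(self, down) -> bool:
        """True when this group's failure condition is met for the given down set."""
        down_members = [m for m in self.members if m in down]
        if self.condition == "all":
            return len(down_members) == len(self.members)
        return bool(down_members)


@dataclass
class PathMonitor:
    consecutive_failures: dict = field(default_factory=dict)

    def record_ping(self, ip: str, ok: bool) -> None:
        """A successful reply resets the failure count; a miss increments it."""
        if ok:
            self.consecutive_failures[ip] = 0
        else:
            self.consecutive_failures[ip] = self.consecutive_failures.get(ip, 0) + 1

    def unreachable(self) -> set:
        """Addresses that have crossed the failed-ping threshold."""
        return {ip for ip, n in self.consecutive_failures.items() if n >= PING_FAIL_THRESHOLD}


def should_failover(link_groups, path_groups, links_down, path_monitor) -> bool:
    """Failover is triggered if any configured link or path group reports failure."""
    if any(group.failed(links_down) for group in link_groups):
        return True
    unreachable = path_monitor.unreachable()
    return any(group.failed(unreachable) for group in path_groups)
```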

The PA-3000, PA-5000, and PA-7000 series firewalls can also force a failover if an internal system health check fails. The health check is not configurable and is enabled to monitor critical components such as the field programmable gate arrays and CPUs.

General health checks can also cause a failover on any platform.

The failover will also occur if the firewall is suspended, or if pre-emption occurs.

HA Timer Profiles

High Availability timer profiles define the parameters associated with detecting failures and triggering failover.

Rather than configuring the seven individual high availability timers, complexity can be reduced by selecting a preset profile. The Advanced profile gives access to and control over each of the seven timers.

The recommended profile is used for typical failover times, whilst the aggressive profile is used for faster failover time settings.

Note that these preset values can change between PAN-OS releases.

Heartbeat Backup on the Management Port

Enabling heartbeat backup on the management port can help prevent split brain operation, as redundant heartbeats and hello messages are transmitted over the management port on the management plane.

Because the heartbeat is an ICMP ping, the management interface must have ping enabled if it is configured for heartbeat backup.

Active/Passive High Availability Startup

The firewall remains in the INITIAL state after boot-up until it discovers a peer and negotiation begins. After a 60 second timeout, the firewall becomes ACTIVE if HA negotiation has not started.

The ACTIVE state is the normal traffic-handling state of the active firewall in an active/passive configuration.

The PASSIVE state is the normal state of the passive firewall in an active/passive configuration. The passive firewall is synchronising flow state, run-time objects, and configuration.

If passive link state is configured, the passive firewall runs routing protocols and monitors link and path state. The passive firewall pre-negotiates LACP and LLDP if LACP and LLDP pre-negotiation are configured. The firewall does not process any other types of traffic.

A firewall in the SUSPENDED state cannot participate in the election process and become either active or passive. To suspend a firewall, click Device -> High Availability -> Operational Commands and click the Suspend local device link.

To re-activate the firewall, click the Make local device functional link.

The NON-FUNCTIONAL state is an error state due to a data-plane failure or configuration mismatch.

Firewall states and their descriptions:

  • INITIAL: Transient state of a firewall until it joins the HA pair. The firewall remains in this state after boot-up until it discovers a peer and negotiation begins.
  • ACTIVE: Normal traffic-handling state.
  • PASSIVE: Normal traffic is discarded; the firewall might process LLDP and LACP traffic.
  • SUSPENDED: Administratively disabled.
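An added model (not PAN-OS code) of the behaviour described in the Designating an Active Firewall section and the startup states above: the lower priority value wins the active role, a recovered firewall only retakes it when pre-emption is enabled on both devices, a SUSPENDED firewall sits out the election, and a lone firewall leaves INITIAL after the 60 second timeout. Firewall names and priority values are constructed.

```python
"""Active/passive election and state model (added illustration, not PAN-OS code).
Lower device-priority value is preferred; pre-emption is off by default."""
from dataclasses import dataclass

INITIAL_TIMEOUT_S = 60  # a lone firewall leaves INITIAL for ACTIVE after this long

@dataclass
class Firewall:
    name: str
    priority: int             # lower value = preferred active firewall
    preemptive: bool = False  # pre-emption is disabled by default
    state: str = "INITIAL"
    seconds_in_initial: int = 0

def negotiate(a, b):
    """Both firewalls discover each other: the lower priority value wins the
    active role. A SUSPENDED firewall cannot take part in the election."""
    candidates = sorted((fw for fw in (a, b) if fw.state != "SUSPENDED"),
                        key=lambda fw: fw.priority)
    if not candidates:
        return
    candidates[0].state = "ACTIVE"
    for fw in candidates[1:]:
        fw.state = "PASSIVE"

def peer_failed(failed, survivor):
    """Hellos and heartbeats from the active peer stop: the passive firewall takes over."""
    failed.state = "NON-FUNCTIONAL"
    survivor.state = "ACTIVE"

def peer_recovered(recovered, current_active):
    """A repaired firewall re-joins the pair. It resumes the active role only if
    pre-emption is enabled on both devices and it has the better priority value;
    otherwise it stays PASSIVE so an administrator can investigate the failure."""
    if (recovered.preemptive and current_active.preemptive
            and recovered.priority < current_active.priority):
        recovered.state, current_active.state = "ACTIVE", "PASSIVE"
    else:
        recovered.state = "PASSIVE"

def tick_initial(fw, seconds):
    """With no peer discovered, a firewall becomes ACTIVE after the 60 s timeout."""
    if fw.state == "INITIAL":
        fw.seconds_in_initial += seconds
        if fw.seconds_in_initial >= INITIAL_TIMEOUT_S:
            fw.state = "ACTIVE"
```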

Monitor Firewall States

The state of the individual firewalls in a high availability pair can be monitored from the Dashboard tab of the web interface. A colour-coded display shows the status of the major high availability components: green for good, yellow for passive, and red for critical.

Synchronisation of the firewalls must be initiated manually the first time a firewall pair is connected.

This is required to prevent administrators accidentally setting the wrong firewall as active and overwriting the configuration they wish to push to the peer.

Even though Sync to Peer is available on the passive device, it should only be run from the active device, or the current configuration on the active device may be overwritten with an earlier, out-of-date configuration.
