

Kritika Sharma
Epm# 7608
High Availability
Use: to remove the dependency on a single firewall (no single point of failure).
HA1 logs: less mp-log ha_agent.log
Modes
Active/Active
Active/Passive
Link monitoring daemon: brdagent
HA1 daemon: ha_agent
HA2 daemon: PAN-DHA (session sync)
HA1 = control link (management plane, typically an out-of-band port); HA2 = data link (data plane, in-band port)
*** The passive device does not participate in traffic (no ARP learning, no packet forwarding) and does not answer broadcasts, so the switch cannot learn the passive firewall's MAC address until a failover triggers gratuitous ARP (GARP). ***
Non-monitored traffic: PAN-OS upgrades and licensing are management-plane work and are not monitored for failover.

Election settings
Lowest = best
Default device priority: 100
Group ID: 1-63, must be the same on both firewalls
Both Active (split brain)
The passive firewall sends hello/heartbeat (raw ping) messages to the active firewall at the heartbeat interval (these notes say every 20 s; the PAN-OS default is 1000 ms, 2000 ms on some platforms). If three consecutive messages are answered late or not at all, the passive declares itself active while the original active is still active: split brain.
Dedicated HA ports: PA-800 and PA-3000/5000/7000 series
Election order:
1. Priority: the lower priority value wins
2. If equal: the lower MAC address wins
3. If still equal: the lower IP address wins
Hold timers
Preemption hold time: after a failover, the firewall with the better priority waits this long before taking the active role back. Preemption means forcibly taking control back; it must be enabled on both firewalls.
Promotion hold time: how long the passive peer waits, after losing contact with the active, before declaring itself active.
Prerequisites to form an HA pair
1. Same PAN-OS version (including plugins, e.g. 9.0.0)
2. Same hardware model
3. Same plugins on both peers
4. Configuration (synced over HA1 once the pair forms)
5. Same licenses
Maximum number of flaps (active to non-functional): 3
HA2 responsibility
Session sync: works at Layer 2 by default (no IP address needed), handled by the PAN-DHA daemon.
It copies all sessions from the active firewall to the passive.
HA1 responsibility
Control-plane sync: requires an IP address on the HA1 interface.
1. Heartbeats: ICMP (raw ping) messages between the peers; the hello messages use TCP port 28769. (These notes describe them as passive to active; in practice both peers send them.)
After 3 consecutive flaps the firewall is suspended.
Link monitoring
Applies to Ethernet interfaces.
Failure condition per link group: Any (any monitored interface down) or All (all interfaces in the group down); the group condition is what triggers the failover.
Path monitoring
Checks upstream and downstream devices by pinging destination IP addresses reached through the virtual router's routes; if the pings fail, the path is declared down.
HA1: TCP port 28769 with the ha_agent daemon for clear-text communication with the peer (the default, and what we configured).
TCP port 28 for encrypted communication (SSH), after a key exchange between the peers.
HA1 backup: TCP port 28770; carries the heartbeats and hello messages when HA1 is down.
Who generates heartbeats?
Both peers exchange heartbeats at the heartbeat interval (these notes say every 20 s from passive to active; the PAN-OS default is 1000 ms, 2000 ms on some platforms).
Path monitoring of routers/switches: a ping every 200 ms (default); once the configured ping count is missed the path is declared down and failover occurs (these notes give 2 misses; the PAN-OS default ping count is 10).
If the active firewall does not reply to 3 consecutive pings, the passive declares itself active.
2. Hello message (active to passive)
Carries an MD5 hash of the active firewall's running configuration (HA-running-config.local.xml).
The passive compares the previous hash value with the new one; if they differ, it runs a config sync.
3. State sync (who is who)
A. Initial: after boot the firewall stays here (these notes say 60 s) for peer discovery and negotiation of who is active and who is passive; if no peer is found it becomes active.
B. Active: the operational, traffic-handling state (won the election: lower priority, or lower MAC/IP on a tie).
C. Passive: normal backup state; the traffic interfaces are kept up or down depending on the passive link state setting. The passive leaves this state on failover, when it sends GARP.
D. Tentative: Active/Active only; a firewall enters it when link or path monitoring fails or the peer becomes unreachable, and returns to its normal state once the condition clears.
E. Suspended: after 3 flaps
Active - Non-functional - Passive - Active
Active - Non-functional - Passive - Active
Active - Non-functional - Passive - Active
Suspended
The firewall is taken out of the HA pair (no traffic, no sync) until an administrator makes it functional again.
F. Non-functional: the firewall is in an error state (for example a failed monitor or a version mismatch).
4. Config sync: triggered as described under the hello message.
5. Compatibility exchange: messages in TLV format, comparing:
● Same PAN-OS version (including plugins, e.g. 9.0.0)
● Hardware model
● Plugins
● Configuration
● Licenses
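As an added example, not code from these notes or from Palo Alto Networks, the following Python model ties together the election rules, preemption hold time and the flap rule from the sections above: lower priority wins, MAC then IP break a tie (as the notes state), preemption must be on for both peers, and each completed active -> non-functional -> passive -> active cycle counts as one flap until the peer is suspended at the maximum flap count. The names (`Peer`, `HAPair`, `elect`), the 60 s preemption hold and the simplified flap accounting are assumptions for illustration.

```python
"""Election, preemption and flap counting of an Active/Passive pair as described in these
notes. Added illustration, not Palo Alto Networks code: the timers, the tie-breakers and the
'A -> NF -> P -> A counts as one flap' rule are taken from the notes and simplified."""
from dataclasses import dataclass
from enum import Enum
from ipaddress import ip_address


class State(Enum):
    INITIAL = "initial"
    ACTIVE = "active"
    PASSIVE = "passive"
    NON_FUNCTIONAL = "non-functional"
    SUSPENDED = "suspended"


@dataclass
class Peer:
    name: str
    group_id: int = 1                 # 1-63, must match on both peers
    priority: int = 100               # default 100, lower is better
    mac: str = "00:00:00:00:00:00"    # tie-breaker per the notes: lower wins
    ip: str = "0.0.0.0"               # HA1 address, second tie-breaker per the notes
    preemptive: bool = False          # must be enabled on both peers to take effect
    state: State = State.INITIAL
    flaps: int = 0


def can_form_pair(a: Peer, b: Peer) -> bool:
    """HA1 only comes up when both peers use the same group ID in the range 1-63."""
    return a.group_id == b.group_id and 1 <= a.group_id <= 63


def election_key(p: Peer):
    return (p.priority, int(p.mac.replace(":", ""), 16), int(ip_address(p.ip)))


def elect(a: Peer, b: Peer) -> Peer:
    """Lower priority wins; ties broken by lower MAC, then lower IP (as these notes state)."""
    return min((a, b), key=election_key)


class HAPair:
    def __init__(self, a: Peer, b: Peer, max_flaps: int = 3,
                 preemption_hold_ms: int = 60_000):
        if not can_form_pair(a, b):
            raise ValueError("group ID mismatch or out of range: HA1 will not come up")
        self.a, self.b = a, b
        self.max_flaps = max_flaps
        self.preemption_hold_ms = preemption_hold_ms
        winner = elect(a, b)
        winner.state = State.ACTIVE
        self.other(winner).state = State.PASSIVE

    def other(self, p: Peer) -> Peer:
        return self.b if p is self.a else self.a

    def states(self):
        return (self.a.state.value, self.b.state.value)

    def monitor_failure(self, p: Peer) -> None:
        """Link or path monitoring fails on the active peer: it goes non-functional and the
        passive peer takes over (failover)."""
        if p.state is not State.ACTIVE:
            raise ValueError(f"{p.name} is {p.state.value}, only the active peer fails over")
        p.state = State.NON_FUNCTIONAL
        self.other(p).state = State.ACTIVE

    def recover(self, p: Peer, elapsed_ms: int) -> State:
        """A non-functional peer returns as passive. If preemption is enabled on both peers,
        it wins the election and the preemption hold time has elapsed, it takes the active role
        back; completing active -> non-functional -> passive -> active is one flap, and on
        reaching max_flaps the peer is suspended instead of promoted."""
        if p.state is not State.NON_FUNCTIONAL:
            raise ValueError(f"{p.name} is {p.state.value}, not non-functional")
        other = self.other(p)
        p.state = State.PASSIVE
        preempt = (p.preemptive and other.preemptive and elect(p, other) is p
                   and elapsed_ms >= self.preemption_hold_ms)
        if not preempt:
            return p.state
        p.flaps += 1
        if p.flaps >= self.max_flaps:
            p.state = State.SUSPENDED         # out of the pair until an admin clears it
        else:
            p.state, other.state = State.ACTIVE, State.PASSIVE
        return p.state


def demo():
    """Three monitoring failures on the preferred peer with preemption on both sides."""
    fw1 = Peer("fw1", priority=90, mac="00:1b:17:00:00:01", ip="10.0.0.1", preemptive=True)
    fw2 = Peer("fw2", priority=100, mac="00:1b:17:00:00:02", ip="10.0.0.2", preemptive=True)
    pair = HAPair(fw1, fw2)
    history = [pair.states()]
    for _ in range(3):
        pair.monitor_failure(fw1)
        pair.recover(fw1, elapsed_ms=60_000)
        history.append(pair.states())
    return history


if __name__ == "__main__":
    for step, states in enumerate(demo()):
        print(step, states)
```

Running `demo()` shows why a flapping preferred peer with preemption enabled is dangerous: it keeps taking the active role back after every recovery until the flap counter suspends it, and only then does the pair settle with the other firewall active. Without preemption the recovered peer simply stays passive.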
# Imp
HA1 and HA1 backup should be on different subnets.
HA1 backup and HA2 backup interfaces are optional.
Sync to the peer starts only once the peer has been identified over HA1.
Based on HA1 the pair decides who is active and who is passive:
● Compatibility exchange
● State sync (who is who)
● Hello messages
● The first config sync is manual
Question: I'm not able to see the config on the peer after finishing the configuration?
Answer: The very first config sync is manual.
Initially both firewalls are out of sync: a manual config sync is needed to bring the pair into a synced state and enable automatic config sync afterwards.
# Imp - What does not sync in HA
Device-specific configuration (management interface settings, HA settings).
The passive firewall replicates the active firewall's configuration, but ACC (Application Command Center) data and logs are not synced.
# Imp - Failover cases
Case 1: The active firewall does not answer three consecutive raw ping (heartbeat) messages from the passive: failover occurs (active/passive heartbeat polling).
Case 2: The management plane does not boot up properly: failover occurs.
***The management plane makes the decisions for the data plane.***
Case 3: The priority is changed: this looks like a failover but is not one (it is a re-election, taking effect when preemption is enabled).
# Imp - Summary
Device > High Availability
HA2 failure is detected with the HA2 keep-alive.
Failover occurs when link monitoring is enabled:
1. Any monitored firewall interface goes down.
2. The HA1 link (management plane to management plane) goes down: with link monitoring enabled a failover happens; without it the pair ends up in split brain. The fix for split brain is an HA1 backup link.
3. The active firewall is busy with management-plane work; the passive waits for heartbeat replies, misses 3 in a row, waits out the promotion hold timer and declares itself active.
The management plane of the active firewall (FW1) refusing to boot also takes HA1 down.
Why is HA1 down?
If the HA1 link is down and no HA1 backup link is configured, or the HA1 backup link is configured but also down, stabilize the HA setup by suspending the "passive" firewall in an A/P setup (or the "active-secondary" in an A/A setup) to avoid split brain. This is done under Device > High Availability > Operational Commands by clicking "Suspend local device for high availability"; then proceed with troubleshooting the HA1 link.
Sync to the peer only starts once the peer has been identified.
Passive link state Auto: the passive firewall's interfaces are up but it does not participate in ARP learning or forwarding.
HA1 is down: reasons to check
1. Peer IP address 2. Own IP address 3. HA enable checkbox not set 4. Group ID not the same 5. Wrong mode selected
HA1 link down: what happens next?
Active suspended / removed from the pair -> peer unknown -> passive becomes active (no link monitoring).
HA1 link fine but the active is too busy to reply to 3 consecutive heartbeats -> passive becomes active while the active stays active: split brain.
HA2 down: session sync mismatch.
Suspend: suspend the active from the CLI with `request high-availability state suspend`, or as administrator under Device > High Availability > Operational Commands (manual suspend).
3 flaps: A-NF-P-A, A-NF-P-A, A-NF-P-A -> Suspended.
If an HA link is down, trace the physical cable and troubleshoot Layer 1 (see the KB article).
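To make the failover cases above concrete, here is an added Python model (mine, not code from these notes or from Palo Alto Networks) of the two decision points: the active side, where a link group (Any/All) or a path group (consecutive missed pings) failing makes it non-functional, and the passive side, where missed heartbeats start the promotion hold timer. The operator's view then distinguishes a clean failover from a split brain, which the notes' scenarios produce when HA1 is down with no backup, or when HA1 is fine but the active is too busy to answer. The ping count of 10, three missed heartbeats and a 2000 ms promotion hold time are assumed defaults; `ControlPath`, `simulate_passive` and the other names are illustrative.

```python
"""Failover decisions of an Active/Passive pair as described in these notes. Added example,
not Palo Alto Networks code. Assumed defaults: path-monitoring ping count 10, three missed
heartbeats before the promotion hold timer starts, promotion hold time 2000 ms."""
from dataclasses import dataclass
from typing import Optional


def link_group_failed(condition: str, interfaces: dict) -> bool:
    """Link monitoring: 'any' fails the group when one monitored interface is down,
    'all' only when every interface in the group is down."""
    if not interfaces:
        return False
    down = [name for name, up in interfaces.items() if not up]
    if condition == "any":
        return len(down) > 0
    if condition == "all":
        return len(down) == len(interfaces)
    raise ValueError(f"unknown failure condition {condition!r}")


def path_group_failed(replies: list, ping_count: int = 10) -> bool:
    """Path monitoring: the upstream/downstream destination is declared down once
    ping_count consecutive pings go unanswered. replies is oldest-first, True = answered."""
    return len(replies) >= ping_count and not any(replies[-ping_count:])


def active_side_failover(link_groups: dict, path_groups: dict, ping_count: int = 10) -> bool:
    """On the active peer: any failed link group or path group makes it non-functional,
    which hands the active role to the passive peer."""
    links = any(link_group_failed(cond, ifs) for cond, ifs in link_groups.values())
    paths = any(path_group_failed(r, ping_count) for r in path_groups.values())
    return links or paths


@dataclass
class ControlPath:
    ha1_up: bool
    ha1_backup_up: Optional[bool] = None   # None: no HA1 backup configured
    heartbeat_backup: bool = False         # heartbeats over the management port

    def peer_reachable(self) -> bool:
        """Hellos and heartbeats still flow if any control path is up."""
        return self.ha1_up or bool(self.ha1_backup_up) or self.heartbeat_backup


def passive_side_decision(missed_heartbeats: int, hold_elapsed_ms: int,
                          max_missed: int = 3, promotion_hold_ms: int = 2000) -> str:
    """Passive peer's view: it only sees whether heartbeat replies arrive. After max_missed
    consecutive misses it starts the promotion hold timer and promotes itself when it expires."""
    if missed_heartbeats < max_missed:
        return "stay-passive"
    if hold_elapsed_ms < promotion_hold_ms:
        return "wait"
    return "promote"


def outcome(decision: str, active_alive: bool) -> str:
    """Operator's view: a promotion while the old active still forwards traffic is split brain."""
    if decision != "promote":
        return decision
    return "split-brain" if active_alive else "failover"


def simulate_passive(path: ControlPath, active_responsive: bool, active_alive: bool,
                     missed_intervals: int = 3, hold_elapsed_ms: int = 2000) -> str:
    """Heartbeats flow only if some control path is up and the active peer answers them.
    active_responsive=False with active_alive=True models an active firewall whose
    management plane is too busy to answer while its data plane keeps forwarding."""
    flowing = path.peer_reachable() and active_responsive
    missed = 0 if flowing else missed_intervals
    return outcome(passive_side_decision(missed, hold_elapsed_ms), active_alive)


if __name__ == "__main__":
    scenarios = {
        "HA1 down, no backup, active alive": (ControlPath(ha1_up=False), True, True),
        "HA1 down, HA1 backup up": (ControlPath(ha1_up=False, ha1_backup_up=True), True, True),
        "HA1 fine, active MP too busy": (ControlPath(ha1_up=True), False, True),
        "HA1 fine, active MP failed to boot": (ControlPath(ha1_up=True), False, False),
    }
    for name, args in scenarios.items():
        print(f"{name}: {simulate_passive(*args)}")
```

The four scenarios at the bottom reproduce the notes' cases: only the one where the active is really dead is a clean failover; the HA1-down case without a backup and the busy-management-plane case both end with two active firewalls, and adding an HA1 backup (or heartbeat backup) turns the HA1 failure into a non-event because heartbeats keep flowing.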
● A firewall is divided into a management plane (configuration, login, reporting) and a data plane (interfaces and traffic).
Management-plane daemons:
● ha_agent: HA1
● PAN-DHA: HA2 session sync
● brdagent: link monitoring, link flapping
● authd: authentication
● routed (management plane): learns all candidate routes
● mprelay: twin daemon of routed, pushes the best routes to the data plane
● ikemgr: IPsec phase 1 (IKE)
● TunnD (as named in these notes): IPsec phase 2
● sslvpn: GlobalProtect daemon
● rcvr: log receiver
● mgmtsrvr (management server): configuration management
● URL filtering daemon
Active/Active
Both firewalls forward traffic.
Active-primary
Active-secondary
To track which firewall handles which traffic (session owner / session setup) the peers forward packets to each other over HA3.
Example: the session ID was created on the active-primary but the traffic is now arriving at the secondary firewall; this is asymmetric routing, handled by forwarding over HA3.
Firewall constantly disconnecting from Panorama
1. Check IP connectivity between the devices.
2. Make sure port 3978 is open and available from the device to Panorama.
3. Make sure that a certificate has been generated or installed on Panorama.
4. Confirm the serial number configured in Panorama (case sensitive).
5. If a permitted IP list is configured for the management interface, make sure the Panorama IP is allowed in the list. By default all IPs are allowed if no list is specified.
6. Make sure Panorama is on a version greater than or equal to that of the managed devices. Panorama can manage devices running supported PAN-OS versions of the same or a lower release.
7. Check the MTU settings on the managed device, as the value may need to be reduced. If a device on the path is fragmenting packets, communication from the managed device to Panorama will not succeed. Check the MTU settings on intermediate routers as well.
8. Verify that there is not a large time difference between the clock (date/time) on Panorama and the clock (date/time) on the managed device.
Panorama
• Panorama is a centralized management tool used to manage firewall configuration, log management and reporting.
1. Legacy mode
Only the VM-Series Panorama can be configured in legacy mode.
Only one virtual disk is supported at a time.
52 GB system disk space required, of which 11 GB is used for log storage.
Used for managing firewall configuration; logs are forwarded, but disk space is limited.
2. Panorama mode
i. From 8.0 onward, a VM Panorama can be configured in mixed mode.
ii. What is mixed mode? It can be used to manage firewalls and be configured as a log collector at the same time.
iii. Cannot be configured as a dedicated logger.
iv. 81 GB system disk space is required.
v. Virtual disks can be added for log collection. Each disk can be up to 2 TB.
3. Management Only mode
a. Introduced in PAN-OS 8.1.
b. Minimum requirement is 4 CPUs and 8 GB memory.
c. It is only responsible for managing the firewalls.
d. Log collection is not supported.
e. A Panorama running in Management-Only mode has no internal log collector, so it drops incoming logs from devices.
4. Log Collector mode
a. Introduced in 8.1 and later.
b. Minimum requirement 16 GB memory and 8 CPUs.
c. All collectors in a collector group must be the same platform.
d. Each virtual disk can be 2 TB, up to 12 disks.
e. NFS is not supported.
Management-plane processes (as listed by show system software status):
● varrcvr
● ha_agent
● ikemgr
● rasmgr
● routed
● dhcpd
● logrcvr
● websrvr
● sslmgr
● satd
● authd
● pppoed
● dnsproxyd
● cryptod
● sslvpn
● l2ctrld
● useridd