Topic starter
In a Palo Alto Networks firewall deployed in High Availability (HA) mode, performing a graceful shutdown and restart involves properly handling both the active and passive firewalls to minimize service disruption. The process ensures that the failover between the firewalls happens smoothly, and the HA pair maintains high availability during the maintenance operation.
Steps to Gracefully Shutdown and Restart a Palo Alto Firewall in HA Mode:
1. Identify the Active and Passive Units
In an HA setup, one firewall is active, handling all traffic, while the other is passive, standing by to take over in case the active unit fails.
To check the HA status and identify the active and passive units:
-
Log in to the Web Interface of the firewall.
- Navigate to Dashboard > High Availability to see the status of both units.
- The unit in the active state is the one currently processing traffic, and the unit in the passive state is idle.
-
Alternatively, you can use the CLI to verify HA status:
This will show which unit is active and which is passive.
2. Failover to the Passive Unit (Manual Failover)
Before shutting down or restarting the active firewall, you need to ensure that the passive unit becomes active to maintain service continuity.
To manually force a failover, follow these steps:
- Via Web Interface:
- Navigate to Device > High Availability > Operation.
- Click Suspend Local Device. This will force the local device to become passive and allow the other unit to take over as the active device.
- Via CLI: You can also manually suspend the local device using the following command:
This will cause the passive firewall to become active. Ensure that traffic is now passing through the passive firewall.
3. Gracefully Shut Down the Active Firewall (Now the Passive Unit)
Once failover is successful and the passive unit has taken over as active, you can proceed to shut down the firewall that was previously active.
-
Via Web Interface:
- Navigate to Device > Restart or Device > Shutdown.
- Choose the Shutdown option if you want to completely power off the firewall, or select Restart if you just want to reboot it.
-
Via CLI: To shut down the firewall gracefully, use the following command:
If you only want to reboot the device, use:
4. Wait for the Unit to Shutdown or Restart
- Once the shutdown or restart command is issued, wait for the firewall to power down or reboot.
- Note: The failover process should ensure that traffic continues to flow through the passive unit, which is now active.
5. Check HA Status
After the active firewall has been shut down or restarted, check that the passive unit (now active) is functioning correctly. Once the original active firewall comes back online, it will rejoin the HA pair as the passive unit.
- Via CLI, you can check the HA state again to ensure everything is operating as expected:
This command will show you the current HA status, indicating which unit is active and which is passive.
6. Bring the Restarted Firewall Back into HA (if it was shut down)
After the firewall that was shut down or restarted comes back online, it will automatically rejoin the HA cluster as the passive unit. You can verify this by checking the HA state.
-
Via Web Interface: Go to Device > High Availability > General and ensure that the HA pair shows both units as synchronized.
-
Via CLI: You can use the following command to verify the synchronization:
If the firewall does not automatically rejoin, you may need to manually commit the configuration or restart the HA process using the following CLI command:
This will synchronize the configurations between the two units.
Posted : 29/11/2024 6:32 pm
