
Jul 30

Palo Alto Firewall – Split-brain issue

High Availability (HA) configuration is recommended to ensure availability of the network, and most companies and organizations use device pairs to achieve this goal. In some instances HA may cause unexpected issues even when the configuration and physical cabling are correct.

One of the most common issues is called Split-brain.

Palo Alto Networks uses a private heartbeat link to monitor the health and status of each node in a high availability cluster. Split-brain occurs when the private link goes down, but the cluster nodes are still up. Each node believes that the other is no longer functioning and attempts to start services that the other is running. In some instances the link may not be down, but due to high load on the dataplane, heartbeats may be missed.

Resolution
To prevent split-brain due to missed heartbeats, the Heartbeat Backup option should be selected when configuring HA. By selecting this option, the firewalls will use the management ports to provide a backup path for heartbeat and hello messages. The option is found on the WebUI under:
Device > High Availability > General > Election Settings
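
The failure mode and the effect of Heartbeat Backup can be seen in a small model. This is an added example, not Palo Alto Networks code and not the PAN-OS election algorithm: the miss threshold `MISS_LIMIT`, the `Tick` fields, and the assumption that the management path is unaffected by dataplane load are all illustrative, and the timeline is constructed.

```python
from dataclasses import dataclass

MISS_LIMIT = 3  # assumed: consecutive missed heartbeats before the peer is declared down


@dataclass
class Tick:
    """Link conditions during one heartbeat interval (both nodes stay up throughout)."""
    ha_link_up: bool = True             # private heartbeat link is physically up
    dataplane_overloaded: bool = False  # heartbeats on that link are dropped under load
    mgmt_path_up: bool = True           # management-port path used by Heartbeat Backup


def heartbeat_received(tick, heartbeat_backup):
    """A heartbeat counts as received if any monitored path delivers it."""
    primary = tick.ha_link_up and not tick.dataplane_overloaded
    backup = heartbeat_backup and tick.mgmt_path_up
    return primary or backup


def simulate(timeline, heartbeat_backup):
    """Return the (node A, node B) roles for each interval.

    Node A starts active and node B passive. Node B promotes itself once it
    has missed MISS_LIMIT heartbeats in a row. Recovery and re-election after
    the link returns are not modelled.
    """
    missed = 0
    role_b = "passive"
    states = []
    for tick in timeline:
        missed = 0 if heartbeat_received(tick, heartbeat_backup) else missed + 1
        if missed >= MISS_LIMIT:
            role_b = "active"  # B believes A is gone and starts A's services
        states.append(("active", role_b))
    return states


def split_brain_intervals(states):
    """Indexes of intervals in which both nodes consider themselves active."""
    return [i for i, (a, b) in enumerate(states) if a == "active" and b == "active"]


# Constructed timeline: two normal intervals, four under heavy dataplane load, two normal.
TIMELINE = [Tick(), Tick()] + [Tick(dataplane_overloaded=True)] * 4 + [Tick(), Tick()]

if __name__ == "__main__":
    for enabled in (False, True):
        hits = split_brain_intervals(simulate(TIMELINE, heartbeat_backup=enabled))
        print(f"heartbeat_backup={enabled}: split-brain intervals {hits}")
```

In this model the backup path only helps while the management path itself is reachable; if both paths fail together, the pair still splits.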
