Cluster has preemption enabled for Palo Alto Networks

Vendor

Palo Alto Networks

Description

Preemption is generally a bad idea in clustering, although sometimes it is the default setting. Indeni will alert if it's on.

Remediation Steps

It is generally best to have preemption disabled. Instead, once this device returns from a crash, you can conduct the failover manually.

Palo Alto Networks firewalls have a special way of handling preemption loops. Review the following article:

Understanding Preemption with the Configured Device Priority in HA Active/Passive Mode.

How does this work?

This script uses the Palo Alto Networks API to retrieve the status of the high availability function of this cluster member and specifically the preemption setting.
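A minimal sketch of such a check follows. It is an added example, not Indeni's own script. It parses a constructed reply rather than calling a device, and the element names (`enabled`, `local-info`, `peer-info`, `preemptive`) are assumed to follow the XML output of the `show high-availability state` operational command.

```python
import xml.etree.ElementTree as ET

# Constructed sample reply (not captured from a real device). The element
# names are an assumption modeled on "show high-availability state".
SAMPLE_RESPONSE = """<response status="success"><result>
  <enabled>yes</enabled>
  <group>
    <mode>Active-Passive</mode>
    <local-info><state>active</state><priority>100</priority>
      <preemptive>yes</preemptive></local-info>
    <peer-info><state>passive</state><priority>110</priority>
      <preemptive>yes</preemptive></peer-info>
  </group>
</result></response>"""


def check_preemption(xml_text):
    """Return the HA preemption finding for one cluster member.

    Raises ValueError if the reply is not a successful API response.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "response" or root.get("status") != "success":
        raise ValueError("API call did not succeed")
    result = root.find("result")
    if result is None:
        raise ValueError("reply has no <result> element")

    ha_enabled = result.findtext("enabled", "no").strip().lower() == "yes"
    finding = {"ha_enabled": ha_enabled, "local_preemptive": None,
               "peer_preemptive": None, "alert": False}
    if not ha_enabled:
        return finding  # standalone device: there is no cluster to check

    for side in ("local", "peer"):
        value = result.findtext(f"group/{side}-info/preemptive")
        if value is not None:
            finding[f"{side}_preemptive"] = value.strip().lower() == "yes"

    # Alert on the member being queried; the peer value is informational.
    finding["alert"] = finding["local_preemptive"] is True
    return finding


if __name__ == "__main__":
    print(check_preemption(SAMPLE_RESPONSE))
```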

Why is this important?

This script uses the Palo Alto Networks API to retrieve the status of the high availability function of this cluster member and specifically the preemption setting.

Without Indeni how would you find this?

Going into a preemption loop is difficult to detect. Normally an administrator will notice service disruption. Then through manual inspection the administrator will determine there is a preemption loop.
