Cluster has preemption enabled for Palo Alto Networks


Palo Alto Networks


Preemption is generally a bad idea in clustering, although on some platforms it is the default setting. Indeni will alert if it is enabled on this cluster member.

Remediation Steps

It is generally best to leave preemption disabled. Instead, once the failed device has recovered from its crash and you have confirmed it is healthy, fail back to it manually at a time of your choosing.

Palo Alto Networks firewalls have a special way of handling preemption loops, review the following article:
Understanding Preemption with the Configured Device Priority in HA Active/Passive Mode.

How does this work?

This script uses the Palo Alto Networks API to retrieve the status of the high availability function of this cluster member and specifically the preemption setting.
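The check described above, as an added illustration rather than Indeni's own script: it builds the PAN-OS XML API operational request for `show high-availability state` and parses the reply for the local member's preemption flag. The sample reply below is constructed to match the shape of that command's output; the element names (`local-info`, `preemptive`, `priority`, `state`) are assumptions taken from the firewall's CLI output and should be verified against a real reply before this is relied on. The host name and API key are placeholders.

```python
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import quote

# Constructed sample of a PAN-OS XML API reply to
# <show><high-availability><state></state></high-availability></show>.
# Element names are assumed from the CLI output of the same command.
SAMPLE_PREEMPT_ON = b"""<response status="success">
  <result>
    <enabled>yes</enabled>
    <group>
      <mode>Active-Passive</mode>
      <local-info>
        <state>active</state>
        <priority>100</priority>
        <preemptive>yes</preemptive>
      </local-info>
      <peer-info>
        <state>passive</state>
        <priority>200</priority>
        <preemptive>yes</preemptive>
      </peer-info>
    </group>
  </result>
</response>"""

# Same shape with preemption disabled (also constructed).
SAMPLE_PREEMPT_OFF = SAMPLE_PREEMPT_ON.replace(
    b"<preemptive>yes</preemptive>", b"<preemptive>no</preemptive>")

HA_STATE_CMD = "<show><high-availability><state></state></high-availability></show>"


def ha_state_url(host, api_key):
    """Build the op-command URL. host/api_key are placeholders supplied by the caller."""
    return f"https://{host}/api/?type=op&cmd={quote(HA_STATE_CMD)}&key={quote(api_key)}"


def fetch_ha_state(host, api_key, timeout=10):
    """Retrieve the raw XML from a live firewall (not exercised offline).
    urlopen verifies the TLS certificate by default; do not disable that."""
    with urllib.request.urlopen(ha_state_url(host, api_key), timeout=timeout) as resp:
        return resp.read()


def parse_ha_state(xml_bytes):
    """Extract HA enablement and the local member's state, priority and preemptive flag."""
    root = ET.fromstring(xml_bytes)
    if root.get("status") != "success":
        raise ValueError(f"API call failed: status={root.get('status')!r}")
    if root.findtext("./result/enabled") != "yes":
        return {"ha_enabled": False}
    local = root.find("./result/group/local-info")
    if local is None:
        raise ValueError("reply has no local-info element; element names may differ")
    return {
        "ha_enabled": True,
        "mode": root.findtext("./result/group/mode"),
        "state": local.findtext("state"),
        # In PAN-OS a lower priority number means higher election priority.
        "priority": int(local.findtext("priority")),
        "preemptive": local.findtext("preemptive") == "yes",
    }


def check_preemption(xml_bytes):
    """Return (alert, message) in the spirit of the Indeni rule: alert when preemption is on."""
    info = parse_ha_state(xml_bytes)
    if not info["ha_enabled"]:
        return False, "HA not enabled on this device"
    if info["preemptive"]:
        return True, (f"Preemption is enabled (local state={info['state']}, "
                      f"priority={info['priority']}); disable it or fail back manually")
    return False, "Preemption is disabled"


if __name__ == "__main__":
    for sample in (SAMPLE_PREEMPT_ON, SAMPLE_PREEMPT_OFF):
        print(check_preemption(sample))
```

`fetch_ha_state` is only there to show where the sample bytes would come from on a real firewall; the parsing and alert logic run entirely on the embedded samples.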

Why is this important?

Preemption is a clustering function that makes the member with the higher configured priority always strive to be the active member. The trouble with this is that if the preferred member has a critical failure and reboots, the cluster fails over to the secondary and then, as soon as the preferred member finishes rebooting, immediately fails back to it. If the underlying fault is still present, this can trigger another crash, and the cycle repeats in a loop. Palo Alto Networks firewalls have a means of limiting this (the preemption handling described in the article referenced under Remediation Steps above), but it is still generally a good idea not to have the preemption feature enabled.

Without Indeni how would you find this?

A preemption loop is difficult to detect directly. Normally an administrator first notices the service disruption, and only then, through manual inspection of the HA state and logs on both members, determines that the cluster is stuck in a preemption loop.
