3.2 Ensure 'High Availability' requires Link Monitoring and/or Path Monitoring

Information

Configure Link Monitoring and/or Path Monitoring under High Availability options. If Link Monitoring is utilized, all links critical to traffic flow should be monitored.

Rationale:

If Link or Path Monitoring is not enabled, the standby router will not automatically take over as active if a critical link fails on the active firewall. Services through the firewall could become unavailable as a result.

Impact:

Not configuring High Availability (HA) correctly directly impacts the Availability of the system. With HA in place, standard maintenance such as OS updates, network and power cabling can be accomplished with no outage or a minimum impact.

Without Link and Path monitoring in particular, failover will only occur when the primary device fails completely. Link and path monitoring permits failover if a critical interface loses link (either due to cabling or an upstream switch failover), or if a route or path fails (indicating an upstream issue that affects local Layer 3).

Solution

To set Link Monitoring from GUI:
Navigate to Device > High Availability > Link and Path Monitoring.
Click Link Monitoring.
Set the correct interfaces to the Link Group and Group Failure Conditions.
Click Link Monitoring.
Set Failure Condition to Any.
Check Enabled button.
To set Path Monitoring from GUI:
Navigate to Device > High Availability > Link and Path Monitoring.
Click Path Monitoring.
Set Option correctly.
Set Failure Condition to Any.
Set Name, IP Address, Failure Condition correctly.
Set Default setting to Any.
Check Enabled button.

Default Value:

Not Configured

See Also

https://workbench.cisecurity.org/benchmarks/13792

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-13(5)

Plugin: Palo_Alto

Control ID: 01833f51f02552ebd584a376e101dd01799064c45a1db211b26aeea66e5ab2df