Rajesh Saini
CNSE6 #843274
23 April 2016
Course outline
PAN-201
Module 5: App-ID
App-ID Overview
Application Groups and Filters
Module 6: Content-ID
Antivirus
Anti-spyware
Vulnerability
URL Filtering
Module 8: Decryption
Certificate Management
Outbound SSL Decryption
Inbound SSL Decryption
Module 9: User-ID
Enumerating Users
Mapping Users to IP addresses
User-ID Agent
Module 1
Palo Alto Networks next-generation firewalls are based on the Single Pass Parallel Processing (SP3) architecture, which enables high-throughput, low-latency network security.
Palo Alto Networks addresses the performance problems that plague today's security infrastructure with the SP3 architecture, which combines two complementary components:
Single Pass software
Parallel Processing hardware
Networking: routing, flow lookup, statistics counting, NAT, and similar functions are performed on network-specific hardware.
User-ID, App-ID, and policy lookup all occur on a multi-core security engine with hardware acceleration for encryption, decryption, and decompression.
Content-ID content analysis uses a dedicated, specialized content-scanning engine.
On the control plane, a dedicated management processor (with its own disk and RAM) drives configuration management, logging, and reporting without touching the data-processing hardware.
The combination of Single Pass software and Parallel Processing hardware enables Palo Alto Networks next-generation firewalls to restore visibility and control to enterprise networks at very high levels of performance.
Flow Logic
Note: The firewall must have Internet access so that it can download licenses and the latest version of PAN-OS. Before you start, confirm that the firewall can reach the server from which it downloads licenses and updates, updates.paloaltonetworks.com (for example, by pinging it from the firewall).
Module 2
You will now activate your licenses. Go to Device > Licenses. The following screen appears.
Select Activate feature using authorization code. Locate the email you received from Palo Alto Networks customer service that lists the subscriptions you purchased and the associated authorization codes. Enter the codes now. After you enter each code, confirm that the license was accepted, as follows.
Confirm that the device is registered and has access to the update server.
Go to Device > Software. You will see the message "Error: No update information available". At the bottom of the page, click Check Now. If you receive an error that the device is not registered, or some other error, troubleshoot connectivity before you proceed.
If there are no errors, a list of the latest versions of PAN-OS appears:
To download the latest databases, select Device > Dynamic Updates and click Check
Now. You will see an updated list of the various databases. Your screen will look similar
to the following:
Administrative
A role defines the type of access the associated administrator has to the system.
There are two types of roles you can assign:
Module 3
Virtual Routers
Virtual routers allow you to segment routing updates into and out of the firewall/router.
The firewall uses virtual routers to obtain routes to other subnets, either by manually defining routes (static routes) or by participating in Layer 3 routing protocols (dynamic routes). The best routes obtained through these methods populate the firewall's IP route table. When a packet is destined for a different subnet, the virtual router looks up the best (longest-prefix) match for the destination in this route table and forwards the packet to the next-hop router defined there.
Navigation GUI
Module 4
Security Policy
NAT
Network address translation (NAT) was designed to address the depletion of the IPv4 address space. Since then, NAT has been used not only to conserve IP addresses but also to hide the real IP addresses of hosts, giving private LAN users access to public networks through a small set of public addresses. Note that address hiding is not a substitute for security policy: what a translated host may reach is still decided by the security rules.
Life of a packet
The following diagram captures the packet-processing sequence when NAT is involved. Note that the firewall evaluates NAT rules, and so determines the post-NAT destination zone, before the security policy lookup: a security rule must therefore match the pre-NAT source and destination addresses but the post-NAT destination zone.
Module 5
App-ID
Traffic classification is at the heart of any firewall, because your classifications form the basis of your security policies.
Traditional firewalls classify traffic by port and protocol.
Simply put, the traffic-classification limitations of port-based firewalls make them unable to protect today's networks, where applications hop ports, tunnel inside other protocols, or run over port 80 and 443. That is why Palo Alto Networks developed App-ID.
Finally, App-ID's behavioral botnet report and logging tools can tell you whether the traffic is a threat, and policy can take an appropriate action if it is.
Module 6
Content-ID provides fully integrated protection from vulnerability exploits, malware and malware-generated command-and-control traffic. Threat prevention is applied in full application and protocol context across all traffic and all ports, so that threats are detected and blocked despite evasion attempts.
The threat prevention technologies include:
IPS: IPS functionality blocks vulnerability exploits, buffer overflows, DoS attacks and port scans. Additional capabilities, such as blocking invalid or malformed packets, IP defragmentation and TCP reassembly, protect against the evasion and obfuscation methods used by attackers.
Stream-based network antivirus: Palo Alto Networks maintains a database of more than 15 million malware samples and analyzes an additional 50,000 samples every day (figures quoted at the time of this course). Malware is detected by a stream-based engine that blocks in-line at high speed. Malware enforcement is available across a variety of protocols, including HTTP, SMTP, IMAP, POP3, FTP and SMB.
URL Filtering
The data filtering features in Content-ID enable you to implement policies that reduce the risks associated with the transfer of unauthorized files and data.
File blocking by type: Control the flow of a wide range of file types by looking within the payload to identify the file type (as opposed to trusting the file extension, which an attacker can freely choose).
Data filtering: Control the transfer of sensitive data patterns such as credit card and social security numbers in application content or attachments.
File transfer function control: Control file transfer functionality within an individual application, allowing application use while preventing undesired inbound or outbound file transfers.
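The following Python is an added example written for this edit; it is not the firewall's code and does not come from the course deck. It shows the two data-filtering ideas above: a file is identified by its leading bytes rather than by its extension, and a credit card pattern is only reported when it passes the Luhn check, which keeps random 13-16 digit numbers out of the data-filtering log. The signature table, the blocked-type set and all sample files and numbers are constructed for the example.

```python
"""Added example (not PAN-OS code): payload-based file typing and
Luhn-checked credit card detection. All samples are constructed."""
import re

# Leading bytes ("magic numbers") for a few common file types.
MAGIC = [
    (b"MZ", "pe"),                                   # Windows executable
    (b"\x7fELF", "elf"),                             # Linux executable
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),                          # also docx/xlsx/jar
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),    # legacy .doc/.xls
]


def identify(payload: bytes) -> str:
    """Return the file type from the payload alone, or 'unknown'."""
    for signature, kind in MAGIC:
        if payload.startswith(signature):
            return kind
    return "unknown"


def file_blocking(filename: str, payload: bytes, blocked_types) -> tuple:
    """Return (decision, detected_type). The extension in `filename`
    is deliberately ignored: a PE renamed to .pdf is still a PE."""
    kind = identify(payload)
    decision = "block" if kind in blocked_types else "allow"
    return decision, kind


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


# 13-16 digits, optionally separated by spaces or dashes, not inside a longer run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,16}(?!\d)")


def find_cards(text: str) -> list:
    """Return the card numbers in `text` that pass the Luhn check."""
    hits = []
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            hits.append(digits)
    return hits


if __name__ == "__main__":
    # Constructed samples: an executable disguised as a PDF, a real PDF with
    # an .exe name, and a text with one valid and two invalid card-like numbers.
    print(file_blocking("report.pdf", b"MZ\x90\x00\x03", {"pe", "elf"}))
    print(file_blocking("setup.exe", b"%PDF-1.4 ...", {"pe", "elf"}))
    print(find_cards("card 4111 1111 1111 1111 and 4111111111111112, ref 1234567890123"))
```

The Luhn filter does not prove a number is a card, only that it is structurally plausible; a real data-filtering profile combines it with a minimum hit count so that a single invoice number does not trigger a block.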
Module 7
WildFire
Protection from unknown malware and zero-day exploits: Criminals have increasingly turned to unknown malware and exploits to avoid traditional security controls. Palo Alto Networks addresses this challenge with WildFire, which identifies unknown malware, zero-day exploits, and Advanced Persistent Threats (APTs) by observing their actual behavior in a virtualized environment instead of relying solely on pre-existing signatures.
Integration of the firewall and the cloud: To support dynamic malware analysis across the network at scale, WildFire is built on a cloud-based architecture that your existing Palo Alto Networks next-generation firewall can use with no additional hardware. The in-line firewall captures unknown files and performs enforcement while maintaining high network throughput and low latency.
WildFire virtualized sandbox: WildFire is an advanced virtual malware analysis environment, purpose-built for high-fidelity hardware emulation, that analyzes suspicious samples as they execute. The cloud-based service detects and blocks targeted and unknown malware, exploits, and outbound C2 activity by observing their actual behavior rather than relying on pre-existing signatures.
Automated signature generation: When a sample is identified as malicious, WildFire automatically generates protections and delivers them to all WildFire customers globally in as little as 30 minutes.
Module 7
Decryption
Palo Alto Networks firewalls can decrypt and inspect traffic for visibility, control, and granular security. Decryption on a Palo Alto Networks firewall includes the capability to enforce security policy on encrypted traffic, which otherwise could not be blocked or shaped according to your configured security settings. Use decryption to prevent malicious content from entering your network, or sensitive content from leaving it, concealed as encrypted traffic.
Decryption Concepts
To learn about keys and certificates for decryption, decryption policies, and decryption port mirroring, see the following topics:
For example, if an employee is using her Gmail account from the corporate office and opens an email attachment that contains a virus, SSL Forward Proxy decryption lets the firewall see the attachment and prevent the virus from infecting the client system and entering the corporate network.
With SSL Forward Proxy decryption, the firewall sits between the internal client and the outside server and terminates the SSL session on each side. It uses a Forward Trust certificate to re-sign the server's certificate when the server's certificate chain validates, and a Forward Untrust certificate when it does not, so that the client still sees a certificate warning for servers the firewall could not verify. The Forward Trust CA must be installed in the clients' trust stores; otherwise every decrypted site produces a warning and users learn to click through them.
For example, if an employee is remotely connected to a web server hosted on the company network and is attempting to add restricted internal documents to his Dropbox folder (which uses SSL for data transmission), SSL Inbound Inspection can be used to ensure that the sensitive data does not move outside the secure company network, by blocking or restricting the session.
Configuring SSL Inbound Inspection includes importing the targeted server's certificate and private key onto the firewall. Because the firewall holds the server's key, it can recover the session keys of the SSL session between the client and the server and decrypt and inspect the traffic transparently, rather than functioning as a proxy. The firewall can then apply security policy to the decrypted traffic, detecting malicious content and controlling applications running over this secure channel.
Note: Passive decryption with the server's private key only works when the session key is derived from that key, that is, with RSA key exchange. Cipher suites with forward secrecy (DHE/ECDHE) cannot be decrypted this way, so check which suites the protected server offers before relying on inbound inspection.
SSH Proxy
SSH Proxy provides the capability for the firewall to decrypt inbound and outbound SSH connections passing through the firewall, in order to ensure that SSH is not being used to tunnel unwanted applications and content. SSH decryption does not require any certificates; the key used for SSH decryption is generated automatically when the firewall boots. During boot, the firewall checks whether a key already exists and, if not, generates one. This key is used for decrypting SSH sessions for all virtual systems configured on the device and for all SSH v2 sessions.
In an SSH Proxy configuration, the firewall resides between a client and a server. When the client sends an SSH request to the server, the firewall intercepts the request and forwards its own SSH request to the server. The firewall then intercepts the server's response and answers the client, establishing one SSH tunnel between the client and the firewall and another between the firewall and the server, with the firewall functioning as a proxy.
Note: Because the client now negotiates with the firewall's key rather than the server's host key, clients that have cached the server's host key (for example in known_hosts) will see a host-key-changed warning the first time the session is proxied.
Content and threat inspection is not performed on SSH tunnels; however, if the firewall identifies SSH port forwarding (an SSH tunnel), the tunneled traffic is blocked or restricted according to the configured security policy.
Decryption Exceptions
Traffic can be excluded from decryption in two ways: by matching criteria in a decryption policy rule whose action is no-decrypt, or by marking a specific server's certificate as an exclusion.
You can use a decryption policy to exclude traffic from decryption based on source, destination, service, and URL category.
For example, with SSL decryption enabled, you can exclude traffic categorized as financial or health-related from decryption by using the URL category selection.
For individual servers whose traffic breaks when decrypted (for example, applications that use client certificate authentication or certificate pinning), you can exclude those servers from decryption by importing the server certificate onto the firewall and marking it as an SSL Exclude Certificate.
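The following Python is an added example for this edit, not PAN-OS code, modelling how the exceptions above are evaluated: an ordered decryption rule base where the first matching rule decides, with no-decrypt rules for URL categories and a source segment ahead of the general decrypt rule, plus a per-server exclusion list consulted first. The firewall derives the URL category of a TLS session before decrypting it, from the server name in the ClientHello or the server certificate; this example takes the category as an input and does not perform that lookup. Rule names, addresses and the excluded certificate fingerprint are constructed.

```python
"""Added example (not PAN-OS code): evaluating decryption exceptions.
Rules, addresses and the exclusion fingerprint are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass
class DecryptRule:
    name: str
    action: str                  # "decrypt" or "no-decrypt"
    source: str = "any"          # CIDR or "any"
    destination: str = "any"     # CIDR or "any"
    service: str = "any"         # e.g. "tcp/443" or "any"
    url_category: str = "any"    # category name or "any"


def _match(field: str, value: str) -> bool:
    """'any' matches everything; CIDR fields contain the address;
    other fields (service, category) must be equal."""
    if field == "any":
        return True
    try:
        return ipaddress.ip_address(value) in ipaddress.ip_network(field)
    except ValueError:           # not an address/CIDR pair
        return field == value


def decide(rules, excluded_certs, src, dst, service, category, server_cert_fp):
    """Return (action, reason). SSL Exclude Certificates win over policy;
    otherwise the first matching rule decides; no match means no decryption."""
    if server_cert_fp in excluded_certs:
        return "no-decrypt", "ssl-exclude-certificate"
    for rule in rules:
        if (_match(rule.source, src) and _match(rule.destination, dst)
                and _match(rule.service, service)
                and _match(rule.url_category, category)):
            return rule.action, rule.name
    return "no-decrypt", "default"


# Constructed policy: category and segment exceptions ahead of the decrypt rule.
POLICY = [
    DecryptRule("no-decrypt-financial", "no-decrypt", url_category="financial-services"),
    DecryptRule("no-decrypt-health", "no-decrypt", url_category="health-and-medicine"),
    DecryptRule("no-decrypt-pci-segment", "no-decrypt", source="10.9.0.0/16"),
    DecryptRule("decrypt-outbound", "decrypt", source="10.0.0.0/8", service="tcp/443"),
]
# Constructed fingerprint of a pinned-certificate server that must not be decrypted.
EXCLUDED_CERTS = {"sha256:constructed-example-fingerprint"}


if __name__ == "__main__":
    for args in [("10.1.1.5", "198.51.100.10", "tcp/443", "financial-services", "x"),
                 ("10.1.1.5", "198.51.100.10", "tcp/443", "social-networking", "x"),
                 ("10.9.3.3", "198.51.100.10", "tcp/443", "social-networking", "x")]:
        print(args[:4], "->", decide(POLICY, EXCLUDED_CERTS, *args))
```

Rule order matters exactly as it does for security policy: if the decrypt rule were listed first, the financial and health exceptions would never be reached.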
Decryption Port Mirroring
This feature is intended for organizations that require comprehensive data capture for forensic and historical purposes or for data leak prevention (DLP). Decryption port mirroring is available on the PA-7050, PA-5000 Series and PA-3000 Series platforms only, and requires that a free license be installed to enable it. The mirrored traffic is plaintext, so the mirror port must connect only to a trusted collection network.
Policy-Based Forwarding
Normally, the firewall uses the destination IP address in a packet to determine the outgoing interface: it performs a route lookup in the routing table of the virtual router to which the ingress interface belongs. Policy-Based Forwarding (PBF) lets you override the routing table and specify the outgoing (egress) interface based on parameters such as source or destination IP address, source zone, or type of traffic (application or service).
PBF Example
NAT Rule
Security Rule
PBF Rule
Routing
You need to configure the default route toward the backup ISP, 192.168.138.1, out of eth1/4, so that traffic not matched by the PBF rule still has a path.
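The following Python is an added example written for this edit, not PAN-OS code or material from the course deck; it serves both the Virtual Routers section and the PBF example above. It shows the order of the two lookups: a PBF rule is checked first and, if it matches, dictates the egress interface and next hop; otherwise the virtual router's route table decides by longest-prefix match. The only value taken from the slide is the backup-ISP default route 192.168.138.1 via eth1/4; the LAN prefix, the primary-ISP interface and next hop, and the PBF rule are constructed.

```python
"""Added example (not PAN-OS code): PBF lookup ahead of the virtual router's
route table. All addresses and rule contents are constructed except the
backup-ISP default route from the slide."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str
    interface: str
    metric: int = 10            # lower wins among equal-length prefixes


@dataclass
class PbfRule:
    name: str
    source_zone: str
    source: ipaddress.IPv4Network
    destination: ipaddress.IPv4Network
    application: str            # "any" matches every application
    egress_interface: str
    next_hop: str


def route_lookup(table, dst):
    """Longest-prefix match over the route table; ties broken by metric."""
    dst = ipaddress.ip_address(dst)
    candidates = [r for r in table if dst in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.prefix.prefixlen, -r.metric))


def pbf_lookup(rules, zone, src, dst, app):
    """First matching PBF rule wins, as with security policy."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if (rule.source_zone == zone and s in rule.source and d in rule.destination
                and rule.application in ("any", app)):
            return rule
    return None


def forward(zone, src, dst, app, rules, table):
    """Return (egress_interface, next_hop, decided_by) for one packet."""
    rule = pbf_lookup(rules, zone, src, dst, app)
    if rule:
        return rule.egress_interface, rule.next_hop, "pbf:" + rule.name
    route = route_lookup(table, dst)
    if route is None:
        return None, None, "no-route"
    return route.interface, route.next_hop, "route:" + str(route.prefix)


# Constructed route table: a connected LAN plus the default route to the backup ISP.
ROUTE_TABLE = [
    Route(ipaddress.ip_network("10.1.1.0/24"), "0.0.0.0", "eth1/2"),
    Route(ipaddress.ip_network("0.0.0.0/0"), "192.168.138.1", "eth1/4"),
]
# Constructed PBF rule: web traffic from the trust LAN leaves via the primary ISP.
PBF_RULES = [
    PbfRule("web-via-isp1", "trust", ipaddress.ip_network("10.1.1.0/24"),
            ipaddress.ip_network("0.0.0.0/0"), "web-browsing", "eth1/3", "203.0.113.1"),
]


if __name__ == "__main__":
    print(forward("trust", "10.1.1.20", "198.51.100.5", "web-browsing", PBF_RULES, ROUTE_TABLE))
    print(forward("trust", "10.1.1.20", "198.51.100.5", "ssh", PBF_RULES, ROUTE_TABLE))
    print(forward("dmz", "10.2.2.2", "10.1.1.9", "web-browsing", PBF_RULES, ROUTE_TABLE))
```

The third call shows why the default route alone is not enough: a packet for the connected LAN must still win the longest-prefix match, otherwise it would be sent to the backup ISP.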
DOS Protection
A Denial of Service (DoS) attack is an attempt to disrupt network services by overloading the network with unwanted traffic. PAN-OS DoS protection features protect your firewall, and in turn your network resources and devices, from being exhausted or overwhelmed by network floods, host sweeps, port scans and packet-based attacks. The DoS protection features provide flexibility by varying the granularity of protection, and usability through a variety of options that cover most of the attacks in the current DoS landscape.
DOS Protection
A DoS protection policy can accomplish some of the same things a Zone Protection profile does, but there are a few key differences:
A DoS profile can be classified or aggregate; Zone Protection profiles are aggregate only.
1) A classified profile applies its threshold to a single source IP. For example, a maximum new-session rate per IP can be set for all traffic matching the policy, and that single IP address is blocked once the threshold is exceeded.
2) An aggregate profile applies a maximum new-session rate to all traffic matching the policy, for all source IPs combined. Once the threshold is exceeded, ALL traffic matching the policy is affected.
Zone Protection profiles provide flood protection and can protect against port scans and host sweeps and against packet-based attacks; a few examples are IP spoofing, fragments, overlapping TCP segments, and rejecting non-SYN TCP packets. Zone Protection profiles may have less performance impact, since they are applied before session creation and do not engage the policy engine.
DoS Protection Rules: A DoS rule provides multiple keys, or criteria, for applying DoS protection in a granular and flexible fashion. It also allows criteria different from those in a security rule to be used for a DoS profile; however, this adds a lookup to packet processing. DoS rules are applied before the security policy lookup (slow path), but after destination zone determination.
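The following Python is an added example for this edit, not PAN-OS code, to make the classified/aggregate distinction concrete: the same new-session-rate threshold is applied either per source IP or to all matching traffic combined, and a constructed burst from one host shows who gets blocked in each case. A real PAN-OS DoS profile has separate alarm, activate and maximum rates; the example keeps a single maximum rate and a block duration. Thresholds and the traffic sample are constructed.

```python
"""Added example (not PAN-OS code): classified versus aggregate DoS thresholds
on the new-session rate. Thresholds and the traffic sample are constructed."""
from collections import defaultdict


class DosProfile:
    def __init__(self, max_rate, block_duration, classified):
        self.max_rate = max_rate                # new sessions per one-second window
        self.block_duration = block_duration    # seconds an offender stays blocked
        self.classified = classified            # True: per source IP; False: all sources combined
        self._counts = defaultdict(int)         # (window, key) -> sessions seen
        self._blocked_until = {}                # key -> time the block expires

    def _key(self, src):
        # Classified profiles track each source; aggregate profiles share one counter.
        return src if self.classified else "*"

    def new_session(self, t, src):
        """Verdict for a new session at time t from src:
        'allow', 'drop' (the one that crossed the threshold) or 'blocked'."""
        key = self._key(src)
        if self._blocked_until.get(key, 0) > t:
            return "blocked"
        window = int(t)
        self._counts[(window, key)] += 1
        if self._counts[(window, key)] > self.max_rate:
            self._blocked_until[key] = t + self.block_duration
            return "drop"
        return "allow"


def replay(profile, events):
    """events: list of (time, source_ip), in time order. Returns one verdict per event."""
    return [profile.new_session(t, src) for t, src in events]


# Constructed traffic: 10.0.0.7 opens six sessions within a second (threshold is five),
# 10.0.0.8 opens two in the same second, then each opens one more a few seconds later.
EVENTS = [(0.10, "10.0.0.7"), (0.15, "10.0.0.7"), (0.20, "10.0.0.7"),
          (0.25, "10.0.0.7"), (0.30, "10.0.0.7"), (0.35, "10.0.0.7"),
          (0.50, "10.0.0.8"), (0.55, "10.0.0.8"),
          (3.00, "10.0.0.7"), (3.00, "10.0.0.8")]


def run_classified():
    return replay(DosProfile(max_rate=5, block_duration=10, classified=True), EVENTS)


def run_aggregate():
    return replay(DosProfile(max_rate=5, block_duration=10, classified=False), EVENTS)


if __name__ == "__main__":
    print("classified:", run_classified())
    print("aggregate: ", run_aggregate())
```

With the classified profile only 10.0.0.7 is blocked and 10.0.0.8 keeps working; with the aggregate profile the burst from 10.0.0.7 also blocks 10.0.0.8, which is exactly the collateral effect the text warns about, and the reason aggregate profiles are used for protecting a destination rather than for singling out attackers.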
Note: Zone Protection is enforced only when there is no session match for the packet. If the packet matches an existing session, it bypasses the Zone Protection settings.
Module 8
User ID
The Palo Alto Networks next-generation firewall supports monitoring of the following
enterprise services:
Module 9
VPN Deployments
The Palo Alto Networks firewall supports the following VPN deployments:
Site-to-Site VPN: A simple VPN that connects a central site and a remote site, or a hub-and-spoke VPN that connects a central site with multiple remote sites. The firewall uses the IP Security (IPsec) set of protocols to set up a secure tunnel for the traffic between the two sites. See Site-to-Site VPN Overview.
Remote User-to-Site VPN: A solution that uses the GlobalProtect agent to allow a remote user to establish a secure connection through the firewall. This solution uses SSL and IPsec to establish a secure connection between the user and the site. Refer to the GlobalProtect Administrator's Guide.
Large Scale VPN: The Palo Alto Networks GlobalProtect Large Scale VPN (LSVPN) provides a simplified mechanism to roll out a scalable hub-and-spoke VPN with up to 1024 satellite offices. The solution requires Palo Alto Networks firewalls to be deployed at the hub and at every spoke. It uses certificates for device authentication, SSL for securing communication between all components, and IPsec to secure data. See Large Scale VPN (LSVPN).
IKE Gateway
Tunnel Interface
Tunnel Monitoring
Internet Key Exchange (IKE) for VPN
IKE Gateway
The Palo Alto Networks firewalls, or a firewall and another security device, that initiate and terminate VPN connections across the two networks are called the IKE gateways. To set up the VPN tunnel and send traffic between the IKE gateways, each peer must have an IP address (static or dynamic) or an FQDN. The VPN peers use pre-shared keys or certificates to mutually authenticate each other.
The peers must also negotiate the mode (main or aggressive) for setting up the VPN tunnel and the SA lifetime in IKE Phase 1. Main mode protects the identities of the peers: the identities are exchanged only after the Diffie-Hellman secret is established, so they travel encrypted, at the cost of six messages instead of three.
Main mode is the recommended mode for IKE negotiation if both peers support it. Aggressive mode uses fewer packets to set up the VPN tunnel and is hence faster, but it is the less secure option: the identities are sent in the clear, and with pre-shared-key authentication the responder's hash can be captured and used for an offline dictionary attack on the PSK. If aggressive mode cannot be avoided (for example, for a peer with a dynamic address), use a long random pre-shared key or certificate authentication.
Tunnel Interface
To set up a VPN tunnel, the Layer 3 interface at each end must have a logical tunnel interface for the firewall to connect to and establish a VPN tunnel.
Typically, the Layer 3 interface that the tunnel interface is attached to belongs to an external zone, for example the untrust zone. While the tunnel interface can be in the same security zone as the physical interface, for added security and better visibility you can create a separate zone for the tunnel interface. If you create a separate zone for the tunnel interface, say a VPN zone, you will need to create security policies to enable traffic to flow between the VPN zone and the trust zone.
To route traffic between the sites, a tunnel interface does not require an IP address. An IP address is only required if you want to enable tunnel monitoring or if you are using a dynamic routing protocol to route traffic across the tunnel. With dynamic routing, the tunnel IP address serves as the next-hop IP address for routing traffic into the VPN tunnel.
If you are configuring the Palo Alto Networks firewall with a VPN peer that performs policy-based VPN, you must configure a local and remote Proxy ID when setting up the IPsec tunnel. Each peer compares the Proxy IDs configured on it with what it actually receives in the packet in order to allow a successful IKE Phase 2 negotiation. If multiple tunnels are required, configure unique Proxy IDs for each tunnel interface; a tunnel interface can have a maximum of 250 Proxy IDs.
Tunnel Monitoring
For a VPN tunnel, you can check connectivity to a destination IP address across the tunnel. The monitor profile on the firewall allows you to verify connectivity (using ICMP) to a destination IP address or a next hop at a specified polling interval, and to specify an action when the monitored IP address cannot be reached.
If the destination IP is unreachable, you can configure the firewall either to wait for the tunnel to recover or to fail over automatically to another tunnel. In either case, the firewall generates a system log that alerts you to the tunnel failure and renegotiates the IPsec keys to accelerate recovery.
The default monitoring profile is configured to wait for the tunnel to recover; the polling interval is 3 seconds and the failure threshold is 5, so a tunnel is declared down after roughly 15 seconds of consecutive failed probes.
IKE Phase 1
IKE Phase 1 is responsible for bringing the tunnel up (establishing the IKE SA).
The IKE Crypto profile defines the following options that are used in the IKE SA negotiation:
Diffie-Hellman (DH) group for generating the keying material for the symmetric keys used by IKE. Each peer combines its own private value with the other peer's public value to derive the same shared secret, which is never transmitted; the symmetric keys are derived from it. The DH groups supported on the firewall are: Group 1: 768 bits; Group 2: 1024 bits (the default); Group 5: 1536 bits; Group 14: 2048 bits.
Authentication options: sha1, sha256, sha384, sha512, md5.
Note: Groups 1 and 2 and the MD5 and SHA-1 hashes are legacy choices kept for interoperability; 1024-bit and smaller groups are considered too weak today. Where the peer supports it, use Group 14 or larger with a SHA-2 hash.
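The following Python is an added example for this edit, not PAN-OS code, of the Diffie-Hellman step in IKE Phase 1 over Group 2. Each peer picks a private value, sends only the public value, and both arrive at the same shared secret; an observer of the exchange sees the two public values but not the secret. The 1024-bit MODP prime is the second Oakley group from RFC 2409 as transcribed here, with a Fermat check to catch a transcription error; verify it against the RFC before reusing it. Key sizes and the nonces are the only constructed inputs.

```python
"""Added example (not PAN-OS code): IKE Phase 1 Diffie-Hellman over Group 2.
The prime is RFC 2409's 1024-bit MODP group as transcribed here."""
import secrets

# RFC 2409, Second Oakley Group (1024-bit MODP), generator 2.
GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
GROUP2_G = 2


def group_is_plausible(p=GROUP2_P):
    """Cheap sanity check on the transcribed prime: 1024 bits and Fermat base 2."""
    return p.bit_length() == 1024 and pow(2, p - 1, p) == 1


def keypair(p=GROUP2_P, g=GROUP2_G):
    """Private value x (kept on the peer) and public value g^x mod p (sent)."""
    x = secrets.randbelow(p - 2) + 1
    return x, pow(g, x, p)


def is_valid_public(y, p=GROUP2_P):
    """Reject degenerate public values (0, 1, p-1) that force a trivial secret."""
    return 1 < y < p - 1


def shared_secret(my_private, peer_public, p=GROUP2_P):
    if not is_valid_public(peer_public, p):
        raise ValueError("invalid peer public value")
    return pow(peer_public, my_private, p)


def ike_phase1_dh(p=GROUP2_P, g=GROUP2_G):
    """Simulate both peers. Only the two public values cross the wire.
    Returns (initiator_secret, responder_secret, initiator_public, responder_public)."""
    xi, gxi = keypair(p, g)           # initiator
    xr, gxr = keypair(p, g)           # responder
    ki = shared_secret(xi, gxr, p)    # initiator combines its private with responder's public
    kr = shared_secret(xr, gxi, p)    # responder does the mirror image
    return ki, kr, gxi, gxr


def secrets_match():
    ki, kr, _, _ = ike_phase1_dh()
    return ki == kr and is_valid_public(ki)


if __name__ == "__main__":
    ki, kr, gxi, gxr = ike_phase1_dh()
    print("group plausible:", group_is_plausible())
    print("peers agree:", ki == kr, "secret bits:", ki.bit_length())
```

The public-value check matters in practice: a peer that accepts 1 or p-1 as the other side's public value ends up with a shared secret an attacker can predict, which is why IKE implementations reject such values.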
IKE Phase 2
IKE Phase 2 is responsible for the data-transfer SA (the IPsec SA).
After the tunnel is secured and authenticated, in Phase 2 the channel is further secured for the transfer of data between the networks. IKE Phase 2 uses the keys that were established in Phase 1 and the IPSec Crypto profile, which defines the IPsec protocols and algorithms used for the SA in IKE Phase 2.
IPsec uses the following protocols to enable secure communication:
Encapsulating Security Payload (ESP): Encrypts the entire inner IP packet (in tunnel mode), authenticates the source and verifies the integrity of the data. ESP normally both encrypts and authenticates; you can choose to only authenticate by setting the encryption option to Null. Using encryption without authentication is discouraged, because unauthenticated ciphertext can be modified in transit without detection.
Authentication Header (AH): Authenticates the source of the packet and verifies data integrity. AH does not encrypt the data payload and is unsuited for deployments where data privacy is important. AH is used when the main concern is to verify the legitimacy of the peer and data privacy is not required. Note that AH does not work through NAT, because it also authenticates the outer IP header that NAT rewrites.
LSVPN Overview
GlobalProtect provides a complete infrastructure for managing secure access to corporate resources from your remote sites. This infrastructure includes the following components:
GlobalProtect Portal: Provides the management functions for your GlobalProtect LSVPN infrastructure. Every satellite that participates in the GlobalProtect LSVPN receives configuration information from the portal, including the configuration that enables the satellites (the spokes) to connect to the gateways (the hubs). You configure the portal on an interface on any Palo Alto Networks next-generation firewall.
GlobalProtect Gateways: A Palo Alto Networks firewall that provides the tunnel endpoint for satellite connections. The resources that the satellites access are protected by security policy on the gateway. It is not required to have a separate portal and gateway; a single firewall can function as both portal and gateway.
GlobalProtect Satellite: A Palo Alto Networks firewall at a remote site that establishes IPsec tunnels with the gateway(s) at your corporate office(s) for secure access to centralized resources. Configuration on the satellite firewall is minimal, enabling you to quickly and easily scale your VPN as you add new sites.
Module 10
Reports and Logging
The firewall provides reports and logs that are useful for monitoring activity on your network. You can monitor the logs and filter the information to generate reports with predefined or customized views. You can, for example, use the predefined templates to generate reports on a user's activity, or analyze the reports and logs to interpret unusual behavior on your network and generate a custom report on the traffic pattern.
The following topics describe how to view, manage, customize, and generate the reports and logs on the firewall:
Module 11
High Availability
High availability (HA) is a configuration in which two firewalls are placed in a group and their configuration is synchronized to prevent a single point of failure on your network.
The Palo Alto Networks firewalls support stateful active/passive or active/active high availability with session and configuration synchronization. Some models of the firewall, such as the VM-Series firewall and the PA-200, only support HA Lite, without session synchronization.
When a failure occurs on the active device and the passive device takes over the task of securing traffic, the event is called a failover. The conditions that trigger a failover are:
One or more of the monitored interfaces fail (Link Monitoring).
One or more of the destinations specified on the device cannot be reached (Path Monitoring).
The device does not respond to heartbeat polls (Heartbeat Polling and Hello messages).
HA Concepts
The following topics provide conceptual information about how HA works on a Palo Alto
Networks firewall:
HA Modes
HA Links and Backup Links
Device Priority and Preemption
Failover Triggers
HA Timers
HA Modes
The PA-200 and VM-Series firewalls support a lite version of active/passive HA. HA Lite provides configuration synchronization and some runtime data synchronization, such as IPsec security associations. It does not support session synchronization, so HA Lite does not offer stateful failover.
Active/Active: Both devices in the pair are active and processing traffic, and work together to handle session setup and session ownership. The active/active deployment is supported in virtual wire and Layer 3 deployments and is recommended only for networks with asymmetric routing.
The devices in an HA pair use HA links to synchronize data and maintain state information. Some models of the firewall have dedicated HA ports, a control link (HA1) and a data link (HA2), while others require you to use in-band ports as HA links.
On devices with dedicated HA ports, such as the PA-3000 Series, PA-4000 Series, PA-5000 Series, and PA-7050, use the dedicated HA ports to manage communication and synchronization between the devices. For devices without dedicated HA ports, such as the PA-200, PA-500, and PA-2000 Series firewalls, as a best practice use the management port for the HA1 link, to allow a direct connection between the management planes of the devices, and an in-band port for the HA2 link.
Control Link: The HA1 link is used to exchange hellos, heartbeats, and HA state information, and for management-plane synchronization of routing and User-ID information. This link is also used to synchronize configuration changes made on either the active or the passive device with its peer. The HA1 link is a Layer 3 link and requires an IP address.
Ports used for HA1: TCP ports 28769 and 28260 for clear-text communication; TCP port 28 for encrypted communication (SSH over TCP). Because the HA1 link carries the full device configuration, enable HA1 encryption whenever the link is not a direct back-to-back connection between the peers.
Data Link: The HA2 link is used to synchronize sessions, forwarding tables, IPsec security associations and ARP tables between the devices in an HA pair. Data flow on the HA2 link is always unidirectional (except for the HA2 keep-alive); it flows from the active device to the passive device.
Ports used for HA2: The HA data link can be configured to use either IP (protocol number 99) or UDP (port 29281) as the transport, which allows the HA data link to span subnets.
Additionally, an HA3 link is used in active/active HA deployments. When there is an asymmetric route, the HA3 link is used to forward packets to the HA peer that owns the session. The HA3 link is a Layer 2 link; it does not support Layer 3 addressing or encryption.
Backup Links: Provide redundancy for the HA1 and HA2 links. In-band ports are used as backup links for both HA1 and HA2.
Consider the following guidelines when configuring backup HA links:
The IP addresses of the primary and backup HA links must not overlap each other.
HA backup links must be on a different subnet from the primary HA links.
HA1-backup and HA2-backup ports must be configured on separate physical ports.
The HA1-backup link uses ports 28770 and 28260.
Device Priority and Preemption
The devices in an HA pair can be assigned a device priority value to indicate a preference for which device should assume the active role and manage traffic.
The device with the lower numerical value, and therefore the higher priority, is designated as active and manages all traffic on the network.
By default, preemption is disabled on the firewalls and must be enabled on both devices. When enabled, preemption allows the firewall with the higher priority (lower numerical value) to resume the active role after it recovers from a failure. Be aware that this causes a second failover when the recovered device takes the active role back, so a flapping link on the higher-priority device can cause repeated failovers.
The format of the virtual MAC is 00-1B-17:00:xx:yy, where 00-1B-17 is the vendor ID, 00 is fixed, xx is the HA group ID, and yy is the interface ID.
When a new active device takes over, gratuitous ARPs are sent from each of the connected interfaces of the new active member to inform the connected Layer 2 switches of the virtual MAC address's new location.
Configuration requirements for an active/passive pair:
If using in-band ports, the interfaces for the HA1 and HA2 links must be set to type HA.
The HA mode must be set to Active Passive.
If required, preemption must be enabled on both devices. The device priority values, however, must not be identical.
If required, encryption on the HA1 link (for communication between the HA peers) must be configured on both devices.
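The following Python is an added example for this edit, not PAN-OS code, that walks through the priority and preemption rules above: the peer with the lower priority value wins the initial election, the survivor takes over on failure, and the recovered peer only takes the active role back when preemption is enabled on both devices. It also formats the virtual MAC from the group and interface IDs in the layout the slide gives. Peer names, priorities and IDs are constructed.

```python
"""Added example (not PAN-OS code): HA active election with device priority and
preemption, plus the virtual MAC layout from the slide. Inputs are constructed."""


def virtual_mac(group_id: int, interface_id: int) -> str:
    """00-1B-17:00:xx:yy from the slide, rendered as a colon-separated MAC."""
    if not (0 <= group_id <= 255 and 0 <= interface_id <= 255):
        raise ValueError("group and interface IDs must each fit in one byte")
    return "00:1b:17:00:%02x:%02x" % (group_id, interface_id)


def elect_active(peers, current_active=None):
    """peers: dict name -> {"priority": int, "preempt": bool, "healthy": bool}.
    Lower priority value wins. A healthy current active keeps the role unless
    preemption is enabled on BOTH peers and a healthier, higher-priority peer exists."""
    healthy = {name: p for name, p in peers.items() if p["healthy"]}
    if not healthy:
        return None
    best = min(healthy, key=lambda name: healthy[name]["priority"])
    if current_active in healthy:
        preempt_on_both = all(p["preempt"] for p in peers.values())
        if preempt_on_both and healthy[best]["priority"] < healthy[current_active]["priority"]:
            return best            # recovered higher-priority peer takes the role back
        return current_active      # no preemption: the survivor stays active
    return best                    # current active is down (link/path/heartbeat failure)


def failover_scenario(preempt: bool):
    """fw-a (priority 50) fails, fw-b (priority 100) takes over, fw-a recovers.
    Returns the active peer after each step."""
    peers = {"fw-a": {"priority": 50, "preempt": preempt, "healthy": True},
             "fw-b": {"priority": 100, "preempt": preempt, "healthy": True}}
    sequence = []
    active = elect_active(peers)
    sequence.append(active)                       # initial election
    peers["fw-a"]["healthy"] = False
    active = elect_active(peers, active)
    sequence.append(active)                       # fw-a fails a monitored link or path
    peers["fw-a"]["healthy"] = True
    active = elect_active(peers, active)
    sequence.append(active)                       # fw-a recovers
    return sequence


if __name__ == "__main__":
    print("preempt on both :", failover_scenario(preempt=True))
    print("preempt disabled:", failover_scenario(preempt=False))
    print("virtual MAC for group 3, interface 17:", virtual_mac(3, 17))
```

The second run is the one to remember during change windows: with preemption off, the pair stays on fw-b after fw-a comes back, and someone has to fail it over deliberately.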
Thank You
Rajesh Saini
+91 9999331177