Checking the Health of Your Firewall

Palo Alto VM-Series Instance Health

When vendor integration is enabled, Aviatrix CoPilot pings the individual firewall management interface every 10 seconds. If two consecutive pings fail, the firewall is declared down and moved to the "down" state. CoPilot continues to ping the management interface, and once consecutive pings succeed again, the firewall instance is attached back to the FireNet Gateway pool.

You can also check the health of a firewall instance by pinging its LAN interface from the connecting FireNet gateway. This alternative approach improves firewall failure detection time and accuracy. The FireNet gateway pings the LAN interface every five seconds with a ping timeout of 20 milliseconds. If the first ping times out, it immediately pings again. Two consecutive ping failures indicate the firewall is in Down state, and it is detached from the FireNet gateway pool. The ping function continues, and after it detects that the firewall instance is back up (successful pings), the instance is reattached to the FireNet gateway pool.

Enabling Ping on VM-Series Firewall

  1. In the Palo Alto UI, go to Network > Network Profiles > Interface Mgmt and create a profile to allow ping.

    [Image: pan_network_profile]
  2. Go to Network > Interfaces, select Ethernet 1/2, go to the Advanced tab > Management Profile and select the profile created in the step above.

    [Image: pan_lan_attach]
  3. Commit changes.

Check Point and Fortinet Instance Health

For Check Point CloudGuard and Fortinet FortiGate, CoPilot uses the AWS API to check instance health.

Enabling Ping on Check Point and Fortinet

In the Fortinet FortiGate UI, navigate to Network > Interfaces > Edit Interface and select the PING checkbox.

[Image: fortigate example ping]

In the Check Point UI, navigate to SmartConsole > Global Properties > Firewall > Accept ICMP Requests.

[Image: cp ping enable one]
[Image: cp ping enable two]

Firewall Keep Alive

Aviatrix Controller checks the health of a firewall by pinging the firewall’s management IP address. You can check the firewall instance health by pinging its LAN interface from the connecting Aviatrix FireNet Gateway. This is an alternative approach which improves firewall failure detection time and accuracy.

The firewall instance LAN is pinged every five seconds with a ping time-out of 20 seconds. If the first ping times out, it immediately pings again. Two consecutive ping failures indicate that the firewall is in 'down' state, and it is detached from the FireNet Gateway pool. The ping function continues and once it detects that the firewall instance has come up (pings are successful), it is attached back to the FireNet Gateway pool.

With LAN interface pinging, the firewall instance failover time is reduced.
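The detach/reattach logic described in the two keep-alive passages above, modelled as an added example (not Aviatrix code). It assumes the gateway reattaches after two consecutive successful pings, since the page only says "consecutive pings become successful"; ping outcomes are a constructed sequence rather than real ICMP traffic.

```python
from collections import deque
from typing import Deque, Iterable, List

UP, DOWN = "up", "down"
INTERVAL_S = 5      # one keep-alive cycle every 5 seconds (from the page)
TIMEOUT_MS = 20     # per-ping timeout quoted in the LAN-interface description


class FirewallKeepAlive:
    """Tracks one firewall instance's pool membership from LAN-interface pings.

    Each cycle sends one ping; if it times out, a second is sent immediately.
    Two consecutive timeouts mark the instance 'down' and detach it.
    While down, two consecutive successful pings (assumed) reattach it.
    """

    def __init__(self, replies: Iterable[bool]):
        # Constructed probe outcomes, consumed in order: True = reply, False = timeout.
        self._replies: Deque[bool] = deque(replies)
        self.state = UP
        self._good_streak = 0
        self.events: List[str] = []     # "detach" / "reattach" transitions

    def _ping(self) -> bool:
        return self._replies.popleft()  # IndexError when the sequence is exhausted

    def cycle(self) -> str:
        """Run one keep-alive cycle and return the resulting state."""
        ok = self._ping()
        if not ok:
            ok = self._ping()           # immediate retry after the first timeout
        if not ok:                      # two consecutive failures
            self._good_streak = 0
            if self.state == UP:
                self.state = DOWN
                self.events.append("detach")
        else:
            self._good_streak += 1
            if self.state == DOWN and self._good_streak >= 2:
                self.state = UP
                self.events.append("reattach")
        return self.state

    def run(self) -> List[str]:
        """Run cycles until the constructed sequence is used up; one state per cycle."""
        states: List[str] = []
        while self._replies:
            try:
                states.append(self.cycle())
            except IndexError:          # sequence ended mid-cycle; no state change made
                break
        return states
```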

As of Controller version 7.2.4820, the Keep Alive via Firewall Lan Interface option has been removed from the Controller UI and the action is performed automatically.

Firewall Health in Azure and GCP

Adding FireNet to a Transit gateway in Azure or GCP automatically creates Load Balancers in those clouds. These Load Balancers perform the firewall health check over HTTPS, not ping. You must disable ping in the interface management profile of your Azure or GCP firewalls.

For more information on load balancing between different firewalls, see Load Balancing Traffic Between Different Firewalls.

In Azure:

  • You can check the health probe status under Monitor > Metrics. See this article for more information.

  • The State column on the Gateway page in the Aviatrix Controller only reflects if the firewall is up or not. It does not reflect if the firewall is responding to health checks. You must check the health of the firewall in the Azure portal.

In GCP:

  • You can check the health status of the backend under Network services > Load balancing > Load balancer details. See this article for more information.

  • The State column on the Gateway page in the Aviatrix Controller reflects the health status of the firewall from the GCP load balancer.