Keep Alive via Firewall LAN Interface

For AWS, either the LAN interface or the management interface can be used for firewall health checks and failure detection.

By default, the Aviatrix Controller checks a firewall's health by pinging the firewall's management IP address. Starting with release 6.0, a firewall instance's health can also be checked by pinging its LAN interface from the connecting Aviatrix FireNet Gateway. This alternative approach improves both firewall failure detection time and detection accuracy.

The mechanism works as follows: the FireNet Gateway pings the firewall instance's LAN interface every 5 seconds with a ping timeout of 20 ms. If the first ping times out, the gateway immediately pings again. Two consecutive ping failures indicate that the firewall is down, and it is detached from the FireNet Gateway pool. Pinging continues while the firewall is detached; once pings succeed again, the gateway detects that the firewall instance has come back up and attaches it back to the FireNet Gateway pool.

With LAN interface pinging, the firewall instance failover time is reduced.
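The detach/reattach behaviour described above can be modelled as a small state machine. The following is an added example, not Aviatrix code: it replaces real ICMP with a constructed script of reply/no-reply results, uses the 5 s interval, 20 ms timeout and two-failure threshold from the text, and records when a firewall would leave and rejoin the pool on a simulated clock.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

PROBE_INTERVAL_S = 5.0    # the FireNet Gateway pings the LAN interface every 5 s
PROBE_TIMEOUT_S = 0.020   # each ping waits 20 ms for an echo reply
FAILURES_TO_DETACH = 2    # two consecutive timeouts mark the firewall down


@dataclass
class LanKeepalive:
    """Tracks one firewall's membership in the FireNet Gateway pool (model only)."""
    attached: bool = True
    now_s: float = 0.0                                   # simulated clock
    events: List[Tuple[float, str]] = field(default_factory=list)

    def cycle(self, ping: Callable[[], bool]) -> None:
        """One probe cycle: ping once; on timeout, retry immediately."""
        failures = 0
        while failures < FAILURES_TO_DETACH and not ping():
            failures += 1
            self.now_s += PROBE_TIMEOUT_S                # time spent waiting for a reply
        if failures == FAILURES_TO_DETACH:
            if self.attached:                            # first detection of the outage
                self.attached = False
                self.events.append((round(self.now_s, 3), "detached"))
        elif not self.attached:                          # a reply after an outage
            self.attached = True
            self.events.append((round(self.now_s, 3), "attached"))
        self.now_s += PROBE_INTERVAL_S                   # wait for the next cycle


def simulate(replies: List[bool]) -> LanKeepalive:
    """Drive the monitor with a constructed reply script (True = reply within 20 ms)."""
    queue = deque(replies)
    monitor = LanKeepalive()
    while queue:
        monitor.cycle(lambda: queue.popleft() if queue else False)
    return monitor


def worst_case_detection_s() -> float:
    """Longest time from a failure (just after a good ping) to detachment, from the constants."""
    return PROBE_INTERVAL_S + FAILURES_TO_DETACH * PROBE_TIMEOUT_S


if __name__ == "__main__":
    # Constructed scenario: two healthy cycles, two silent cycles, then recovery.
    print(simulate([True, True, False, False, False, False, True]).events)
```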

The following sections describe how to enable ping on the firewall instance's LAN interface for each supported firewall.

Enabling ICMP on Firewall Devices

Palo Alto Networks

  1. Go to Network > Network Profiles > Interface Mgmt and create a profile that allows ping.

     [Screenshot: pan_network_profile]

  2. Go to Network > Interfaces, select Ethernet 1/2, open the Advanced tab > Management Profile and select the profile created in the step above.

     [Screenshot: pan_lan_attach]

  3. Commit the changes.

Panorama

Configure the stack in the same way as shown for Palo Alto Networks above.

Check Point

Go to SmartConsole > Global Properties > Firewall and enable Accept ICMP requests.

[Screenshot: cp_ping_enable_1]

[Screenshot: cp_ping_enable_2]