Today I handled an incident where a Palo Alto Firewall was reported in Suspend mode.
At first glance, it looked like a firewall failure — but the real story was deeper.
🔍 What actually happened:
- Firewall entered Suspend mode due to "Non-functional loop detected"
- Initial checks showed BGP was down (Idle state)
- A manual attempt to bring the firewall up moved it to Tentative (Path Down) state
- Further investigation revealed the BGP peer IP had been changed
Because of the incorrect peer IP:
- BGP session never established
- Routes were withdrawn
- Firewall fell back to unsafe routing
- Palo Alto correctly protected the network by suspending traffic
🛠 Resolution:
- Corrected the BGP peer IP
- BGP session moved to Established
- Routes were re-learned
- HA path monitoring became healthy
- Firewall automatically transitioned to Functional state
🧠 Key Takeaway:
> Suspend and Tentative modes are not failures — they are safety mechanisms.
Palo Alto firewalls prefer to stop forwarding traffic rather than risk routing loops or instability.
✅ Lessons Learned:
- Firewall issues often originate from routing or design changes
- Never force a firewall to Functional while BGP is unstable
- Always validate BGP peer configuration after changes
- Strong designs fail safely — and this is a perfect example
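The last two lessons can be turned into a routine check. The Python below is an added example, not part of the original post or any Palo Alto tooling: it compares the running BGP peer configuration against an approved baseline, correlates each peer with its live session state, and applies the post's rule that a firewall should not be forced to Functional while BGP is unstable. The peer names, IPs and AS numbers are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address

# Hypothetical approved baseline (constructed values): peer name -> (peer IP, remote AS).
BASELINE = {"isp-a": ("203.0.113.1", 64501), "core-rtr": ("198.51.100.9", 65010)}


@dataclass
class Finding:
    peer: str
    issue: str
    detail: str


def audit_bgp_peers(baseline, running, sessions):
    """Flag drift between baseline and running peer config, and peers not Established.
    running:  peer name -> (peer IP, remote AS) as currently configured.
    sessions: peer name -> BGP FSM state string ("Established", "Idle", ...)."""
    findings = []
    for peer, (ip, asn) in baseline.items():
        if peer not in running:
            findings.append(Finding(peer, "missing", "peer removed from running config"))
            continue
        run_ip, run_asn = running[peer]
        # Compare as addresses so "203.0.113.001" and "203.0.113.1" do not look different.
        if ip_address(run_ip) != ip_address(ip):
            findings.append(Finding(peer, "peer-ip-drift", f"baseline {ip}, running {run_ip}"))
        if run_asn != asn:
            findings.append(Finding(peer, "remote-as-drift", f"baseline {asn}, running {run_asn}"))
        state = sessions.get(peer, "Unknown")
        if state != "Established":
            findings.append(Finding(peer, "session-down", f"state {state}"))
    for peer in running.keys() - baseline.keys():
        findings.append(Finding(peer, "unapproved-peer", f"{running[peer][0]} not in baseline"))
    return findings


def safe_to_force_functional(findings):
    """The post's rule: do not force Functional while any peer is down or its IP has drifted."""
    blocking = {"session-down", "peer-ip-drift", "missing"}
    return not any(f.issue in blocking for f in findings)


def incident_example():
    """Reproduce the incident: isp-a's peer IP was changed, so its session sits in Idle."""
    running = {"isp-a": ("203.0.113.2", 64501), "core-rtr": ("198.51.100.9", 65010)}
    sessions = {"isp-a": "Idle", "core-rtr": "Established"}
    return audit_bgp_peers(BASELINE, running, sessions)
```

Run the audit as a post-change gate: an empty findings list (or `safe_to_force_functional` returning `True`) is the condition under which touching the HA state is reasonable.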