https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/active-passive-failover-in-aws/m-p/1254351#M2460 <P>Hello Guys,</P><P>I am trying to configure Active-Passive (A/P) HA failover for Palo Alto VM-Series firewalls in AWS.</P><P>I have completed the HA configuration and updated the required IAM roles and permissions. Currently, the setup is partially working as expected:</P><UL><LI><P>Primary Public IP (EIP) successfully moves from Passive ENI to Active ENI during failover.</P></LI><LI><P>Route tables are also getting updated correctly after failover.</P></LI><LI><P>Traffic connectivity is working fine after failover.</P></LI></UL><P>However, I am facing an issue when using multiple UNTRUST interfaces.</P><P>Scenario:</P><UL><LI><P>I created additional UNTRUST NICs/ENIs.</P></LI><LI><P>Assigned separate Public IPs/EIPs to those ENIs for hosting different applications/services.</P></LI><LI><P>During failover, only the first UNTRUST interface Public IP moves to the Active firewall.</P></LI><LI><P>The additional UNTRUST ENI Public IPs are not moving to the Active instance.</P></LI></UL><P>Requirement:<BR />I need multiple UNTRUST NICs, each with its own Public IP/EIP, and all those EIPs should fail over automatically to the Active firewall during HA failover.</P><P>Current Environment:</P><UL><LI><P>PAN-OS Version: 12.1.4-h5</P></LI><LI><P>AWS Plugin Version: 6.1.2-h1</P></LI></UL><P>Has anyone implemented a similar design or faced this issue before? Any guidance or recommended configuration changes would be greatly appreciated.</P><P>Thank you in advance for your support.</P> Wed, 20 May 2026 05:26:44 GMT haider.rangwala 2026-05-20T05:26:44Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/active-passive-failover-in-aws/m-p/1254351#M2460 <P>Hello Guys,</P><P>I am trying to configure Active-Passive (A/P) HA failover for Palo Alto VM-Series firewalls in AWS.</P><P>I have completed the HA configuration and updated the required IAM roles and permissions. Currently, the setup is partially working as expected:</P><UL><LI><P>Primary Public IP (EIP) successfully moves from Passive ENI to Active ENI during failover.</P></LI><LI><P>Route tables are also getting updated correctly after failover.</P></LI><LI><P>Traffic connectivity is working fine after failover.</P></LI></UL><P>However, I am facing an issue when using multiple UNTRUST interfaces.</P><P>Scenario:</P><UL><LI><P>I created additional UNTRUST NICs/ENIs.</P></LI><LI><P>Assigned separate Public IPs/EIPs to those ENIs for hosting different applications/services.</P></LI><LI><P>During failover, only the first UNTRUST interface Public IP moves to the Active firewall.</P></LI><LI><P>The additional UNTRUST ENI Public IPs are not moving to the Active instance.</P></LI></UL><P>Requirement:<BR />I need multiple UNTRUST NICs, each with its own Public IP/EIP, and all those EIPs should fail over automatically to the Active firewall during HA failover.</P><P>Current Environment:</P><UL><LI><P>PAN-OS Version: 12.1.4-h5</P></LI><LI><P>AWS Plugin Version: 6.1.2-h1</P></LI></UL><P>Has anyone implemented a similar design or faced this issue before? Any guidance or recommended configuration changes would be greatly appreciated.</P><P>Thank you in advance for your support.</P> Wed, 20 May 2026 05:26:44 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/active-passive-failover-in-aws/m-p/1254351#M2460 haider.rangwala 2026-05-20T05:26:44Z