topic Re: Regarding the Operational Specifications for HA Mode in Next-Generation Firewall Discussions

Regarding the Operational Specifications for HA Mode

n-tomo — Wed, 26 Nov 2025 05:13:08 GMT

I am reviewing the operational specifications for HA mode. Could you please clarify the following points?

<Device Information>
Model: PA-3420 (2-unit HA configuration)
OS Version: 11.1.6-h10
Interface Information: Onboard (2 ports), Optical SFP10G (3 ports)
HA Ports: HA1-A,B
　　　　 HA2 Eth1/21,1/22 (Optical SFP10G)

Please confirm whether my understanding of the operational specifications for Shutdown mode and Auto mode in HA mode is correct.

- Behavior During Failover
Shutdown mode: All ports link up from scratch
Auto mode: Port states are preserved, resulting in faster failover

- Link-up Sequence
Shutdown mode: Ports link up sequentially, starting from port 1
Auto mode: Existing links are retained, so sequence has no effect

- SFP Diagnostics
Shutdown Mode: Always performed at startup → Causes delay
Auto Mode: Diagnostics unnecessary → High speed

- Definition of Switchover Time
Shutdown Mode: None (slower is by design)
Auto Mode: Switchover possible in short time

- Manufacturer Recommended Settings
Shutdown Mode: Recommended (prioritizes safety)
Auto Mode: Not recommended (can be selected for speed optimization)

Is it correct to understand that in Shutdown mode, link-up delays during switching are an OS specification, and the only way to speed it up is to change to Auto mode? However, in Auto mode, ports are always open, so depending on the configuration, there are concerns such as loops?

Re: Regarding the Operational Specifications for HA Mode

n-tomo — Mon, 08 Dec 2025 01:48:49 GMT

Is my understanding of this matter incorrect?
I would appreciate it if someone could kindly respond.

Best regerds

Re: Regarding the Operational Specifications for HA Mode

n-tomo — Mon, 15 Dec 2025 05:34:48 GMT

Please take a moment to review this.

Thank you for your cooperation.

Re: Regarding the Operational Specifications for HA Mode

S.Cantwell — Wed, 17 Dec 2025 20:10:10 GMT

You mentioned “ports link up sequentially, starting from port 1” — there is no documentation that PAN-OS enforces a specific sequential order (Port1 → Port2 → …).

Actual behavior:

In Shutdown, all passive data interfaces are administratively down and only brought up when active; link up happens as normal OS initialization when the device takes over. knowledgebase.paloaltonetworks.com
In Auto, physical interfaces stay up on passive and so sequence is not a factor for failover. knowledgebase.paloaltonetworks.com

“PAN-OS does not document a strict port ordering sequence. In shutdown mode the interfaces are down, so their subsequent ‘up’ event happens during transition; in auto mode they are already up, so no sequence dependency.”

Any delay seen during a transition is due to the interface link negotiation (PHY coming up) rather than an explicit documented difference in SFP diagnostics between modes.”

Switchover speeds are influenced by whether links are already up (Auto) versus needing to be brought up (Shutdown). There is no separate switchover timer inherent to Auto mode beyond this behavior.

Palo Alto Networks recommends Shutdown as the default, especially if the firewall interfaces reside in Layer-2 networks. Auto is recommended only when interfaces do not participate in Layer-2 forwarding to avoid unexpected behavior

s it correct that in Shutdown mode delays are OS specification and only way to speed up is Auto mode?

Accurate answer:

Yes — shutdown behavior keeps passive interfaces down, requiring them to come up only when active. That adds link negotiation delay that cannot be avoided in Shutdown mode. Auto mode eliminates the need for PHY link up during failover by keeping interfaces up. knowledgebase.paloaltonetworks.com

Is there loop risk in Auto mode?

Yes — because in Auto mode, passive interfaces are reported as up and neighbors (switches) may send traffic or cause MAC/ARP learning issues if not carefully designed. That’s why documentation explicitly warns not to select Auto if you have Layer-2 interfaces configured.