HA failover on Acitve Passive concerns

TimothyL_MTS — Wed, 22 Apr 2026 23:38:21 GMT

Hello all,

I would like to get some idea/thoughts about the current setup on my two PA1410 Active/Passive FW failover concerns.

Few weeks ago, our Active FW has some issues and hung on the data plane. I found there was some missing configurations on our network side so the Failover didn't work at all. So eventually I resumed it, and raised the support case and found out that the FWs hit the bugs and will need to upgrade the PANOS to newer version.

Last week, I fixed the networking issue, and tested the failover. It works fine. But with few concerns that may need to figure out before the upgrade on the OS.

1. The failover from Active to Passive takes around 10 seconds and roughly 7 pings before the network connection resumed.

2. To trigger the first failover from Active to Passive, I used the Operation Commands in the Active FW GUI to Suspend local to the HA. After the checking and testing completed, I tried to Resume the Active FW, so I click the Resume link in Operation Commands. I expected that it will be automatically Failback to Active from the Passive FW. But I wait for another 3 minutes, it still running in the Passive. So I click the Suspend local to the HA in the Passive FW. Then the failback resumed back to normal.

For the Issue 1, I am not quite sure the parameters and values are not configured properly.

For Issue 2, I checked that the Preemptive option was not ticked in the Passive FW. It looks like this is the cause as the HA doc saying that this option must be ticked for both FWs.

Here I tried to attached the details on the HA section.

	PAN01	PAN02
Mode	Active-Passive	Active-Passive
Local status	Active	Passive
Peer status	Passive	Active
HA1	UP	UP
HA1 Backup	UP	UP
HA2	UP	UP

Enable HA	Tick	Tick
Group ID	10	10
Active/Passive Settings
Passive Link State	shutdown	shutdown
Monitor Fail Hold Down Time	1 min	1 min
Ele_tion Settings
Device Priority	100	110
Preemptive	Tick	Tick
Heartbeat Backup	Not Tick	Not Tick
HA Timer Settings	Recommended	Recommended
HA1
Port	ha1-a	ha1-a
Monitor Hold Time	3000 ms	3000 ms
HA2
Enable Session Syn	Tick	Tick
Port	hsci	hsci
Transport	ethernet	ethernet
HA2 keep-alive	Not Tick	Not Tick
HA1 Backup
Port	ha1-b	ha1-b
Link and Path Monitoring
Link Monitoring	Enabled	Enabled
Link Monitoring - Failure Condition	any	any
Link Group	Not defined	Not defined
Path Monitoring	Enabled	Enabled
Path Monitoring - Failure Condition	any	any
Path Group	Not defined	Not defined

Thank you in advance.

Have a great day.

Timothy

Re: HA failover on Acitve Passive concerns

reaper — Thu, 23 Apr 2026 07:43:18 GMT

Hi !

sounds like your failover is taking quite a lot of time, are you using LACP links or dynamic routing?

To speed up your failover time, you can make a few small adjustments:

- set passive link state to 'auto' so the interface is already 'on'

- if you have LACP/LAG interfaces, see if you can enable 'enable in HA passive state'

this will ensure your interfaces are already up and connected before a failover happens

check if your switch has some sort of ARP hold timers that could prevent the MAC address of the firewalls to hop to a different port when there is a failover

- in the event of a failover, the virtual MAC addresses used by the primary firewall's interfaces are taken over by the secondary unit and it starts sending out gratuitous ARP messages to remap ARP tables, but your switch may not agree

preempt will help fall back to the primary unit after a short outage, but for longer outages you will still need to fail back manually

hope this helps

topic HA failover on Acitve Passive concerns in Next-Generation Firewall Discussions

HA failover on Acitve Passive concerns

Re: HA failover on Acitve Passive concerns