1) No benefits, I know it adds only complexity, though I have never done it before. Only useful as a temp fix while you are dealing with the asymmetric routing on the network.
2) Keys and certs will be migrated (keys are encrypted with the master key on the Palo).
@CTaveras Just be aware that PAN-OS 8.0.x is the minimum OS version for the new platforms 220, 800 series and 5200 series.
Other than that, I agree with some of the other comments such as:
1. Be aware of potential proxy ARP configuration on upstream routers. It may break the NAT functionality. If you have static or proxy ARP on upstream routers, make sure to remove it before starting to test, especially the NAT rules.
2. Make sure to configure the Active/Passive Settings as Auto instead of Shutdown. The reason is that in the shutdown state, upstream and downstream devices connected to the passive device will not see a valid path until the passive firewall becomes active. That may be a little frustrating because the failover may be delayed a few seconds longer, which may be unacceptable for some businesses.
3. Also be aware of the preemption feature. If your firewalls are connected to two different ISPs and both have different bandwidths, typically you want the firewall connected to the higher bandwidth to always be the Active firewall in the HA pair. In this case you may want to enable the preemption feature and configure a timer on it.
For more advice on HA optimization and configuration, please refer to the following document:
I hope this helps.
We will definitely have 2 ISPs, but using both simultaneously.
Someone mentioned something about Virtual MAC when in HA... I assume that was for the External interface?
What about the Trusted port does that also get a Virtual MAC?
@Willian I notice that although I set the Passive link state on the Active FW to Auto, the Passive has not synced this change.
Is this expected behavior, or does the passive device also need this setting? I read the Doc you linked and it doesn't mention anything about the passive device.
Yes expected. These settings are local:
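The settings discussed in this thread (passive link state Auto rather than Shutdown, and preemption with a hold timer so the firewall on the faster ISP takes the Active role back), written out as an added PAN-OS CLI configuration example. This is not from any post in the thread; the command paths follow the PAN-OS 8.x `set deviceconfig high-availability` hierarchy as the editor knows it, the group ID, priority and timer values are assumptions, and the `#` lines are annotations rather than CLI syntax. Check the exact paths against the CLI reference for your PAN-OS version. Because the reply above states that these settings are local and not synced, the passive-link-state command is entered on both peers.

```text
# Added example configuration, not from the original thread; values are assumptions.
# Enter on BOTH peers: passive link state is a local setting and is not synced.
configure

# Weak setting: the passive unit's links stay down until it becomes active,
# so upstream/downstream devices see no valid path until failover completes.
# set deviceconfig high-availability group mode active-passive passive-link-state shutdown

# Recommended setting: the passive unit's links stay up, so the neighbours
# already have a path when the passive unit takes over.
set deviceconfig high-availability group mode active-passive passive-link-state auto

# Preemption: the preferred firewall takes the active role back after it recovers,
# after a hold time (in minutes) so a flapping device does not bounce the pair.
set deviceconfig high-availability group election-option preemptive yes
set deviceconfig high-availability group election-option preemption-hold-time 1

# Device priority: the LOWER value is preferred. Set this on the firewall
# connected to the higher-bandwidth ISP so it is normally Active.
set deviceconfig high-availability group election-option device-priority 100
# On the other peer, use a higher (less preferred) value, e.g.:
# set deviceconfig high-availability group election-option device-priority 200

commit
exit

# Verify the local and peer state after commit (operational mode):
show high-availability state
```

After committing on both units, `show high-availability state` should report the preferred unit as active and the peer as passive; if the peer still shows its links down, the passive-link-state command was only applied on one side.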