What is HA-Lite on Palo Alto Networks PA-200 and VM-Series Firewalls?

Printer Friendly Page

HA-Lite is the name of the high-availability feature on the PA-200 and VM-Series firewalls. It offers a lighter version of the HA capabilities found on the other Palo Alto Networks hardware platforms. A limited version of HA is necessary on PA-200s because of the limited number of ports available for synchronization.


HA-Lite offers the following capabilities:

  • A/P High Availability without session sync
  • Failover of IPSec Tunnels (sessions must be re-established)
  • DHCP Lease information
  • PPPoE lease information
  • Configuration sync
  • Layer 3 forwarding tables


Features not available in HA-Lite:

  • Jumbo Frames
  • Link Aggregation
  • A/A High Availability
  • A/P High Availability with session synchronization

Note: Configuration for HA-Lite is similar to configuring active/passive HA, except there is no configuration available for HA2. This is because HA2 is used for session sync and HA-Lite does not support session sync.


owner: apasupulati


what's the ha lite can't ?

HA Lite doesn't include any session synchronization.

Any chance routes learned from ospf are included in the layer 3 forwarding tables?

You should not have to add the routes to the firewall since the forwarding table is synchronized between the units in an Active/Passive cluster.  I think these will not show in the routing table, but they should show up in the forwarding table on the Passive device (show routing fib).  If the routes are not showing up there it might be good to open a support case.

I think I have found the problem. I'm using an ipsec tunnel, but it still has to re-establish the session during failover and thats killing the routes.

I can't get it to running.

I configured the HA1 on the Management i see the second firewall...but my internet interface with DHCP starts to make trouble...in the monitor i see traffic to unsecure network but all application are unknown and it dosn't work anymore. If i stop the cluster it works again.

Then i tried it with a Data Port as HA...same problem..as soon i commit Enable HA i loos connection to the internet...really strange.

Just wanted to update this because it still comes up in top search results for HA and VM, but full-HA with session syncronization is now available for virtual firewalls.





The following link says that HA-Lite support IPsec tunnel failover, but "sessions must be re-established" -



Here it also says that IPsec failover is supported, but what actually these mean? Will the IPsec SA will be synchronized? In case of failover will the secondary firewall continue to pass the traffic over the tunnel or it needs first to re-establish the SAs?

hi @Alexander.Astardzhiev


The ike/ipsec parameters will be identical between both peers: for the remote peer they appear as one single system, so there is no need to configure a secondary tunnel to accommodate failovers (upon failover, the exact same tunnel will be renegotiated)


the SA are not synchronized so the tunnel will need to be renegotiated if a failover occurs