Active/passive vs active/active recommendations

Showing results for 
Show  only  | Search instead for 
Did you mean: 

Active/passive vs active/active recommendations

L1 Bithead



We are about to work on a Paloalto cluster deployment, which will be sitting next to the internet (we will have two separate providers) and we need to make the decision whether we configure it as A/A or A/P.

I keep reading in quite some places (forums and so) that A/P is Paloalto preferred way. That is also my first option, but I would like to have some official documentation to support that decision. Does anyone know where I can find such documentation from Paloalto, where they discuss A/P against A/A?

(I have been able to find the technical documentation of each of the cases, as well as their requirements, but not a specific discussion detailing kind of pros and cons of each of them).



Thanks a lot in advance



L4 Transporter

Not sure you will find any documented reasons but basically..


You don't gain much from A/A other than more throughput during normal running, but your not running N+1 so if one FW dies your under capacity. The added complexity also makes it far more difficult to implement successfully.


Hence a properly sized A/P N+1 is the recommended.

Are you utilizing any dynamic routing protocols with you service providers (and internally)?  You might want to consider A/A.  What you will learn is this can be very beneficial but will require a lot of setup on you part with a good working knowledge of BGP/OSPF/etc.


No dynamic routing protocols on either side?  Stick with A/P.

L6 Presenter

@jorgebarba wrote:



We are about to work on a Paloalto cluster deployment, which will be sitting next to the internet (we will have two separate providers) and we need to make the decision whether we configure it as A/A or A/P


Thanks a lot in advance


In our deployment we have 3 independent  ISPs across 2 DCs and we run A/P.  As others have stated an A/A deployment is primarily about throughput.  If you become reliant upon that second firewall's throughput then when you upgrade or a failure occurs you're environment is now degraded in an A/P deployment you're at N+1 which makes for a much more stable environment.

L1 Bithead

Thanks all for the replies.

@jeremy.larsen, indeed we will be running BGP to the internet and (most likely) OSPF internally. But the point is that I do not really see those benefits anyway, in setting the cluster up as A/A. Or say it other way, I do not see any potential benefit that would pay off the rather important increase in complexity (not that it is an issue itself, but it also would complicate any troubleshooting when the time comes, for the NOC and so).


Again, thanks all for providing your inputs. That's kind of what I am looking for, to gather a list of pros and cons of each of the two options, to make the final decision.



I've done both.  A/A is definitely cool but requires a lot of planning and a deep understanding of what you are doing.  If you want BGP to handle the failover for inbound services (ie: website, etc) then A/A is the way to go.  Or you can drop HA and use Load Balancers to handle your firewalls and all the routing decisions.  If you have something like an F5 handing failover using DNS and no IPs are getting moved between locations, then use good 'ole A/P and call it a day.


- Just my 2 cents


The big thing to consider is asymentric routing. If you have the need then A/A, if not then A/P.





Sorry I didn't state this in my previous post.

L1 Bithead

Thanks all again for your input.

In fact, I think I still opt more for the A/P solution but we will explore the two options in our particular environment and will decide.




  • 8 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!