Break up Active/Passive HA Cluster


L0 Member



We have a PA-3020 Active/Passive HA Cluster.


Because of cost cutting I have to break up our cluster and just use one of the firewalls as standalone. The thing is, the license of the passive firewall will last longer than the one from the active. The goal is to use the passive firewall as standalone and to factory reset the active so it can be used as a cold spare ... or, you know, as a paperweight.


Is this the right procedure to break up the Active/Passive HA Cluster correctly and use the passive as standalone firewall:

- Config Backup from active and passive

- Disable preemptive failover

- Manual failover to the passive firewall so that it becomes the active

- Shut down the formerly active (now passive) firewall

- Disable Config Sync and disable HA

- Commit the configuration

- Strip the HA links between the firewalls and everything else from the formerly active (now passive)

- Factory reset the formerly active (now passive) firewall (via direct connection Notebook <-> Mgmt port firewall)

- Pray there are no problems in the future


Is this correct or is there another/better way to do this?


Best regards,

J. Veentjer



Cyber Elite

I'll work on actually putting this into one script that is sanitized and doesn't have any abnormal dependencies specific to any set environment or anything like that. Likely won't have time to get to this until this weekend.


Essentially the only thing that the actual script needs to do is take the configuration from the "primary" firewall and replace everything between <deviceconfig> and </deviceconfig> and replace it with the copy meant for the "backup" firewall.

The way that I've chosen to do this is using the configuration file as a jinja template and merging the stored "backup" deviceconfig file to create a full and working configuration file. Then you simply upload the updated configuration file to the "backup" device and it has the updated configuration from the "primary" firewall on a daily basis. 


Configuration File Example:

        {% include [deviceconfig] %}

Render Example:

import logging
from jinja2 import Environment, FileSystemLoader

log_collector = logging.getLogger(__name__)  # Logger the snippet assumes is already set up

output_file = '/tmp/new-config.xml'  # Rendered file output
log_collector.debug("Setting output_file variable: " + str(output_file))
file_loader = FileSystemLoader('/Palo-Alto/Configurations/PA-5220/Jinja2/')  # Directory holding the template and deviceconfig files
log_collector.debug("Setting FileSystemLoader: " + str(file_loader))
# Load environment
env = Environment(loader=file_loader)
log_collector.debug("Utilizing template Config-Files/Palo-Alto/Configurations/PA-5220/Jinja2/deployed-config.xml")
template = env.get_template('deployed-config.xml')  # "Primary" configuration used as the template
# Render: the include in the template pulls in the "backup" deviceconfig file
log_collector.debug("Rendering template: deviceconfig variable: 'backup-firewall/deviceconfig.xml'")
output = template.render(deviceconfig='backup-firewall/deviceconfig.xml')
# Write the merged configuration to the output file
with open(output_file, 'w') as save_file_f:
    save_file_f.write(output)


The thing to keep in mind here is that you won't want to have anything plugged into the "backup" firewall dataplane unless you have those associated interfaces shutdown. Replacing the deviceconfig will allow you to maintain management access to the "backup" firewall while keeping the relevant configuration updated. You'd also want to ensure the master key is the same between both units, but since you'd be breaking HA that'll already be the case.

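The replacement described in the reply above (everything between <deviceconfig> and </deviceconfig> swapped for the "backup" firewall's stored copy), done with an XML parser and checked before upload. This is an added example, not code from the original post; the function names and the heavily simplified sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified samples; a real exported configuration is far larger.
PRIMARY_XML = """<config><devices><entry name="localhost.localdomain">
  <deviceconfig><system><hostname>fw-primary</hostname><ip-address>192.0.2.10</ip-address></system></deviceconfig>
  <vsys><entry name="vsys1"><rulebase><security><rules><entry name="allow-dns"/></rules></security></rulebase></entry></vsys>
</entry></devices></config>"""

BACKUP_DEVICECONFIG_XML = (
    "<deviceconfig><system><hostname>fw-backup</hostname>"
    "<ip-address>192.0.2.11</ip-address></system></deviceconfig>"
)


def find_single_deviceconfig(root):
    """Return (parent, element) for the only <deviceconfig>; refuse ambiguous input."""
    hits = [(p, c) for p in root.iter() for c in p if c.tag == "deviceconfig"]
    if len(hits) != 1:
        raise ValueError(f"expected exactly one <deviceconfig>, found {len(hits)}")
    return hits[0]


def merge_deviceconfig(primary_xml, backup_deviceconfig_xml):
    """Swap the primary's <deviceconfig> for the backup unit's stored copy."""
    root = ET.fromstring(primary_xml)  # raises ParseError on malformed input
    replacement = ET.fromstring(backup_deviceconfig_xml)
    if replacement.tag != "deviceconfig":
        raise ValueError("stored fragment must have <deviceconfig> as its root")
    parent, old = find_single_deviceconfig(root)
    index = list(parent).index(old)
    replacement.tail = old.tail  # keep the surrounding whitespace layout
    parent.remove(old)
    parent.insert(index, replacement)
    merged = ET.tostring(root, encoding="unicode")
    ET.fromstring(merged)  # the file to upload must still be well-formed
    return merged


def hostname_of(config_xml):
    """Read system/hostname from the deviceconfig as a pre-upload sanity check."""
    _, deviceconfig = find_single_deviceconfig(ET.fromstring(config_xml))
    return deviceconfig.findtext("system/hostname")


if __name__ == "__main__":
    merged = merge_deviceconfig(PRIMARY_XML, BACKUP_DEVICECONFIG_XML)
    print("hostname in merged config:", hostname_of(merged))
```

Checking the hostname of the merged file before uploading confirms the "backup" unit keeps its own management identity rather than inheriting the primary's.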