Does PA fail closed by default?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Does PA fail closed by default?

L0 Member

I'll be darned if I can find any documentation that speaks to if/how interfaces are configured to fail closed if there's a system or interface issue.

Does anyone have a URL that talks to this?

 

Thanks, Jeff

 

2 REPLIES 2

Cyber Elite
Cyber Elite

Hello @jbankstonfla

 

could you please provide more details about scenario of failure? Without knowing details of your question, my general reply would be as below:

 

- If you mean a support for "bump in the wire" where interfaces will support hardware relay to allow flowing of traffic in the case of hardware failure, then this is not supported with Palo Alto, so default is fail close.

 

- Best practice is to build an HA pair to fail over in the case interface or system goes down. If an interface goes down and interface tracking is enabled under HA, the other Firewall in the HA pair will take it over. If entire system goes down, then based oh heartbeat failover will take place. 

 

Kind Regards

Pavel

 

Help the community: Like helpful comments and mark solutions.

Cyber Elite
Cyber Elite

Hello,

From the last few cases I posted to TAC regarding this, there is no documentation. So to satisfy the auditors, I create a TAC case with the question. Then use the TAC case number and their response as the artifact/documentation.

The gov auditors accept this answer.

Regards,

  • 1504 Views
  • 2 replies
  • 0 Likes
  • 101 Subscriptions
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!