I tried to upgrade the Palo firewall HA (Active-Passive). But when I failover active to passive, we cannot access the GUI on both firewall. Before I failover, I check the passive cannot reach to updates.paloaltonetworks.com.
After I failover, I tried to connect throught CLI and passive (which it became active) can reach to updates.paloaltonetworks.com. And active(which it became passive), cannot reach to updates.paloaltonetworks.com.
Is this the cause that we cannot access the GUI via internet?
Need your guys help on this. Thank you.
From what you've described it sounds like you aren't using the management interface and you have a management profile setup on a loopback interface or another dataplane interface. Likewise, it sounds like you have a service route configured on the device, which would make sense if you don't have the management interface connected.
If that's the case everything you described in your post makes sense. Service routes through dataplane resources aren't going to be accessible unless the device has the active role. Likewise access to the passive device isn't going to function if you are using a management profile on a dataplane interface. It sounds like everything you've described to this point is expected behavior working under the assumption that I've stated above.
If you actually have the management interface plugged in on both devices and you aren't using service routes, please report that. I'm making some assumptions based off of what you've said that may not be correct, but account for the behavior that you're reporting.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!