11-24-2025 10:13 AM
Hi Team,
1) After performing a failover test, we noticed that the internet was not working on the passive device, although the ping to 8.8.8.8 continued successfully.
2) The issue started after upgrading the firewall. Considering that the passive firewall may not have rebooted properly after the upgrade, we performed a hard reboot, but the issue persisted; the passive device still could not access the internet through the expected policy.
3) I reviewed the security policy which the customer is using to access the internet and found that it works correctly on the active device, but the same policy does not work on the passive device after failover. On the passive device, we created a test security policy to access the internet and found that the internet was working fine without any issues.
4) We attempted to clear the old MAC address entries in the passive firewall through PuTTY. Both firewalls are managed by Panorama, and the device is also synchronized with the peer.
Kindly help me to solve the issue.
Model No:- PA 440
PANOS- 10.2.10-h9
Regards,
Chandrashekhar
11-24-2025 02:28 PM
@ChandrashekharD Do you see the hits on the rule for traffic going to the internet on port 443?
Can you ping the website hostname from the passive FW CLI?
Is the MGMT IP of the passive device able to ping the internet websites via hostname?
Does the upstream device learn the MAC of the passive device?
From the passive device when it is active do this
Regards

