HA Active/Active Mode with Multi VSYS

L3 Networker

Hi All,


Is it possible to use a Multi-VSYS Palo Alto to have the active-primary on one Palo Alto and a second VSYS Active-Primary on the second Palo Alto in Active-Active HA mode? I've done this on Cisco Active-Active firewalls but I need to do this on a Palo Alto pair.






This sounds very similar to my original setup, and sometimes it worked and sometimes there were issues.

Talking to an L3 and my SE, the official word from PA is you need a different NAT pool on each device, so NAT pool A on device A and NAT pool B on device B.


Not I spent 2-3 months working through issues about 2 years ago and again recently when I saw this post and thought about trying it again. But I'm back to A/P 😞


What I have is a set of routers to terminate the BGP and create a public network that is stretched between DC in front of the PA so that I can talk to all ISP from either PA.

If you aren't advertising BGP to your ISPs with address space that you own, DON'T USE ACTIVE/ACTIVE FOR INTERNET TRAFFIC. It's really unclear what you are doing but it sounds like you are operating ACTIVE/ACTIVE like ACTIVE/PASSIVE. If this is the case, why not just run ACTIVE/PASSIVE? Or, if you really want to use both ISPs don't run HA at all. Run each location's firewall independently and advertise your default route at both. It sounds like you are making this more complicated than it needs to be.

Sorry, not sure I gather the relevance.


I was running BGP and multiple upstreams and multiple DC with stretched VLANs. Basically L3 support and SE state A/A NAT doesn't work with 1 shared IP address. Not supported.

OK, I must have misunderstood.  Thank you.
