I'm having trouble understanding how Active/Passive HA works in Palo Alto. In other solutions the active device has a virtual address on top of its physical interface address, and when the active device goes down the passive device 'takes over' by sending a GARP notifying devices that it is now the virtual address receiver. I can find a floating IP address in Active/Active, but nothing in Active/Passive.



That is because the passive unit (to my knowledge) just ignores packets arriving on its dataplane interfaces (except for the case when you setup HA to use a dataplane interface).

4xxx and 5xxx boxes use dedicated HA interfaces to keep states etc. between the boxes.

I have not dug into how the mac-address is being used in active/passive setup.

One of the reasons for using a "floating IP" in active/passive setups is when the passive device will act as an L2 device for the active device, which becomes the L3 unit. That's how VRRP/HSRP works. Which means that if a box incorrectly sends its packets to the passive unit, the passive unit will forward the traffic to the active unit (given that you have set up VLANs in between the units as well) - PAN doesn't behave like this.


Thank you for your answer, but either I'm not understanding your answer or I didn't make myself clear. To give an example, Check Point firewalls allow you to set up cluster members to share an IP address, but only the active member receives and processes traffic to it. This is useful for next-hop addresses: set your downstream router to use the virtual IP address, and whichever gateway is the active member receives traffic to that address. When the primary gateway fails the secondary address takes over the virtual IP address and begins to receive and process traffic destined to that address.

I cannot find a way to create this 'virtual' address in Palo Alto, and as such I don't understand how you would set a default gateway to an address if a HA cluster doesn't have a "floating" IP address.

Thank you again

Imagine that you use cold standby.

The active unit is the one with power currently turned on while the passive unit is just a dead fish (no power, so to speak).

The difference from cold standby when using active/passive with PAN is that the passive unit will at all times get the state table synchronized with the active unit. So once failover occurs it should be seamless for the clients and servers having flows through your active/passive cluster.

With the disclaimer that I'm not sure how the MAC address is being used (to have a really seamless transition the MAC address should be the same no matter which box is currently active, otherwise a bunch of gratuitous ARPs (I think they are named) need to be sent out to the surroundings, which of course might bring you some dropped packets before the network stabilizes).

I actually have the same question, or rather lack of understanding, as the fellow who originated the thread.  In an active/passive HA pair in Juniper SRXs, granted that's the only real type of HA they offer, I have to use the floating IP for address reachability, a reth interface which is a logical collection of chassis-separated physical interfaces.  What is the deployment scenario with active/passive and two different IP addresses?  Wouldn't I need intelligent routers both pre and post firewall? Seems to me like that redundancy would require or benefit more from active/active L3 with dynamic routing protocols.

Any light you could shed on this would be great...  And oh yeah, on an HA pair, it's possible to install a passive counterpart without factory resetting the active node, right?  The administration guide would lead me to believe otherwise as it's kinda telling you to factory reset both boxes.  I set up an HA active/active pair with all appropriate interfaces and such, but when I tried to join the pair there were configuration overlaps and therefore it wouldn't take the configuration.  Pair was UP but out of SYNC.  Would be neat to understand the bare minimum requirements for HA setup, which I'm sure I'll find if I continue to drive into the forums.  Thanks again!

Hi... We offer a Floating IP address (i.e. virtual IP address) in Active/Active HA.  In Active/Passive HA, you only need to assign the IPs to the Ethernet ports and those IPs will be replicated across both HA units.  The IPs will carry virtual MACs.  In the event of a failover, the passive unit will take over the IPs and issue gratuitous ARP when it becomes active.

When you bring up HA, the 2 units may contain different configurations and their config will be out of sync.  You need to log in to the unit with the chosen config (the config you want to run), and issue a 'sync to remote' to copy its config onto its HA peer.  Make sure both units are the same models, same PAN-OS and content updates when you perform the 'sync to remote'.


Thanks for the clarification on active passive, I can just use either or for the IP address as a default gateway then for a network?  That's cool.

Got HA working active active last night defaulting my standby and doing some CLI via a console server, IMO well worth it.

Thanks again!

P.S.  If you know off hand...  Is there a "load merge terminal", "show | compare rollback X" equivalent in PAN-OS?

My comments inline:

Thanks for the clarification on active passive, I can just use either or for the IP address as a default gateway then for a network?  That's cool.

Correct.  You can use the IP address as the default gateway.

Got HA working active active last night defaulting my standby and doing some CLI via a console server, IMO well worth it.

Make sure you connect HA2 and HA3 using crossover cables.  HA1 can be straight-thru cable as it carries very little traffic.  Also, enable 'heartbeat backup' to send heartbeats across the mgt ports for redundancy.

Thanks again!

P.S.  If you know off hand...  Is there a "load merge terminal", "show | compare rollback X" equivalent in PAN-OS?

You can manually merge the configs.  My suggestion is to change the CLI config output to set commands, then show the config, copy the set commands, and paste the commands to the new unit.

> set cli config-output-format set

> configure

# show rulebase security


You can compare configs using the 'Config Audit' function in the GUI under Device ==> Config Audit.  Thanks.
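The manual merge described in this reply (switch the CLI output to set commands, copy them, paste them onto the peer) is where the "configuration overlaps" from the earlier post bite: the same node configured differently on each unit. As an added example that is not part of this thread and not Palo Alto's Config Audit, the script below takes two captures of set-command output and reports what exists only on one unit and which nodes carry conflicting values. It treats the last token of each set line as the value and everything before it as the node path (a bracketed list `[ a b ]` is taken as one value); that key/value split is an assumption of the example, and the sample configs are constructed.

```python
import shlex
from typing import Dict, Tuple, Union

Value = Union[str, Tuple[str, ...]]


def parse_set_commands(text: str) -> Dict[str, Value]:
    """Map each 'set <path> <value>' line to {path: value}.

    Heuristic (assumed, not PAN-OS's own model): the last token is the value,
    everything between 'set' and it is the node path; '[ a b ]' is a list value.
    Lines that are not set commands (prompts, blanks, '#' comments) are skipped.
    """
    entries: Dict[str, Value] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith(">"):
            continue
        tokens = shlex.split(line)          # honours quoted values like description "web rule"
        if tokens[0] != "set" or len(tokens) < 3:
            continue
        if "[" in tokens:
            start = tokens.index("[")
            if tokens[-1] != "]":
                raise ValueError(f"unterminated list in: {line}")
            key = " ".join(tokens[1:start])
            value: Value = tuple(sorted(tokens[start + 1:-1]))
        else:
            key = " ".join(tokens[1:-1])
            value = tokens[-1]
        entries[key] = value
    return entries


def diff_configs(unit_a: str, unit_b: str) -> Dict[str, list]:
    """Report nodes present on one unit only and nodes whose values disagree."""
    a, b = parse_set_commands(unit_a), parse_set_commands(unit_b)
    return {
        "only_in_a": sorted(k for k in a if k not in b),
        "only_in_b": sorted(k for k in b if k not in a),
        "conflicts": sorted((k, a[k], b[k]) for k in a.keys() & b.keys() if a[k] != b[k]),
    }


# Constructed sample output from two HA peers, not captured from real devices.
UNIT_A = """
> set cli config-output-format set
set deviceconfig system hostname PA-A
set network interface ethernet ethernet1/1 layer3 ip 10.0.0.1/24
set rulebase security rules allow-web from [ trust ]
set rulebase security rules allow-web action allow
"""

UNIT_B = """
set deviceconfig system hostname PA-B
set network interface ethernet ethernet1/1 layer3 ip 10.0.0.1/24
set rulebase security rules allow-web action deny
set network virtual-router default interface [ ethernet1/2 ethernet1/1 ]
"""


def sample_report() -> Dict[str, list]:
    return diff_configs(UNIT_A, UNIT_B)


if __name__ == "__main__":
    for section, items in sample_report().items():
        print(section)
        for item in items:
            print("   ", item)
```

The hostname conflict is expected on any pair and is resolved by HA itself; the differing rule action is the kind of overlap to settle before 'sync to remote' overwrites the peer, since whichever unit you sync from wins.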

Hi, thank you for your answer. There is only one thing I'm still not sure about. Let's say I have two PA 2020s and I put the IP address on the first and on the second and then join them in an HA cluster and sync policies. When the primary device goes down, does the secondary device take over and/or does it replace with


As far as I know when you use active/passive it will be the same configuration in both.

Meaning both devices will have but the one who is passive will have its interface "shutdown" until it detects that the current active device is long gone... then it will turn on its interface and send out gratuitous ARP so switches and nearby devices will update their MAC address tables.
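Both the Palo Alto reply above (interface IPs carry virtual MACs, and the unit that becomes active issues gratuitous ARP) and this post describe the same failover signal from the network's point of view. As an added example, not code from this thread or from Palo Alto, the script below decodes Ethernet/ARP frames, recognises a gratuitous ARP (sender IP equals target IP) and keeps the IP-to-MAC table a switch or monitoring host would learn from it, distinguishing a refresh of the same MAC (what a replicated virtual MAC looks like on failover) from an IP moving to a different MAC, which is the case a defender wants flagged. The frames are constructed in memory for the test; the MACs and IPs are made up.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

ETH_HDR = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_to_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_to_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


@dataclass
class ArpFrame:
    opcode: int          # 1 = request, 2 = reply
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str

    @property
    def is_gratuitous(self) -> bool:
        # A gratuitous ARP announces the sender's own binding: sender IP == target IP.
        return self.sender_ip == self.target_ip


def parse_arp(frame: bytes) -> Optional[ArpFrame]:
    """Decode an Ethernet/ARP frame; return None when the EtherType is not ARP."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        raise ValueError("frame too short for Ethernet + ARP")
    _dst, _src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is handled")
    return ArpFrame(oper, mac_to_str(sha), ip_to_str(spa), mac_to_str(tha), ip_to_str(tpa))


def build_arp(opcode: int, sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Construct a broadcast ARP frame in memory (sample input only, nothing is sent)."""
    eth = ETH_HDR.pack(mac_to_bytes(BROADCAST), mac_to_bytes(sender_mac), ETHERTYPE_ARP)
    arp = ARP_PKT.pack(1, 0x0800, 6, 4, opcode,
                       mac_to_bytes(sender_mac), ip_to_bytes(sender_ip),
                       mac_to_bytes(target_mac), ip_to_bytes(target_ip))
    return eth + arp


class ArpWatcher:
    """Tracks IP -> MAC bindings learned from gratuitous ARP, as a switch or host would."""

    def __init__(self) -> None:
        self.table = {}
        self.events = []

    def observe(self, frame: bytes) -> Optional[Tuple[str, str, Optional[str], str]]:
        arp = parse_arp(frame)
        if arp is None or not arp.is_gratuitous:
            return None                  # ordinary ARP traffic: nothing to record
        old = self.table.get(arp.sender_ip)
        self.table[arp.sender_ip] = arp.sender_mac
        if old is None:
            kind = "learn"               # first announcement of this IP
        elif old == arp.sender_mac:
            kind = "refresh"             # same MAC re-announced: e.g. failover with a replicated virtual MAC
        else:
            kind = "change"              # IP moved to a different MAC: worth alerting on
        event = (kind, arp.sender_ip, old, arp.sender_mac)
        self.events.append(event)
        return event
```

Run against a capture, the "refresh" events are what a Palo Alto active/passive failover with virtual MACs should produce for the gateway IP; a "change" event for that IP means either a pair without shared MACs or something else claiming the address, and either way is worth correlating with the HA logs.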

