High Availability question


L0 Member

Hi all,


This is my first post on this forum. I am also a brand new Palo Alto customer and we just purchased a pair of 3220 firewalls.


As the subject says my question revolves around HA as I would like to start putting together a plan for design and deployment.


My question is probably really stupid but I just want a bit of clarification on how an active/passive deployment works, as opposed to active/active.


After reading around I can see that active/passive is the favoured option, even by Palo Alto.


Having read this documentation: https://docs.paloaltonetworks.com/content/dam/techdocs/en_US/pdf/pan-os/10-1/pan-os-admin/pan-os-adm...

where it says:

Active/Passive— One firewall actively manages traffic while the other is synchronized and ready
to transition to the active state, should a failure occur

I'm a little unsure what this means, does that mean that no traffic will pass through the passive firewall? Or, will both firewalls process traffic but only the active firewall "manages" the traffic with policies?


To add a little context, we have 2 connections out to the internet, each of which is being protected by its own firewall. Both connections are to the same ISP. In our current setup the two firewalls are managed independently and have their own policies.


Where I want to be, however, when we replace our existing firewalls with our new Palo Altos is to cluster the two devices, i.e. the same policies replicated across both firewalls. But obviously I don't want to end up in a situation where we have an internet connection with zero traffic utilization where the passive device will be, and it only gets utilized when the primary active firewall fails.


The connections between the two firewalls internally are all L3. I was informed by our PA partner SE that in order to achieve active/passive I will need to convert our L3 internal WAN links to L2. I am not too keen on doing that unless I absolutely need to.


It was also suggested to look at investing in Panorama to overcome the issue of managing and replicating both firewalls centrally - but according to Palo Alto this product only becomes useful for managing 6 appliances or more, so not sure if this solution might be a little overkill for us.


From what I've been reading, active/active is only beneficial for when you have asymmetric routing, which we don't have.


If anyone can advise I would be grateful, and sorry again for my questions... Palo Alto is new to me and this would also be my first time configuring HA for firewalls.




L2 Linker

In active/passive they are essentially copies of each other. The passive does not take over until the primary fails; when this happens the passive sends a gratuitous ARP saying "you're sending traffic to me now". They also have the same virtual MAC address, so when a firewall fails no device should notice the difference, as it's the same IP and MAC from their perspective.


Active/passive is much easier from a management perspective. Active/active can make troubleshooting much more cumbersome. Panorama is really great with our 60+ firewalls, but if you have less than 6 devices it isn't worth the investment.


You should be able to use the same internet connection for both, as the passive ports are not up until it becomes active. What we do to achieve this is either having two connections coming directly off the modem into the firewalls, or, if we can only have one connection, we connect it to one of our switches and split it from there into our active/passive firewalls.

Network Administrator

Cyber Elite

Hi @Mushussu,


Let me take the questions one at a time.  I will not post URLs now because of the many points.  Most can be easily Googled.


  1. No traffic will pass through the passive firewall.
  2. Each firewall will need a separate connection to each Internet connection.
  3. Each firewall will need ECMP enabled to load balance traffic out both Internet connections.
  4. In the event of failover, the passive becomes active with the same MACs and IP addresses.  The active becomes passive.  So, the same interfaces on the HA pair will need to be in the same L2 subnet.  This applies to active/active also.
  5. Panorama is not needed for a HA pair because the configuration is synced between the two.
  6. If the firewalls are in different locations with L3 routing between the locations, you could invest in Panorama to centrally manage the configuration.  You would not set up HA between the two, but would rely upon routing convergence for HA.

Hope this helps,
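To make points 1 to 5 of the answer above concrete, here is a small simulation of an active/passive pair. It is an added example written for this thread, not code from either poster or from Palo Alto Networks, and it models the behaviour only: the passive peer forwards nothing until failover, the new active then announces the same virtual IP and MAC, the config is synced peer-to-peer (so no Panorama is needed to keep the two policies identical), and ECMP spreads flows over both Internet links so neither sits idle. The firewall names, addresses, MAC, uplink names and policy rule are all constructed values, and the XOR fold used for ECMP is a deliberately simplified stand-in for a real per-flow hash, not PAN-OS's algorithm.

```python
"""Toy model of an active/passive firewall HA pair with two ECMP uplinks.

Constructed illustration only; names, addresses, MACs and config are made up.
"""
import hashlib
import ipaddress
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    sport: int
    dport: int


def ecmp_uplink(flow: Flow, uplinks: list) -> str:
    """Pick an uplink per flow by XOR-folding the 4-tuple (simplified hash).

    Every packet of one flow maps to the same uplink, so a single session is
    never split across ISP links, while different flows use both links.
    """
    key = (int(ipaddress.ip_address(flow.src))
           ^ int(ipaddress.ip_address(flow.dst))
           ^ flow.sport ^ flow.dport)
    return uplinks[key % len(uplinks)]


def config_digest(config: dict) -> str:
    """Stable hash of a firewall config; comparing peers' digests detects drift."""
    return hashlib.sha256(json.dumps(config, sort_keys=True).encode()).hexdigest()


class HAPair:
    # One virtual MAC/IP per interface is shared by the pair; neighbours only see these.
    VIRTUAL_MAC = "00:00:5e:00:01:10"  # constructed value
    VIRTUAL_IP = "10.0.0.1"            # constructed value

    def __init__(self, uplinks):
        self.uplinks = uplinks
        self.active, self.passive = "fw1", "fw2"
        self.config = {"fw1": {}, "fw2": {}}
        self.forwarded = {"fw1": [], "fw2": []}   # (flow, uplink) per firewall
        self.garp_sent = []                        # (firewall, ip, mac) announcements

    def push_config(self, config: dict) -> bool:
        """Commit on the active peer, sync to the passive, report sync status."""
        self.config[self.active] = dict(config)
        self.config[self.passive] = dict(config)   # HA config sync keeps both identical
        return self.config_in_sync()

    def config_in_sync(self) -> bool:
        return config_digest(self.config["fw1"]) == config_digest(self.config["fw2"])

    def forward(self, flow: Flow):
        """Only the active peer forwards; the passive peer's interfaces are down."""
        uplink = ecmp_uplink(flow, self.uplinks)
        self.forwarded[self.active].append((flow, uplink))
        return self.active, uplink

    def fail_active(self) -> str:
        """Failover: roles swap and the new active claims the same IP/MAC via gratuitous ARP."""
        self.active, self.passive = self.passive, self.active
        self.garp_sent.append((self.active, self.VIRTUAL_IP, self.VIRTUAL_MAC))
        return self.active


def run_demo() -> dict:
    """Push a policy, forward a few flows, fail the active peer, forward again."""
    pair = HAPair(uplinks=["isp-link-a", "isp-link-b"])
    synced = pair.push_config({"rules": [{"name": "allow-web", "dport": 443, "action": "allow"}]})
    flows = [Flow("192.168.1.10", "93.184.216.34", 50000 + i, 443) for i in range(4)]
    before = [pair.forward(f) for f in flows]
    fw2_before = len(pair.forwarded["fw2"])       # passive carried nothing so far
    new_active = pair.fail_active()
    after = pair.forward(Flow("192.168.1.11", "93.184.216.34", 50010, 443))
    return {"synced": synced, "before": before, "fw2_flows_before_failover": fw2_before,
            "new_active": new_active, "after": after, "garp": pair.garp_sent}


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

Note that `before` shows the same firewall (fw1) using both uplinks for different flows, which is the answer to the original worry about an idle Internet link: with active/passive the second link is not wasted, it is simply attached to the active peer (and, via the passive's down ports, to the passive peer) rather than to a separate firewall. The `config_digest` comparison is the kind of check worth keeping after a commit: an HA pair whose peers disagree on the policy digest is the situation you want an alert on.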


