Palo Alto Core Firewall HA Active/Active

L3 Networker


I have found some issues in running HA Active/Active as it relates to config sync. It appears that when there is a red dot on the firewall and an admin connects, their default reaction is to sync config. So I noticed that something that replicated to the active-secondary was BGP peer groups, which caused my BGP peering to become broken on my secondary PA. So I decided that I may want to run these in Active/Active but "standalone" and use Panorama to manage the configuration on each device and make sure they are "in sync". I am not running these at the edge and my network is symmetrical, so active/active is a suitable design for my network. There are just some issues like I have mentioned that could cause issues. Anyone have similar issues? Or thoughts?

L0 Member

Not yet, but just about to deploy a pair of 5220's in a similar model, except these would be at the edge.

 

So I'm curious if there have been any other obvious issues you faced with A/A & BGP peering for e.g.?

L3 Networker

I am not sure I would be brave enough to try active-active at the edge, but in my core sure since I want to use routing protocols within my core network. 

 

I have decided to go back to an active-active HA config and just disable config sync so someone isn't tempted to sync the config.
