Palo Alto Core Firewall HA Active/Active


L3 Networker

I have found some issues in running HA Active/Active as it relates to config sync. It appears that when there is a red dot on the firewall and an admin connects, their default reaction is to sync config. So I noticed that something that replicated to the active-secondary was BGP peer groups, which caused my BGP peering to become broken on my secondary PA. So I decided that I may want to run these in Active/Active but "standalone" and use Panorama to manage the configuration on each device and make sure they are "in sync". I am not running these at the edge and my network is symmetrical, so active/active is a suitable design for my network. There are just some issues like I have mentioned that could cause issues. Anyone have similar issues? Or thoughts?


L0 Member

Not yet, but just about to deploy a pair of 5220's in a similar model, except these would be at the edge.


So I'm curious if there have been any other obvious issues you faced with A/A & BGP peering, for example?

I am not sure I would be brave enough to try active-active at the edge, but in my core, sure, since I want to use routing protocols within my core network.


I have decided to go back to an active-active HA config and just disable config sync so someone isn't tempted to sync the config.
