PAN 3220 setup query

Showing results for 
Show  only  | Search instead for 
Did you mean: 

PAN 3220 setup query

L0 Member

Hello community, first time poster here but I am reasonably new to the palo alto world! I could use some assistance.


We have 2 new PAN 3220 firewalls and I have one that is already configured and is connected to our ISP and I would like to connect the second firewall to the same ISP. We have two ports on our ISP router and was wondering if it is possible to connect each firewall to each ISP connection? Would there be any issues in doing this or any issues this would cause? I've read somewhere that ISPs by default do not allow this but the end goal would be to have the firewalls working in Active/Passive so only the primary would be routing at one time (or so i understand).  I should also mention that our WAN IPs is only a /30 from our ISP


I had tried to connect the ISP connection to a temp L2 switch and added both firewall ports and the ISP port into the same VLAN but when both ISPs had the connection traffic was being regularly dropped from the first firewall. The HA cables were connected at the time but not configured, would this have caused the issue? Do you require internet connectivity when setting up HA between the devices?


Apologies if this is lots of questions but I am very confused 🙂 I would appreciate the assistance. Thanks!







L4 Transporter

Hello @PearsonSamuel , good afternoon.


I understand you have your two PA-3220. So first you must have as a prerequisite to set up your HA all the connections mirrored, that is, if you want everything to operate correctly when a fail-over condition occurs and the secondary equipment to assume the role of active must be all properly connected in both the main and secondary (Physical / Logical).


First, connection or connections HA1/HA2, for connectivity at HA level. Then if we think of a simple environment, a network/Zone trust, which is facing your LAN(s) and another towards the WAN or Untrust, it should also be mirrored.


Then consider a basic L2 switch, and connect a cable from the WAN of the active Firewall-PA to the basic L2 switch and connect the Passive to that same switch, then connect the switch against your ISP link.


The active assumes connectivity and maintains session synchronization with the secondary via the HA2 connection. If fail-over occurs the passive firewall assumes the role of the active and connectivity in its entirety.

For services such as administration, consider that each firewall has or will have its own access through the MGT, the interface for management and administration, and for the connection to the Internet for update downloads, signatures, license refresh, among others.


Similar to the LAN, in terms of logical/physical connectivity.

Important: Remember that the Active Firewall synchronizes all its network values to the Passive Firewall. So you do not need to configure exactly particular values on the secondary, it synchronizes from the active to the passive.





High Sticker

L0 Member

Hi @Metgatz - thanks for your input it really helped. Sorry for the delay in my response! 


Kind regards,


Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!