01-20-2026 01:05 AM
Hi,
Currently, the customer has a configuration where signature updates are performed on the passive device and then synchronized with the active device.
In this configuration, is it appropriate to perform signature updates on the active device?
Or what are the recommended settings for Palo Alto Active-Passive Mode?
Thank you.
01-20-2026 05:14 AM
Hi @Kyungsoo-Choi ,
I would first ask the customer to clarify how they believe content updates are being synchronized from the passive firewall to the active firewall, or to verify that this is actually happening. Content updates are NOT synchronized via HA. Only configuration elements (policies, objects, settings) are synchronized. Dynamic updates such as App-ID, Threat, AV, and WildFire are installed independently on each firewall.
From a best-practice standpoint, there’s no requirement to install content updates on the passive firewall first and then the active firewall. The recommended approach is to install content updates on both the active and passive firewalls so they remain on the same content version. This ensures consistent security enforcement and predictable behavior during a failover.
Using scheduled content updates (optionally with an install threshold) on both HA peers is the best way to keep them aligned. For example, Advanced WildFire is designed to provide near real-time threat protection, and best practice is to configure real-time WildFire updates. This ensures the firewall retrieves signatures for newly discovered malware as soon as they are published to the WildFire public cloud.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
