Agreed, don't think of Active/Active as Active Primary and Active Secondary. Think of them as equal partners both able to process or hand off the same traffic simultaneously. If you really want to do any kind of traffic management and push certain traffic one direction or the other, you need to do this with your routing protocols and NOT a setting on the firewall. Usually this is done by using Anycast with your default gateway so that two physically disparate locations will prefer the Firewall closest to them and not have to traverse or hairpin through some kind of site-to-site interconnect. Does this help?

PS - I love PAN's Active/Active implementation but I only consider it for very specific use cases. If your firewalls are stacked together at the same location, you most likely should be using Active/Passive instead. The goal of Active/Active is NOT to increase throughput. If this is the mindset you are taking, you will most likely be VERY disappointed.