Hi @OMatlock, here are a few tips from the field that may be of assistance to you.

Control Link (HA1) Monitor Hold Time

To monitor the health of the Primary HA1 interface, an additional “Monitor Hold Time” timer is used to detect a failed Primary HA1 condition. If three heartbeats or hello messages are missed between the HA devices, the HA1 Monitor Hold Time will be consulted to determine the amount of time the HA device should wait before declaring a failed Primary HA1 connection. The default is 3000 ms. Once a failed Primary HA1 condition has occurred, the units will log the appropriate information into the system logs and fail over to the Backup HA1 or Management interface, depending on how the HA1 backup is configured.

Recommendation: If you have a Backup HA1 interface configured, lowering this value will allow a faster failover to the backup HA1 links. Leaving the value at the default of 3000 ms is recommended for most HA implementations. The range for the HA1 Monitor Hold Time is 1000 to 60000 ms. I personally cut this time in half and put 1500 ms instead.

Passive Link State Auto Configuration (A/P)

An important fact to consider when designing an Active/Passive HA architecture is that the traffic forwarding links on the passive device default to a “Shutdown” state. In the shutdown state, upstream and downstream devices connected to the passive device will not see a valid path until the passive firewall becomes active. The Passive Link State Auto Configuration feature allows you to bring up the passive device’s traffic forwarding links to reduce the failover time. It does this by bringing the interfaces on the firewall to a “link up” state, but blocks inbound and outbound traffic to the interfaces until the passive unit becomes active. This helps to reduce failover times by eliminating the need to go through port learning and negotiation phases right after a failover to the passive device, and can reduce failover times by approximately one to two seconds.

The Passive Link State Auto Configuration setting is enabled under Device > High Availability > Election Settings. The Passive Link State defaults to “Shutdown” and should be set to “Auto” to facilitate faster failover times and to force the link status of the neighboring devices to be in the “link up” state. When the Passive Link State is set to “Auto”, the HA device in the “passive” state will not forward traffic or respond to ARP requests. I like this option, because we are able to avoid the gratuitous ARP delay with upstream and downstream devices. If you set the passive link state to "Shutdown", you will notice that the standby appliance will have all its ports in a shutdown state, hence delaying the failover due to the ARP responses.

For more details, refer to the following link: https://live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/documentation_tkb/543/2/HA_Failover_Optimization-RevC.pdf

As for your DNAT rules, the only advice I always give to my clients is to ensure that they do not have Proxy-ARP configured in the upstream switch or router. If they do, I always advise either changing it accordingly a few minutes prior to the cutover start time and then clearing the MAC address table, or in some cases completely removing it if at all possible. In some cases, because the upstream switch or router is not managed by the client, they will need to open a case with their ISP, which may delay your cutover window, so having this figured out beforehand is always best practice.

Another piece of advice is to open a proactive case with Palo Alto eTAC support, giving basic details of the activity that you will be performing. This helps to speed up support if you call out of the blue because you are having issues or questions, so you don't have to explain things from the very beginning. That was advice from one of the Palo Alto SEs in my region, and I have been very successful in doing so. Of course, 90% of the time you never even end up calling them, but better safe than sorry.

I hope it helps.

Willian
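As an added example (not part of the post above, and not Palo Alto Networks code), a small pre-cutover check that reads the two HA election settings discussed in the post from a config export and flags a passive link state that is still "shutdown" or an HA1 monitor hold time that is at the default or outside the 1000-60000 ms range. The XML layout and element names (election-option, passive-link-state, interface/ha1/monitor-hold-time) are assumptions modelled loosely on a PAN-OS export, and the sample config is constructed, so adapt the paths to a real export before relying on it.

```python
import xml.etree.ElementTree as ET

# Constructed sample in a PAN-OS-like layout. Element names are assumed for
# illustration; verify them against a real config export before use.
SAMPLE_CONFIG = """<config>
  <deviceconfig>
    <high-availability>
      <group>
        <election-option>
          <passive-link-state>shutdown</passive-link-state>
        </election-option>
        <interface>
          <ha1>
            <monitor-hold-time>3000</monitor-hold-time>
          </ha1>
        </interface>
      </group>
    </high-availability>
  </deviceconfig>
</config>"""

# Values stated in the post: default 3000 ms, valid range 1000-60000 ms.
HOLD_MIN_MS, HOLD_MAX_MS, HOLD_DEFAULT_MS = 1000, 60000, 3000


def review_ha_settings(config_xml: str) -> list[str]:
    """Return a list of findings (empty list means nothing to change)."""
    root = ET.fromstring(config_xml)
    group = root.find("./deviceconfig/high-availability/group")
    if group is None:
        return ["no HA group found in config"]
    findings = []
    # Passive link state: "auto" keeps the passive unit's links up (no traffic,
    # no ARP replies) so neighbours skip port learning after a failover.
    state = group.findtext("election-option/passive-link-state", default="shutdown")
    if state.lower() != "auto":
        findings.append(f"passive-link-state is '{state}'; set it to 'auto' for faster failover")
    # HA1 monitor hold time: absent means the platform default of 3000 ms.
    raw = group.findtext("interface/ha1/monitor-hold-time")
    hold_ms = int(raw) if raw is not None else HOLD_DEFAULT_MS
    if not HOLD_MIN_MS <= hold_ms <= HOLD_MAX_MS:
        findings.append(f"ha1 monitor-hold-time {hold_ms} ms is outside {HOLD_MIN_MS}-{HOLD_MAX_MS} ms")
    elif hold_ms == HOLD_DEFAULT_MS:
        findings.append("ha1 monitor-hold-time is at the 3000 ms default; lower it only if a backup HA1 link exists")
    return findings


if __name__ == "__main__":
    for line in review_ha_settings(SAMPLE_CONFIG):
        print("FINDING:", line)
```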