12-12-2025 02:19 AM
I would like to deploy GP firewalls in Azure, I would like to configure 2 firewalls which are working active-active to have always some protection if one availability zone will have maintenance always second fw will handle the traffic. I was think to have 2 portals and 2 gateways, on 2 different Public IP which will be resolved on one DNS name. Did some one have similar configuration on Azure and deployed 2 Global Protect firewalls ? Or other solution which will cover HA in Azure for GP ?
12-12-2025 07:05 AM
Trying Active/Active HA in Azure for VM-Series — not the supported cloud pattern. Use A/P HA:
https://docs.paloaltonetworks.com/vm-series/11-0/vm-series-deployment/set-up-the-vm-series-firewall-...
12-12-2025 07:30 AM
Thanks BorislavP for your comment, A/P HA in Azure could take 3min to failover. I would like to setup 2 firewalls without additional interface for HA as on premises/hardware appliances. This will be regular Azure deployment with 2 firewalls and 3 interfaces, public , private and mgmt.
https://www.paloaltonetworks.com/resources/guides/azure-transit-vnet-deployment-guide
But cannot find any guide for GP firewalls in Azure
12-12-2025 08:03 AM
Even though there is no single guide, this design is fully covered by the following official Palo Alto Networks documents:
VM-Series on Azure (deployment only)
Set Up the VM-Series Firewall on Azure
https://docs.paloaltonetworks.com/vm-series/11-1/vm-series-deployment/set-up-the-vm-series-firewall-...
GlobalProtect – Multiple Gateways (this is the “HA guide”)
Configure Multiple GlobalProtect Gateways
https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-quick-configs...
GlobalProtect Architecture overview
https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-architecture
About GlobalProtect Gateways and Portals
https://docs.paloaltonetworks.com/globalprotect
12-13-2025 01:33 PM
Hello @bxbukows
similar topic came up in this thread: GlobalProtect Design Question. In nutshell you can solve this active / active scenario by building 2 VM Firewalls with all GP setting and let Azure Traffic Manager to distribute the load to each of the VM based on Traffic Manager's traffic routing method: Traffic Manager routing methods.
Kind Regards
Pavel
12-16-2025 12:50 AM
Thx PavelK, with this configuration both firewalls will have configuration GP gateway and Portal, I know on premise solution with one GP Portal and many GP Gateways. Not sure how to build 2 GP Portals, because I would like to have one Portal DNS name gp.company.com, when there will be 2 GP Portals not sure if there will be 2 different names, user need to configure on GP app Portal name, so it could be situation one Portal will be most occupied and second will be almost free?
12-17-2025 09:30 PM
Nebiw here. But Isn't the PA Global Protect kind of RAS or VPN, instead of Firewall? I thought GP was kind of device for VPN Gateway/Express Route, and PA VMSeries equivalent to azure firewall in Auzre landscape.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
