Sorry for putting a question out there without a lot of detail. So here are the details:

We have an active/active HA cluster. We are monitoring the inside interface via the link-monitoring feature and asking the firewall to fail over when the interface goes down. When the inside interface goes down on any one of the nodes, that firewall goes into tentative state, and that is what we want. We are only concerned about the new sessions, not the existing sessions. We have all new sessions for traffic coming from inside going to the outside zone starting at the active firewall, so the active firewall is the session owner and the session setup firewall. Also, we are forcing asymmetric return traffic so it comes back over the outside interface of the tentative firewall.

The HTTP, ping, telnet and all other non-encrypted traffic that is returning on the tentative firewall goes over HA3 to the active firewall and then to inside, and we are good. We have issues with SSL and SSH (encrypted traffic): when this traffic comes to the tentative firewall, it does not go over the HA3 link to the active firewall. The tentative firewall offloads the traffic. The tentative firewall handles this traffic itself and drops it, as the inside interface is down and the only route in the routing table is the default 0.0.0.0/0 route; it tries to send it out the outside interface, and as there is a zone change, it drops it. We are not decrypting traffic, as the customer has another device that handles it and does not want Palo Alto to do decryption.

So the question I am posing to the community at large is whether anyone has seen this and, more importantly, whether the expectation that the tentative firewall should not forward packets over any interface other than the HA interfaces is an unreasonable expectation. I do have an open case with Palo Alto Support, and I am told that it is by design and it is expected behavior!!

I would agree that this is expected behavior when the firewall is not in tentative state, to allow efficient packet forwarding in layer 3 mode, but this should not be the expected behavior when the firewall is in tentative state!! What do you guys think?? The explanation given by Palo Alto support is that the session is layer 7 complete and therefore the firewall does not send it over to the session owner, but my contention is that the reason we are failing over and have the firewall in tentative state is that we do not want this firewall to forward any packets over any interfaces other than the HA links. Just FYI, we are only doing static routing on the firewalls; that is what works for the customer. Thanks