Palo Alto Networks recommends deploying Panorama in an HA configuration so that the Panorama peer
continues to receive IP address updates in the event of a failure. If you deploy
a single instance of Panorama and it fails, traffic from existing application
pods is not impacted, and the current policies continue to be enforced on the
CN-NGFW pods. When a new pod comes up, all the rules with the source "ANY" will
match this new pod, and traffic from this new pod will be allowed or blocked
depending on your policy rules. For example, if there is an Anti-Spyware policy
rule to block outbound access from any source to the outside world, then this
rule will apply to the new pod, and the profile can secure traffic. If there is
a default Deny rule, then traffic from this new pod will be denied.
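The behaviour described above can be checked against a rulebase before an outage happens. The following Python sketch is an added example, not Palo Alto Networks code: it assumes a simplified model in which rules are evaluated top-down with first match winning and a rule's source is either "any" or the set of pod IPs last received from Panorama. All rule names and IP addresses are constructed.

```python
# Simplified model (assumption): top-down, first-match rule evaluation.
# A rule's source is "any" or the set of pod IPs learned from Panorama
# before it failed. Rule names and addresses below are constructed samples.

def first_match(rules, src_ip):
    """Return (rule name, action) for the first rule whose source covers src_ip."""
    for rule in rules:
        if rule["source"] == "any" or src_ip in rule["source"]:
            return rule["name"], rule["action"]
    return None, "no-match"

def rules_reaching_new_pods(rules):
    """Rules that can still match a pod created while Panorama is down."""
    return [r["name"] for r in rules if r["source"] == "any"]

def outage_report(rules, known_ips, new_ip):
    """Effective rule for each existing pod and for a pod created during the outage."""
    report = {ip: first_match(rules, ip) for ip in sorted(known_ips)}
    report[new_ip] = first_match(rules, new_ip)
    return report

# IPs the firewall already knew about when Panorama failed (constructed).
FRONTEND_PODS = {"10.1.0.11", "10.1.0.12"}
NEW_POD = "10.1.0.99"  # created during the outage, so no update was received

RULES_WITH_BLOCK = [
    {"name": "frontend-egress", "source": FRONTEND_PODS, "action": "allow"},
    {"name": "block-outbound-any", "source": "any", "action": "block"},
]
RULES_DEFAULT_DENY = [
    {"name": "frontend-egress", "source": FRONTEND_PODS, "action": "allow"},
    {"name": "default-deny", "source": "any", "action": "deny"},
]

if __name__ == "__main__":
    for label, rules in (("block rule", RULES_WITH_BLOCK),
                         ("default deny", RULES_DEFAULT_DENY)):
        print(label, "-> rules reaching new pods:", rules_reaching_new_pods(rules))
        for ip, (name, action) in outage_report(rules, FRONTEND_PODS, NEW_POD).items():
            print(f"  {ip:<10} {name:<20} {action}")
```

Existing pods keep matching `frontend-egress`, while the new pod falls through to whichever source-"any" rule comes first, which is the rule to review when planning for a single-instance Panorama failure.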