Device Priority and Preemption


Learn how Palo Alto Networks NGFWs use device priority and preemption to assign HA roles.
Where Can I Use This?
  • NGFW (Managed by Strata Cloud Manager)
  • NGFW (Managed by PAN-OS or Panorama)
What Do I Need?
For Strata Cloud Manager managed NGFWs:
  • Strata Cloud Manager Pro
In high-availability (HA) firewall pairs, device priority and preemption work together to determine which firewall acts as the primary, or active, unit. These settings are crucial for managing failover behavior and ensuring consistent traffic flow.
Each firewall in an Active-Passive HA pair can be assigned a device priority value to indicate a preference for which firewall should assume the active role. If you need a specific firewall in the HA pair to actively secure traffic, you must enable preemption on both firewalls and assign a device priority value to each firewall. The firewall with the lower numerical value, and therefore the higher priority, is designated as active. The other firewall is the passive firewall. When both firewalls are healthy and online, the one with the higher priority assumes the active role. If both firewalls have the same priority, other factors like the MAC address of the HA link may be used as a tie-breaker.
The same is true for an Active-Active HA pair; however, the device ID is used to assign a device priority value. Similarly, a lower numerical device ID corresponds to a higher priority. The firewall with the higher priority becomes active-primary and the paired firewall becomes active-secondary.
By default, preemption is disabled on the firewalls and must be enabled on both firewalls. When enabled, the preemptive behavior allows the firewall with the higher priority (lower numerical value) to resume as active or active-primary after it recovers from a failure. When preemption occurs, the event is logged in the system logs.
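
A simplified model of the election rules described above, added here as an illustration and not Palo Alto Networks code. The `HAPeer` fields, function names, and priority values are hypothetical and constructed; the model assumes preemption has no effect unless both peers enable it, and it does not model the equal-priority tie-breaker.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class HAPeer:
    name: str
    device_priority: int      # lower numerical value = higher priority
    preemptive: bool = False  # preemption is disabled by default


def preferred_peer(a: HAPeer, b: HAPeer):
    """Return the peer with the lower numerical priority, or None on a tie."""
    if a.device_priority == b.device_priority:
        return None
    return a if a.device_priority < b.device_priority else b


def audit_pair(a: HAPeer, b: HAPeer) -> list:
    """List settings that stop the intended firewall from reliably being active."""
    findings = []
    if preferred_peer(a, b) is None:
        findings.append("equal device priority: role is left to a tie-breaker")
    for peer in (a, b):
        if not peer.preemptive:
            findings.append(f"preemption disabled on {peer.name}")
    return findings


def active_after_recovery(a: HAPeer, b: HAPeer, current_active: str) -> str:
    """Predict the active peer once both firewalls are healthy again.

    current_active is the name of the peer that took over during the failure.
    """
    preferred = preferred_peer(a, b)
    if preferred is not None and a.preemptive and b.preemptive:
        return preferred.name  # higher-priority peer resumes the active role
    return current_active      # assumption: without preemption, roles stay put


if __name__ == "__main__":
    # Constructed sample pair: fw-a is the intended active unit.
    fw_a = HAPeer("fw-a", device_priority=50, preemptive=True)
    fw_b = HAPeer("fw-b", device_priority=100, preemptive=False)
    print(audit_pair(fw_a, fw_b))
    print(active_after_recovery(fw_a, fw_b, current_active="fw-b"))
```

In the constructed pair, fw-a has the better priority but does not reclaim the active role after recovering, because preemption is enabled on only one peer.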