Set up Active/Passive HA on Google Cloud Platform
Configure a pair of VM-Series firewalls hosted in the GCP in an active/passive high availability (HA) configuration.
Where Can I Use This?
  • Google Cloud Platform (GCP)
What Do I Need?
  • VM-Series License (PAYG or BYOL)
  • VM-Series plugin
  • Panorama
  • Panorama plugin for GCP
You can configure a pair of VM-Series firewalls hosted in Google Cloud Platform (GCP) in an active/passive high availability (HA) configuration. For HA on GCP, you must deploy both firewall HA peers within the same Resource Group and you must install the same version of the VM-Series Plugin on both HA peers.
Deploying an Active/Passive high availability pair of VM-Series firewalls hosted in GCP provides benefits such as:
  • Synchronization across all Palo Alto Networks configuration.
  • Stateful synchronization between instances to maintain state on failover.
  • Controlled HA failover in approximately 3 seconds.
The architecture closely resembles the traditional load balancer (LB) architecture recommended for GCP, in which an external LB manages the untrust traffic and an internal LB manages the trust/egress or east-west traffic.
The VM-Series firewalls are deployed as an active/passive pair, and NIC 3 is dedicated to the HA2 interface of each VM-Series firewall.
The HA setup on GCP supports connection tracking, which tracks a connection from an external client through the external LB to the firewall backend. During a firewall failover, the LBs carry the connections over to the secondary firewall (which now becomes active) without disruption.
The internal LBs (backend pool) are set to active/active, but the standby firewall does not process any traffic. The LBs perform health checks; when they detect that the active firewall is down and the standby firewall has become active, they run a health check against the new active firewall, and traffic is then distributed to the firewall that has become active.
Note: GCP HA supports interface connection tracking. However, for conditions beyond the interfaces themselves (such as rules in the Google infrastructure that block health checks), LB health checks are not tracked as part of the HA transition.
The following are the use cases for deploying HA in GCP:
  • IPSec termination of site-to-site VPNs.
  • Legacy applications that need visibility of the original source client IP (No SNAT solution) for inbound traffic flows.
  • Requirements for session failover on failure of the VM-Series firewall.