High Availability

Learn how high availability provides redundancy and synchronization between firewalls to prevent a single point of failure.
Where Can I Use This?
  • NGFW (Managed by Strata Cloud Manager)
  • NGFW (Managed by PAN-OS or Panorama)
What Do I Need?
For Strata Cloud Manager managed NGFWs:
  • Strata Cloud Manager Pro
High availability (HA) is a deployment in which two firewalls are placed in a group, or up to 16 firewalls are placed in an HA cluster, and their configuration is synchronized to prevent a single point of failure on your network. A heartbeat connection between the firewall peers ensures seamless failover in the event that a peer goes down. Setting up HA provides redundancy and allows you to ensure business continuity.
You can configure two Palo Alto Networks firewalls as an HA pair or configure up to 16 firewalls as peer members of an HA cluster. The peers in the cluster can be HA pairs or standalone firewalls. HA allows you to minimize downtime by making sure that an alternate firewall is available in the event that a peer firewall fails. The firewalls in an HA pair or cluster use dedicated or in-band HA ports on the firewall to synchronize data (network, object, and policy configurations) and to maintain state information. Firewall-specific configuration (such as the management interface IP address or administrator profiles), HA-specific configuration, log data, and Application Command Center (ACC) information are not shared between peers.
For a consolidated application and log view across an HA pair, you must use Panorama, the Palo Alto Networks centralized management system. See Context Switch—Firewall or Panorama in the Panorama Administrator’s Guide. Consult Set Up Active/Passive HA and Set Up Active/Active HA. It is highly recommended that you use Panorama to provision HA cluster members. Consult HA Clustering Best Practices and Provisioning.
When a failure occurs on a firewall in an HA pair or HA cluster and a peer firewall takes over the task of securing traffic, the event is called a Failover. The conditions that trigger a failover are:
Palo Alto Networks firewalls support stateful active/passive or active/active high availability with session and configuration synchronization, with a few exceptions:
  • The VM-Series firewall on Azure and VM-Series firewall on AWS support active/passive HA only.
    On AWS, when you deploy the firewall with the Amazon Elastic Load Balancing (ELB) service, it does not support HA (in this case, the ELB service provides the failover capabilities).
  • The VM-Series firewall on Google Cloud Platform does not support HA.