In an HA active/active configuration, both firewalls
are active simultaneously, which means packets can be distributed
between them. Such distribution requires the firewalls to fulfill
two functions: session ownership and session setup. Typically, each
firewall of the pair performs one of these functions, thereby avoiding race
conditions that can occur in asymmetrically routed environments.
You configure the session owner of sessions to be either the
firewall that receives the First Packet of a new session from the
end host or the firewall that is in active-primary state (the Primary
device). If Primary device is configured, but the firewall that
receives the first packet is not in active-primary state, the firewall forwards
the packet to the peer firewall (the session owner) over the HA3
The session owner performs all Layer 7 processing, such as App-ID,
Content-ID, and threat scanning for the session. The session owner
also generates all traffic logs for the session.
If the session owner fails, the peer firewall becomes the session
owner. The existing sessions fail over to the functioning firewall
and no Layer 7 processing is available for those sessions. When
a firewall recovers from a failure, by default, all sessions it
owned before the failure revert back to that original firewall;
Layer 7 processing does not resume.
If you configure session ownership to be Primary device, the
session setup defaults to Primary device also.
Palo Alto Networks recommends setting
the Session Owner to First Packet and the Session Setup to IP Modulo
unless otherwise indicated in a specific use case. Setting the Session
Owner to First Packet reduces traffic across the HA3 link and helps
distribute the dataplane load across peers.
Setting Session Owner and Session Setup to Primary Device
causes the active-primary firewall to perform all traffic processing.
You might want to configure this for one of these reasons:
are troubleshooting and capturing logs and pcaps, so that packet
processing is not split between the firewalls.