For redundancy, deploy your Palo Alto Networks next-generation
firewalls in a high availability
configuration. There are two HA deployments:
active/passive—In this deployment, the active peer continuously
synchronizes its configuration and session information with the
passive peer over two dedicated interfaces. In the event of a hardware
or software disruption on the active firewall, the passive firewall
becomes active automatically without loss of service. Active/passive
HA deployments are supported with all interface modes: virtual-wire,
Layer 2 or Layer 3.
active/active—In this deployment, both HA peers are active
and processing traffic. Such deployments are most suited for scenarios involving
asymmetric routing or in cases where you want to allow dynamic routing
protocols (OSPF, BGP) to maintain active status across both peers.
Active/active HA is supported only in the virtual-wire and Layer
3 interface modes. In addition to the HA1 and HA2 links, active/active
deployments require a dedicated HA3 link. HA3 link is used as packet
forwarding link for session setup and asymmetric traffic handling.
an HA pair, both peers must be of the same model, must be running
the same PAN-OS and Content Release version, and must have the same
set of licenses.
In addition, for the VM-Series firewalls,
both peers must be on the same hypervisor and must have the same
number of CPU cores allocated on each peer.