HA Overview
You can set up two Palo Alto Networks firewalls as an
HA pair; the HA peers should use the same version of PAN-OS and
the same content version. HA allows you to minimize downtime by
making sure that an alternate firewall is available in the event
that the peer firewall fails. The firewalls in an HA pair use dedicated
or in-band HA ports on the firewall to synchronize data—network,
object, and policy configurations—and to maintain state information.
Firewall-specific configuration (such as the management interface IP
address or administrator profiles), HA-specific configuration, log
data, and Application Command Center (ACC) information are not
shared between peers. For a consolidated application and log view
across the HA pair, you must use Panorama, the Palo Alto Networks
centralized management system.
When a failure occurs on a firewall in an HA pair and the peer
firewall takes over the task of securing traffic, the event is called
a failover.
The conditions that trigger a failover are:
Palo Alto Networks firewalls support stateful active/passive
or active/active high availability with session and configuration
synchronization, with a few exceptions:
On AWS, when you deploy the firewall with the Amazon Elastic Load Balancing (ELB) service, it does not support HA (in this case, the ELB service provides the failover capabilities).
The VM-Series firewall on Google Cloud Platform does not support HA.