You can set up two Palo Alto Networks firewalls as an HA pair; the HA peers should use the same version of PAN-OS and the same content version. HA allows you to minimize downtime by making sure that an alternate firewall is available in the event that the peer firewall fails. The firewalls in an HA pair use dedicated or in-band HA ports on the firewall to synchronize data—network, object, and policy configurations—and to maintain state information. Firewall-specific configuration such as management interface IP address or administrator profiles, HA specific configuration, log data, and the Application Command Center (ACC) information is not shared between peers. For a consolidated application and log view across the HA pair, you must use Panorama, the Palo Alto Networks centralized management system.

When a failure occurs on a firewall in an HA pair and the peer firewall takes over the task of securing traffic, the event is called a Failover. The conditions that trigger a failover are:

You can use Panorama to manage HA firewalls. See Context Switch—Firewall or Panorama in the Panorama Administrator’s Guide.

Palo Alto Networks firewalls support stateful active/passive or active/active high availability with session and configuration synchronization with a few exceptions:

After you understand the HA Concepts, proceed to Set Up Active/Passive HA or Set Up Active/Active HA.