End-of-Life (EoL)
High availability (HA) is a configuration in which two firewalls are placed in a group and their configuration is synchronized to prevent a single point of failure on your network. A heartbeat connection between the firewall peers ensures seamless failover in the event that a peer goes down. Setting up the firewalls in a two-device cluster provides redundancy and allows you to ensure business continuity. In an HA configuration on the VM-Series firewalls, both peers must be deployed on the same type of hypervisor, have identical hardware resources (such as CPU cores/network interfaces) assigned to them, and have the set same of licenses/subscriptions. For general information about HA on Palo Alto Networks firewalls, see High Availability.
The VM-Series firewalls support stateful active/passive or active/active high availability with session and configuration synchronization. The only exceptions are the following:
The VM-Series firewall in the Amazon Web Services (AWS) cloud supports active/passive HA only. For details, see High Availability for VM-Series Firewall in AWS. HA is not relevant for the VM-Series NSX Edition firewall.
The active/active deployment is supported in virtual wire and Layer 3 deployments, and is only recommended for networks with asymmetric routing.
Features/ Links Supported ESX KVM SDX AWS NSX Hyper-V Azure
Active/Passive HA Yes Yes Yes Yes No Yes No
Active/Active HA Yes Yes Yes No No Yes No
HA 1 Yes Yes Yes Yes No Yes No
HA2—(session synchronization and keepalive) Yes Yes Yes Yes No Yes No
HA3 Yes Yes Yes No No Yes No
For instructions on configuring the VM-Series firewall as an HA pair, see Configure Active/Passive HA and Configure Active/Active HA.

Recommended For You