VM-Series in High Availability

High availability (HA) is a configuration in which two firewalls are placed in a group and their configuration is synchronized to prevent a single point of failure on your network. A heartbeat connection between the firewall peers ensures seamless failover in the event that a peer goes down. Setting up the firewalls in a two-device cluster provides redundancy and allows you to ensure business continuity. In an HA configuration on the VM-Series firewalls, both peers must be deployed on the same type of hypervisor, have identical hardware resources (such as CPU cores/network interfaces) assigned to them, and have the set same of licenses/subscriptions. For general information about HA on Palo Alto Networks firewalls, see High Availability.
The VM-Series firewalls support stateful active/passive or active/active high availability with session and configuration synchronization. The active/active deployment is supported in virtual wire and Layer 3 deployments, and is recommended only if each firewall needs its own routing instances and you require full, real-time redundancy out of both firewalls all the time. To configure the VM-Series firewall as an HA pair, see Configure Active/Passive HA and Configure Active/Active HA.
If you are deploying the VM-Series firewall in the public cloud, such as on the Amazon Web Services (AWS) or Azure, the traditional HA architecture may not be as relevant because of the innate differences in how resource or region redundancy is built into the cloud infrastructure as compared to a private data center. So, to take advantage of native cloud services and build a resilient architecture that maximizes uptime, see
Features/ Links Supported
ESX
KVM
SDX
AWS
NSX
Hyper-V
Azure
Active/Passive HA
Yes
Yes
Yes
Yes
No
Yes
No
Active/Active HA
Yes
Yes
Yes
No
No
Yes
No
HA 1
Yes
Yes
Yes
Yes
No
Yes
No
HA2—(session synchronization and keepalive)
Yes
Yes
Yes
Yes
No
Yes
No
HA3
Yes
Yes
Yes
No
No
Yes
No

Related Documentation