High availability (HA) is a configuration in which two
firewalls are placed in a group and their configuration is synchronized
to prevent a single point of failure on your network. A heartbeat
connection between the firewall peers ensures seamless failover
in the event that a peer goes down. Setting up the firewalls in
a two-device cluster provides redundancy and allows you to ensure
business continuity. In an HA configuration on the VM-Series firewalls,
both peers must be deployed on the same type of hypervisor, have
identical hardware resources (such as CPU cores/network interfaces)
assigned to them, and have the same set of licenses/subscriptions.
For general information about HA on Palo Alto Networks firewalls,
see High Availability.

The VM-Series firewalls support stateful active/passive or active/active
high availability with session and configuration synchronization.
The active/active deployment is supported in virtual wire and Layer
3 deployments on some private cloud hypervisors, and is recommended only
if each firewall needs its own routing instances and you require
full, real-time redundancy out of both firewalls all the time. To
configure the VM-Series firewall as an HA pair, see Configure Active/Passive HA and Configure Active/Active HA.

If you are deploying the VM-Series firewall in the public cloud,
such as on Amazon Web Services (AWS) or Azure, the traditional
HA architecture may not be as relevant because of the innate differences
in how resource or region redundancy is built into the cloud infrastructure
as compared to a private data center. So, to take advantage of native
cloud services and build a resilient architecture that maximizes