HA Overview
You can configure two Palo Alto Networks firewalls as
an HA pair or configure up to 16 firewalls as peer members of an
HA cluster. The peers in the cluster can be HA pairs or standalone
firewalls. HA allows you to minimize downtime by making sure that
an alternate firewall is available in the event that a peer firewall
fails. The firewalls in an HA pair or cluster use dedicated or in-band
HA ports on the firewall to synchronize data—network, object, and
policy configurations—and to maintain state information. Firewall-specific
configuration such as the management interface IP address or administrator
profiles, HA-specific configuration, log data, and Application
Command Center (ACC) information are not shared between peers.
When a failure occurs on a firewall in an HA pair or HA cluster
and a peer firewall takes over the task of securing traffic, the
event is called a Failover.
The conditions that trigger a failover are:
Palo Alto Networks firewalls support stateful active/passive
or active/active high availability with session and configuration
synchronization, with a few exceptions:
On AWS, when you deploy the firewall
with the Amazon Elastic Load Balancing (ELB) service, it does not
support HA (in this case, the ELB service provides the failover capabilities).
The VM-Series firewall on Google Cloud Platform does not
support HA.