You can configure two Palo Alto Networks firewalls as an HA pair or configure up to 16 firewalls as peer members of an HA cluster. The peers in the cluster can be HA pairs or standalone firewalls. HA allows you to minimize downtime by making sure that an alternate firewall is available in the event that a peer firewall fails. The firewalls in an HA pair or cluster use dedicated or in-band HA ports on the firewall to synchronize data—network, object, and policy configurations—and to maintain state information. Firewall-specific configuration such as management interface IP address or administrator profiles, HA specific configuration, log data, and the Application Command Center (ACC) information is not shared between peers.

For a consolidated application and log view across an HA pair, you must use Panorama, the Palo Alto Networks centralized management system. See Context Switch—Firewall or Panorama in the Panorama Administrator’s Guide. Consult the Prerequisites for Active/Passive HA and Prerequisites for Active/Active HA. It is highly recommended that you use Panorama to provision HA cluster members. Consult the HA Clustering Best Practices and Provisioning.

When a failure occurs on a firewall in an HA pair or HA cluster and a peer firewall takes over the task of securing traffic, the event is called a Failover. The conditions that trigger a failover are:

Palo Alto Networks firewalls support stateful active/passive or active/active high availability with session and configuration synchronization with a few exceptions:

Begin by understanding the HA Concepts and the HA Clustering Overview if you are going to configure HA clustering.