VM-Series in High Availability
End-of-Life (EoL)

High availability (HA) is a configuration in which two firewalls are placed in a group and their configuration is synchronized to prevent a single point of failure on your network. A heartbeat connection between the firewall peers ensures seamless failover in the event that a peer goes down. Setting up the firewalls in a two-device cluster provides redundancy and allows you to ensure business continuity. In an HA configuration on the VM-Series firewalls, both peers must be deployed on the same type of hypervisor, have identical hardware resources (such as CPU cores/network interfaces) assigned to them, and have the same set of licenses/subscriptions. For general information about HA on Palo Alto Networks firewalls, see High Availability.
The VM-Series firewalls support stateful active/passive or active/active high availability with session and configuration synchronization. The active/active deployment is supported in virtual wire and Layer 3 deployments on some private cloud hypervisors, and is recommended only if each firewall needs its own routing instances and you require full, real-time redundancy out of both firewalls all the time. To configure the VM-Series firewall as an HA pair, see Configure Active/Passive HA and Configure Active/Active HA.
If you are deploying the VM-Series firewall in the public cloud, such as on Amazon Web Services (AWS) or Azure, you can use the traditional active/passive HA configuration; see High Availability for VM-Series Firewall on AWS and Set up Active/Passive HA on Azure. Alternatively, because of the innate differences in how resource or region redundancy is built into the cloud infrastructure as compared to a private data center, to take advantage of native cloud services and build a resilient architecture that maximizes uptime, see
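
| Features/Links Supported | ESX | KVM | AWS | NSX-V | NSX-T (N/S) | Hyper-V | Azure | GCP | OCI |
|---|---|---|---|---|---|---|---|---|---|
| Active/Passive HA | Yes | Yes | Yes | No | Yes | Yes | Yes | No | Yes |
| Active/Active HA | Yes | Yes | No | No | No | Yes | No | No | No |
| HA1 | Yes | Yes | Yes | No | Yes | Yes | Yes | Yes | Yes |
| HA2 (session synchronization and keepalive) | Yes | Yes | Yes | No | Yes | Yes | Yes | Yes | Yes |
| HA3 | Yes | Yes | No | No | No | Yes | No | No | No |
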
HA1 and HA2 support for the VM-Series on GCP requires PAN-OS 10.0x or later and VM-Series plugin 2.0.5 or later.
High availability for the VM-Series firewall on NSX-T (E/W) is achieved through the NSX-T feature called service health check. This NSX-T feature allows you to simulate high availability in the case of a service instance failing. When configured with the VM-Series firewall, if a VM-Series service instance fails, any traffic directed to that firewall is redirected to another firewall instance in the cluster (for service cluster deployments) or a firewall instance on another host (for host-based deployments). See Configure the Service Definition on Panorama for the VM-Series firewall on NSX-T (E/W) for more information.