The firewalls in an Active-Passive HA pair can be assigned a device priority value to indicate a preference for which firewall should assume the active role. If you need to use a specific firewall in the HA pair for actively securing traffic, you must enable the preemptive behavior on both the firewalls and assign a device priority value for each firewall. The firewall with the lower numerical value, and therefore higher priority, is designated as active. The other firewall is the passive firewall.

The same is true for an Active-Active HA pair; however, the device ID is used to assign a device priority value. Similarly, the lower numerical value in device ID corresponds to a higher priority. The firewall with the higher priority becomes active-primary and the paired firewall becomes active-secondary.

By default, preemption is disabled on the firewalls and must be enabled on both firewalls. When enabled, the preemptive behavior allows the firewall with the higher priority (lower numerical value) to resume as active or active-primary after it recovers from a failure. When preemption occurs, the event is logged in the system logs.