: Device > High Availability
Focus
Focus

Device > High Availability

Table of Contents
End-of-Life (EoL)

Device > High Availability

  • Device > High Availability
For redundancy, deploy your Palo Alto Networks next-generation firewalls in a high availability
configuration. There are two HA deployments:
  • active/passive—In this deployment, the active peer continuously synchronizes its configuration and session information with the passive peer over two dedicated interfaces. In the event of a hardware or software disruption on the active firewall, the passive firewall becomes active automatically without loss of service. Active/passive HA deployments are supported with all interface modes: virtual-wire, Layer 2 or Layer 3.
  • active/active—In this deployment, both HA peers are active and processing traffic. Such deployments are most suited for scenarios involving asymmetric routing or in cases where you want to allow dynamic routing protocols (OSPF, BGP) to maintain active status across both peers. Active/active HA is supported only in the virtual-wire and Layer 3 interface modes. In addition to the HA1 and HA2 links, active/active deployments require a dedicated HA3 link. HA3 link is used as packet forwarding link for session setup and asymmetric traffic handling.
    In an HA pair, both peers must be of the same model, must be running the same PAN-OS and Content Release version, and must have the same set of licenses.
    In addition, for the VM-Series firewalls, both peers must be on the same hypervisor and must have the same number of CPU cores allocated on each peer.