How to failover traffic from Palo Alto Active firewall to passive device:

  1. For redundancy, deploy your Palo Alto Networks next-generation firewalls in a high availability configuration. There are two HA deployments:
    active/passive—In this deployment, the active peer continuously synchronizes its configuration and session information with the passive peer over two dedicated interfaces. In the event of a hardware or software disruption on the active firewall, the passive firewall becomes active automatically without loss of service. Active/passive HA deployments are supported with all interface modes—virtual-wire, Layer 2 or Layer 3.
  2. active/active—In this deployment, both HA peers are active and processing traffic. Such deployments are most suited for scenarios involving asymmetric routing or in cases where you want to allow dynamic routing protocols (OSPF, BGP) to maintain active status across both peers. Active/active HA is supported only in the virtual-wire and Layer 3 interface modes. In addition to the HA1 and HA2 links, active/active deployments require a dedicated HA3 link. HA3 link is used as packet forwarding link for session setup and asymmetric traffic handling.
  3. In an HA pair, both peers must be of the same model, must be running the same PAN-OS and Content Release version, and must have the same set of licenses. In addition, for the VM-Series firewalls, both peers must be on the same hypervisor and must have the same number of CPU cores allocated on each peer.
  4. Important Considerations for Configuring HA
    The subnet that is used for the local and peer IP should not be used anywhere else on the virtual router.
    The OS and Content Release versions should be the same on each firewall. A mismatch can prevent peer firewalls from synchronizing.
    The LEDs are green on the HA ports for the active firewall and amber on the passive firewall.
    To compare the configuration of the local and peer firewalls, using the Config Audit tool on the Device tab by selecting the desired local configuration in the left selection box and the peer configuration in the right selection box.
    Synchronize the firewalls from the web interface by clicking Push Configuration in the HA widget on the Dashboard. Note that the configuration on the firewall from which you push the configuration overwrites the configuration on the peer firewall. To synchronize the firewalls from the CLI on the active firewall, use the command request high-availability sync-to-remote running-config.

 To failover traffic from active device to passive :

 Failover on the current active member with the CLI command:
CLI:

 request high-availability state suspend

Webui:

From the WebGUI > Device > High Availability > Operational Commands – click Suspend local device

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s