Failover Traffic from Palo Alto Active Firewall to Passive Firewall:



  1. Login to the active device through webui https://PA-FW-IP-Address
  2. Go to Device
  3. Click on high availability
  4. Click on Operational Commands
  5. Click “Suspend local device”
  6. The secondary firewall will now move to Active status.

Bring back affected firewall to production:

  1. Once all issues on the previously active firewall are fixed, bring it back to production using the steps below.
  2. Go to Device through the webui https://PA-FW-IP-Address
  3. Click on high availability
  4. Go to Operational Commands.
  5. Click on “Make local device functional”.
  6. Both devices now return to the Active/Passive state.

AWS Cloud Security Configuration Check List:

Identity and Access Management:

  1. Avoid the use of the “root” account
  2. Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password.
  3. Implement strong IAM password policies across accounts.

Logging:

  1. Ensure that CloudTrail is enabled in all regions.
  2. Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible.

Monitoring:

  1. Ensure a log metric filter and alarm exist for usage of the “root” account.
  2. Ensure a log metric filter and alarm exist for IAM policy changes.

Networking:

  1. Ensure no security groups allow ingress from 0.0.0.0/0 to port 22.
  2. Ensure the default security group of every VPC restricts all traffic.
  3. Ensure routing tables for VPC peering are “least access”.
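As an added example (not from the original checklist), the two security-group items above can be checked offline over the dict shape that boto3's `ec2.describe_security_groups()` returns; the sample groups below are constructed, and the check also handles the `-1` all-protocols rule and the IPv6 `::/0` source, which a port-22-only string match would miss.

```python
# Added example: offline checks for two checklist items, open SSH ingress and
# unrestricted default security groups, over the dict shape returned by
# boto3 ec2.describe_security_groups(). The sample data is constructed.

ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"

def _covers_port(rule, port):
    """True if the ingress rule applies to TCP `port` ('-1' means all protocols)."""
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)

def _from_anywhere(rule):
    """True if the rule's source includes the whole IPv4 or IPv6 internet."""
    return any(r.get("CidrIp") == ANY_V4 for r in rule.get("IpRanges", [])) or \
        any(r.get("CidrIpv6") == ANY_V6 for r in rule.get("Ipv6Ranges", []))

def open_ssh_ingress(response, port=22):
    """IDs of groups allowing ingress from anywhere to `port` (checklist item 1)."""
    return sorted(g["GroupId"] for g in response["SecurityGroups"]
                  if any(_covers_port(r, port) and _from_anywhere(r)
                         for r in g.get("IpPermissions", [])))

def unrestricted_default_groups(response):
    """IDs of 'default' groups that still carry any ingress or egress rule (item 2)."""
    return sorted(g["GroupId"] for g in response["SecurityGroups"]
                  if g.get("GroupName") == "default"
                  and (g.get("IpPermissions") or g.get("IpPermissionsEgress")))

# Constructed sample: one group open on 22/tcp, one allowing every protocol
# from ::/0, one compliant group, and a default group that still permits egress.
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-ssh-open", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": ANY_V4}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-all", "GroupName": "legacy", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": ANY_V6}]}]},
    {"GroupId": "sg-ok", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": ANY_V4}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-default", "GroupName": "default", "IpPermissions": [],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": ANY_V4}]}]},
]}
```

Against a real account, pass the result of `describe_security_groups()` for each region in place of `SAMPLE`; any group ID returned is a finding for the corresponding checklist item.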