Palo Alto: High Availability – Failover-Testing

You can deploy Palo Alto firewalls in active/passive pairs. If the active firewall fails for any reason, the passive firewall becomes active automatically with no loss of service. A failover can be triggered by any of the following:

  • One or more monitored interfaces fail
  • One or more specified destinations cannot be pinged by the active firewall
  • The active device does not respond to heartbeat polls

You need two Palo Alto Networks firewalls of the same model number. Configure the management ports, and attach the management port of each device to the network. Load licenses on each device. Make sure that the licenses match: if you have a threat license for one, you need a threat license for the other. Install the latest PAN-OS on each one, as well as the latest threat database.

Today I was trying out the high availability functionality. The outcome was positive, with only 2 pings not delivered. After today I feel like I can really trust these machines, since they are appreciably stable and reliable.
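
One way to put a number on a failover test like the one above is to run a continuous ping through the pair while triggering the failover, then look for gaps in the reply sequence numbers. The script below is an added example, not part of the original post: the log is constructed, it assumes Linux iputils `ping` output at a 1-second interval, and the function names are hypothetical.

```python
import re

# Only real echo replies count; "Destination Host Unreachable" lines also
# carry an icmp_seq but mean the probe was NOT delivered.
REPLY_RE = re.compile(r"bytes from .*icmp_seq=(\d+)")

# Constructed sample: `ping -i 1 192.0.2.10` running through the HA pair
# while the active firewall is failed over.
SAMPLE_PING_LOG = """\
PING 192.0.2.10 (192.0.2.10) 56(84) bytes of data.
64 bytes from 192.0.2.10: icmp_seq=1 ttl=62 time=0.52 ms
64 bytes from 192.0.2.10: icmp_seq=2 ttl=62 time=0.49 ms
64 bytes from 192.0.2.10: icmp_seq=3 ttl=62 time=0.51 ms
64 bytes from 192.0.2.10: icmp_seq=4 ttl=62 time=0.50 ms
64 bytes from 192.0.2.10: icmp_seq=5 ttl=62 time=0.53 ms
From 192.0.2.1 icmp_seq=6 Destination Host Unreachable
64 bytes from 192.0.2.10: icmp_seq=8 ttl=62 time=1.87 ms
64 bytes from 192.0.2.10: icmp_seq=8 ttl=62 time=1.90 ms (DUP!)
64 bytes from 192.0.2.10: icmp_seq=9 ttl=62 time=0.55 ms
64 bytes from 192.0.2.10: icmp_seq=10 ttl=62 time=0.50 ms
"""

def received_sequences(log_text):
    """Sorted, de-duplicated icmp_seq numbers that got an echo reply."""
    seqs = set()
    for line in log_text.splitlines():
        match = REPLY_RE.search(line)
        if match:
            seqs.add(int(match.group(1)))
    return sorted(seqs)

def loss_windows(seqs):
    """(first_missing, last_missing) for each gap between received replies."""
    return [(prev + 1, cur - 1)
            for prev, cur in zip(seqs, seqs[1:]) if cur - prev > 1]

def failover_report(log_text, interval_s=1.0):
    """Lost probe count, loss windows, and longest outage estimate in seconds."""
    windows = loss_windows(received_sequences(log_text))
    sizes = [last - first + 1 for first, last in windows]
    return {"lost": sum(sizes), "windows": windows,
            "longest_outage_s": max(sizes, default=0) * interval_s}

if __name__ == "__main__":
    print(failover_report(SAMPLE_PING_LOG))
```

Probes lost after the last received reply are not counted, so keep the ping running until replies have resumed before stopping the capture.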

