You can deploy Palo Alto firewalls in active/passive pairs. If the active firewall fails for any reason, the passive firewall becomes active automatically with no loss of service. A failover can be triggered by any of the following:
- One or more monitored interfaces fail
- One or more specified destinations cannot be pinged by the active firewall
- The active device does not respond to heartbeat polls
You need two Palo Alto Networks firewalls of the same model. Configure the management ports, and attach the management port of each device to the network. Load licenses on each device. Make sure that the licenses match: if you have a threat license for one, you need a threat license for the other. Install the latest PAN-OS on each one, as well as the latest threat database.
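A pre-flight parity check for the prerequisites above, as an added example (not from the original post or from Palo Alto Networks): it parses saved output of `show system info` and `request license info` from each peer and lists mismatches in model, PAN-OS version, threat database and active licenses. The sample output is constructed, and the layout of the license output is an assumption.

```python
# Fields of `show system info` that the prerequisites require to match.
MUST_MATCH = ("model", "sw-version", "threat-version")

# Constructed sample output (values are made up for illustration).
SYS_A = """hostname: fw-a
model: PA-3220
sw-version: 10.1.6
threat-version: 8600-7500"""
SYS_B = SYS_A.replace("fw-a", "fw-b").replace("10.1.6", "10.1.5")
LIC_A = """License entry:
Feature: Threat Prevention
Expires: Never
Expired?: no

License entry:
Feature: PAN-DB URL Filtering
Expired?: no"""
LIC_B = LIC_A.replace("Expired?: no", "Expired?: yes", 1)  # threat license expired

def parse_system_info(text):
    """Parse 'key: value' lines; split on the first colon only."""
    info = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():
            info[key.strip()] = value.strip()
    return info

def parse_licenses(text):
    """Return {feature name: expired?} from license entries (assumed layout)."""
    licenses, feature = {}, None
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Feature":
            feature = value
            licenses[feature] = False
        elif key == "Expired?" and feature:
            licenses[feature] = value.lower() == "yes"
    return licenses

def ha_parity_issues(sys_a, lic_a, sys_b, lic_b):
    """List every prerequisite on which the two peers differ."""
    a, b = parse_system_info(sys_a), parse_system_info(sys_b)
    issues = [f"{f}: {a.get(f)} != {b.get(f)}" for f in MUST_MATCH if a.get(f) != b.get(f)]
    active_a = {f for f, expired in parse_licenses(lic_a).items() if not expired}
    active_b = {f for f, expired in parse_licenses(lic_b).items() if not expired}
    issues += [f"license '{f}' not active on both peers" for f in sorted(active_a ^ active_b)]
    return issues
```

An empty list from `ha_parity_issues` means the pair meets the model, software, threat database and license prerequisites; an expired license counts as missing.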
Today I was trying out the functionality within high availability. The outcome was positive, with only 2 pings not delivered. After today I feel like I can really trust these machines, since they are appreciably stable and reliable.