Monday, 26 January 2026

🚨 Palo Alto HA Upgrade Issue: Preemptive + Priority = Unexpected Failover



In Palo Alto Networks HA (Active/Passive), one common upgrade issue happens when HA preemptive is not disabled.
The confusion usually comes from priority values, so let’s clarify this correctly.

First, the rule (very important)
👉 Lower numeric value = Higher priority
Example:
Firewall-A → Priority 10 (higher priority)
Firewall-B → Priority 100 (lower priority)
This is the expected and correct design.
Normal operation (no problem)
Firewall-A (Priority 10) → Active
Firewall-B (Priority 100) → Passive
Preemptive → Enabled
Everything works perfectly.
Where the issue happens (during upgrade)

Step 1️⃣
Upgrade Passive firewall (Firewall-B)
✔ No traffic impact
Step 2️⃣
Manually failover traffic to Firewall-B
Firewall-B becomes Active
Step 3️⃣
Upgrade Firewall-A (higher priority device)
Firewall-A reboots
Step 4️⃣ ⚠️ (problem moment)
Firewall-A comes back online
It has higher priority (lower value)
Preemptive is still enabled

👉 Firewall-A automatically takes back Active role
Why this causes production impact
Failover happens without admin intent
Traffic switches mid-maintenance
Session drops can occur
Routing, ARP and VPN tunnels have to reconverge
Monitoring alerts fire unexpectedly
HA is behaving correctly by design; that behaviour is simply wrong in the upgrade context.
Correct upgrade best practice

✔ Disable HA Preemptive before upgrade
✔ Control failover manually
✔ Complete upgrade on both firewalls
✔ Validate traffic and HA sync
✔ Re-enable preemptive only if design requires it
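A pre-upgrade check for the preemptive + priority condition described above, as an added example that is not from the original post. It parses a constructed sample modeled on `show high-availability state` output (the field names `Election Option`, `Priority` and `Preemptive` are an assumption; verify them against your own firewall's output) and reports whether the higher-priority member will reclaim the Active role once it reboots.

```python
import re

# Constructed sample modeled on PAN-OS `show high-availability state` output.
# Field names are an assumption: compare with the real output before relying on this.
SAMPLE_HA_STATE = """\
Group 1:
  Mode: Active-Passive
  Local Information:
    State: active (last 3 days)
    Election Option:
      Priority: 10
      Preemptive: yes
  Peer Information:
    State: passive (last 3 days)
    Election Option:
      Priority: 100
      Preemptive: yes
"""

def parse_ha_state(text):
    """Return {'local': {...}, 'peer': {...}} with state, priority and preemptive flag."""
    result = {}
    # Each "<Side> Information:" block runs until the next 2-space-indented section or EOF.
    for side, body in re.findall(r"(Local|Peer) Information:\n(.*?)(?=\n  \S|\Z)", text, re.S):
        state = re.search(r"State:\s*(\w+)", body).group(1)
        priority = int(re.search(r"Priority:\s*(\d+)", body).group(1))
        preemptive = re.search(r"Preemptive:\s*(\w+)", body).group(1).lower() == "yes"
        result[side.lower()] = {"state": state, "priority": priority, "preemptive": preemptive}
    return result

def higher_priority_member(ha):
    """Lower numeric value = higher priority. Returns 'local', 'peer' or None on a tie."""
    local, peer = ha["local"]["priority"], ha["peer"]["priority"]
    if local == peer:
        return None
    return "local" if local < peer else "peer"

def preupgrade_findings(ha):
    """List the conditions that cause an unplanned failback after the upgrade reboot."""
    findings = []
    if ha["local"]["preemptive"] or ha["peer"]["preemptive"]:
        findings.append("preemptive is enabled: disable it on both members before upgrading")
    higher = higher_priority_member(ha)
    if higher and ha[higher]["preemptive"]:
        findings.append(f"{higher} member (priority {ha[higher]['priority']}) has preemption "
                        "enabled and will reclaim the Active role after its own upgrade reboot")
    return findings

if __name__ == "__main__":
    for finding in preupgrade_findings(parse_ha_state(SAMPLE_HA_STATE)):
        print("WARN:", finding)
```

Run it against the captured output of both members before step 1; an empty finding list means the reboot in step 3 cannot trigger the preemptive failback.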

Architect takeaway 🧠
HA is not just about availability.
It’s about predictability during change.
Most HA upgrade issues are not bugs —
they’re missed pre-upgrade checks.
