Just a quick note concerning session sync on a Palo Alto Networks firewall cluster: don’t trust the green HA2 bubble in the HA widget. It shows “Up” as long as the HA2 interface has link, and says nothing about whether session sync is actually working. You MUST verify the session count on the passive unit to be sure. Here are some details:

I was changing the VLANs on a few switches to which a Palo Alto cluster was plugged in (PA-500, PAN-OS 7.1.14). Though the VLANs I used for the HA2 interfaces on the switches did NOT match, the HA2 link was displayed as “Up”. And indeed, the session sync did not work, as indicated by a session count of 0 on the passive device:

Note that this is not the case for the HA1 bubble, which immediately turns red if no communication takes place. Also note that this HA2 behaviour is independent of the transport mode of the data link, which can be ethernet, ip, or udp: in all three modes the bubble only reflects the state of the interface, not of the sync traffic.

Lessons learned: you MUST verify whether session sync works. Either look at the session count in the System Resources widget on the passive device, which should be greater than 0, or run the following command (again on the passive device) a couple of times and verify that the “received” packet counters increase. A count that stays at 0 can also mean session synchronization is simply disabled in the HA2 data link settings, so check that as well:


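The two checks above, as an added example that is not part of the original post and not Palo Alto Networks code: a small Python script that compares two CLI captures taken a few seconds apart on the passive unit and reports whether sync is really flowing. It assumes the captures come from `show high-availability state-synchronization` (HA2 counters) and `show session info` (session count), and that the relevant lines read roughly “… received: <n>” and “Number of allocated sessions: <n>”. Those commands and wordings are my assumptions, not something the post states, and the sample captures inside the block are constructed for the example.

```python
"""Added example, not code from the original post or from Palo Alto Networks.

Decides from two CLI captures, taken a few seconds apart on the PASSIVE unit,
whether HA2 session sync is really flowing, i.e. the two checks the post
recommends: a "received" packet counter that increases between the samples,
and a session count greater than 0.

Assumptions (mine, not the post's):
  * Each capture is the text output of `show high-availability
    state-synchronization` (HA2 counters) followed by `show session info`
    (session count), saved to a file.
  * Counter lines look like "<label containing 'received'>: <integer>" and the
    session count like "Number of allocated sessions: <integer>". Adjust the
    two regexes if your PAN-OS version words them differently.
  * The SAMPLE_* strings below are constructed for this example, not real
    PAN-OS output.
"""
import re
import sys
from dataclasses import dataclass, field

# Any line whose label (text before the colon) mentions "received" and whose
# value is an integer: catches the HA2 packet counters without pinning the
# exact label wording.
RECEIVED_RE = re.compile(
    r"^[ \t]*(?P<name>[^:\n]*received[^:\n]*):[ \t]*(?P<val>\d+)[ \t]*$", re.I | re.M
)
SESSIONS_RE = re.compile(r"^[ \t]*Number of allocated sessions:[ \t]*(?P<val>\d+)", re.I | re.M)


@dataclass
class Snapshot:
    received: dict = field(default_factory=dict)  # HA2 "received" counters by label
    sessions: int = 0                             # sessions allocated on the passive unit


def parse_snapshot(text: str) -> Snapshot:
    """Extract the HA2 'received' counters and the session count from one capture."""
    received = {m.group("name").strip(): int(m.group("val")) for m in RECEIVED_RE.finditer(text)}
    m = SESSIONS_RE.search(text)
    return Snapshot(received, int(m.group("val")) if m else 0)


def sync_status(first: Snapshot, second: Snapshot):
    """Return (healthy, findings).

    Healthy only if at least one HA2 'received' counter grew from the first to
    the second sample AND the passive unit holds more than zero sessions. A
    green HA2 bubble with both checks failing is exactly the situation the
    post describes: link up, nothing synced.
    """
    findings = []
    grew = [n for n, v in second.received.items() if v > first.received.get(n, v)]
    if not grew:
        findings.append("no HA2 'received' counter increased between the samples: sync is not flowing")
    if second.sessions <= 0:
        findings.append("passive unit reports 0 sessions: nothing has been synced")
    return not findings, findings


# Constructed sample captures (not real PAN-OS output): HA2 link "Up" but a
# VLAN mismatch on the switch, so nothing is ever received ...
SAMPLE_BROKEN_1 = """\
HA2 transport:                 ethernet
HA2 packets sent:              0
HA2 packets received:          0
Number of allocated sessions:  0
"""
SAMPLE_BROKEN_2 = SAMPLE_BROKEN_1

# ... versus a working cluster, where the received counter and the session
# count both move between the two samples.
SAMPLE_OK_1 = """\
HA2 transport:                 ethernet
HA2 packets sent:              3
HA2 packets received:          1820
Number of allocated sessions:  412
"""
SAMPLE_OK_2 = SAMPLE_OK_1.replace("1820", "1897").replace("412", "430")


def main(argv):
    if len(argv) != 3:
        print(f"usage: {argv[0]} FIRST_CAPTURE SECOND_CAPTURE", file=sys.stderr)
        return 2
    with open(argv[1]) as f1, open(argv[2]) as f2:
        healthy, findings = sync_status(parse_snapshot(f1.read()), parse_snapshot(f2.read()))
    print("HA2 session sync OK" if healthy else "HA2 session sync BROKEN")
    for line in findings:
        print(" -", line)
    return 0 if healthy else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Save the command output from the passive unit twice, a few seconds apart, and run `python3 ha2check.py first.txt second.txt`; the non-zero exit code on failure lets the check sit in a pre-go-live script next to the failover tests.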
And of course you should test some failover scenarios before going live. ;)

For many more troubleshooting hints have a look at my CLI Commands for Troubleshooting Palo Alto Firewalls blogpost.

