Errata: Code 8.0.3h4 – Palo Alto Networks and High Availability

I recently worked with a client to configure two Nexus 3172 switches with vPC and VRRP in combination with dual Palo Alto Networks 3020s in an HA active-passive failover pair. The firewalls were running code 8.0.3h4 and the Nexus switches code 6.0.2.

Laptop 1  ==> Switch 1 ==> Firewall 1

Laptop 2  ==> Switch 2 ==> Firewall 2

We conducted the following tests:

    1. Primary firewall link failed: the secondary firewall took over and traffic passed correctly
    2. Primary firewall failed entirely: the secondary firewall took over and traffic passed correctly
    3. Primary switch failed: the secondary switch took over VRRP and traffic continued normally
      • since the link on the primary firewall failed, the secondary firewall took over and traffic passed normally
    4. Primary switch was re-introduced: the primary switch took over VRRP
      • the secondary firewall moved the sessions back to the primary firewall (preemption on)

When condition 4 happened, no traffic passed between the laptops, or between the laptops and the primary firewall. When I looked at the ARP entries on the switch, I discovered that the switch's ARP entry for the firewall was INCOMPLETE: no MAC address had been resolved for it.
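A check worth scripting for step 4 is whether the switch's ARP entry for the firewall actually resolves after failback, rather than eyeballing it. The following is an added example, not code from the original post or from Palo Alto Networks or Cisco: it parses constructed NX-OS `show ip arp` output (the addresses, VLAN and the firewall IP are hypothetical) and flags any firewall address that is missing or shown as INCOMPLETE, so the same check can be run after each of the four test steps.

```python
"""Flag unresolved (INCOMPLETE) ARP entries for a firewall HA pair.

Added example, not from the original post. SAMPLE_SHOW_IP_ARP below is
constructed to resemble NX-OS `show ip arp` output; all addresses are
hypothetical. In practice you would capture the real output after each
failover step (for example over SSH) and feed it to the same functions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Iterable, Dict

# Constructed sample: roughly what `show ip arp vlan 10` might show right
# after the primary switch is re-introduced and the firewalls fail back.
SAMPLE_SHOW_IP_ARP = """\
Flags: * - Adjacencies learnt on non-active FHRP router
       + - Adjacencies synced via CFSoE
       # - Adjacencies Throttled for Glean
       D - Static Adjacencies attached to down interface

IP ARP Table for context default
Total number of entries: 3
Address         Age       MAC Address     Interface       Flags
10.10.10.1      00:01:12  0050.5600.1a2b  Vlan10
10.10.10.11     00:00:08  INCOMPLETE      Vlan10
10.10.10.50     00:03:45  0050.5600.c0de  Vlan10
"""

# Hypothetical address of the firewall HA pair's inside interface on VLAN 10.
FIREWALL_IPS = {"10.10.10.11"}

# One ARP row: address, age, MAC (or the literal INCOMPLETE), interface,
# optional flags column.  Banner, legend and header lines do not match.
ARP_ROW = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<age>\S+)\s+"
    r"(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}|INCOMPLETE)\s+"
    r"(?P<iface>\S+)"
    r"(?:\s+(?P<flags>\S+))?\s*$"
)


@dataclass(frozen=True)
class ArpEntry:
    ip: str
    mac: Optional[str]   # None when the switch shows INCOMPLETE
    interface: str
    age: str


def parse_show_ip_arp(text: str) -> List[ArpEntry]:
    """Parse NX-OS `show ip arp` text into ArpEntry records."""
    entries = []
    for line in text.splitlines():
        m = ARP_ROW.match(line.strip())
        if not m:
            continue
        mac = None if m["mac"] == "INCOMPLETE" else m["mac"].lower()
        entries.append(ArpEntry(m["ip"], mac, m["iface"], m["age"]))
    return entries


def unresolved(entries: Iterable[ArpEntry]) -> List[ArpEntry]:
    """Entries the switch has an IP for but no resolved MAC."""
    return [e for e in entries if e.mac is None]


def firewall_arp_ok(entries: Iterable[ArpEntry], firewall_ips: Iterable[str]) -> bool:
    """True only if every firewall IP is present AND has a resolved MAC."""
    by_ip = {e.ip: e for e in entries}
    return all(ip in by_ip and by_ip[ip].mac is not None for ip in firewall_ips)


def check_failback(text: str, firewall_ips=FIREWALL_IPS) -> Dict[str, object]:
    """Summarise the firewall's ARP state after a failover/failback step."""
    entries = parse_show_ip_arp(text)
    seen = {e.ip for e in entries}
    incomplete = sorted(e.ip for e in unresolved(entries) if e.ip in firewall_ips)
    missing = sorted(ip for ip in firewall_ips if ip not in seen)
    return {
        "ok": firewall_arp_ok(entries, firewall_ips),
        "incomplete": incomplete,
        "missing": missing,
    }


if __name__ == "__main__":
    # With the constructed sample this reports the firewall as INCOMPLETE,
    # which is the symptom seen in test step 4.
    print(check_failback(SAMPLE_SHOW_IP_ARP))
```

Run the check once before step 1 to confirm a clean baseline, then after each step; a result with `"ok": False` and the firewall address under `"incomplete"` reproduces the condition described above, while a firewall address under `"missing"` means the switch never even attempted resolution for it.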

Because I have done these installations before without a problem, I started to suspect a code issue. I rolled the firewalls back to code 7.1.x and everything came back to normal; all tests passed flawlessly. I am not sure when this will be fixed, and there are many exciting things about code 8 that warrant the upgrade; however, if you have an HA pair configuration, it might be better to hold off for a bit. I will continue to test this as new code releases come out and will notify our community when this specific issue is resolved.

Written By
Usama Houlila
President and Enterprise Architect