What settings and parameters can be adjusted to fine-tune the active/active HA setup?

Created On 10/09/25 20:24 PM - Last Modified 10/10/25 16:19 PM


Question


What settings and parameters can be adjusted to fine-tune the active/active HA setup?



Environment


  • Palo Alto Networks Firewall
  • High Availability Active/Active Session Configuration


Answer


In a High Availability (HA) Active/Active (A/A) deployment, both firewalls in the HA pair are active and processing traffic simultaneously. This configuration maximizes resource utilization and throughput. However, to ensure stability and prevent issues like duplicate sessions, it is crucial to correctly configure how new sessions are established and which device "owns" and processes the traffic for that session.

  • Core Concepts

Before diving into the options, it's important to understand two distinct concepts:

    • Session Setup: This refers to the process of creating a new session in the session table. It is the initial, resource-intensive "slowpath" lookup for a flow that does not have a matching existing session. The Session Setup Rule determines which of the two firewalls will perform this task.
    • Session Owner: This refers to the firewall that is responsible for all subsequent "fastpath" processing of packets belonging to an established session. The Session Owner Selection setting determines which firewall will own the session for its entire lifetime.

While these can be configured independently, their interaction is critical to a successful A/A deployment.

  • Identify Configuration

Verify the current configuration from the firewall CLI in operational mode. The command show high-availability all displays the complete HA configuration, or you can filter its output for just the two session rules.

> show high-availability all
....
    Active-Active Mode:
      Device-id: 0
      Tentative Hold Interval: 60 sec
      Network Config Sync Virtual-Router: no
      Network Config Sync QOS: yes
      Session Owner Selection Session Processing Rule: first-packet   <<<<<<<<<
      Session Owner Selection Session Setup Rule: first-packet     <<<<<<<<<

> show high-availability all | match "Session Setup Rule"
      Session Owner Selection Session Setup Rule: first-packet

> show high-availability all | match "Session Processing Rule"
      Session Owner Selection Session Processing Rule: first-packet

  • Session Setup Rule

This is one of the most critical settings for A/A stability. It determines which firewall performs the initial, resource-intensive setup of a new session. The goal is to ensure that for any given client-to-server flow, only one firewall attempts to create the session, even if routing is asymmetric.

    • The command to change this rule in configure mode is:

# set deviceconfig high-availability group mode active-active session-owner-selection <option> session-setup <rule>

    • Rule comparison (Rule / Definition / Determinism / How It Works & Key Differences):
      • Primary Device
        • Definition: The designated Primary device handles all new session setups.
        • Determinism: Deterministic
        • How It Works: Simple and predictable. Regardless of which firewall receives the first packet, the session setup task is always handled by the Primary device. This avoids race conditions but centralizes the setup load.
      • First Packet
        • Definition: The firewall that receives the first packet of a new flow sets up the session.
        • Determinism: Non-Deterministic
        • How It Works: This method is simple but can be problematic. In asymmetrically routed networks, the client-to-server (c2s) packet might arrive at Firewall A, and the server-to-client (s2c) reply might arrive at Firewall B. If the session from A hasn't synced to B yet, B will see the reply as a "first packet" for a new flow and create a duplicate session, causing the connection to fail. This is especially common with UDP or if TCP handshake enforcement is disabled.
      • IP Modulo
        • Definition: An algorithm that performs a calculation (XOR operation) on the source and destination IP addresses to decide which firewall will set up the session.
        • Determinism: Deterministic
        • How It Works: This is a robust method for asymmetric environments. Because the calculation uses both source and destination IPs (which are sorted first), the result is the same regardless of traffic direction (c2s vs. s2c). For a given pair of hosts, the same firewall will always be chosen to set up the session, preventing duplicate sessions.
      • IP Hash
        • Definition: An algorithm that uses a hashing function on IP addresses to select the setup device. It can be configured in two modes.
        • Determinism: Varies by mode
        • Source IP Only (Non-Deterministic): Suffers from the same issues as the "First Packet" rule in asymmetric environments, as the source IP changes with traffic direction.
        • Source + Destination IP (Deterministic): The firewall first sorts the source and destination IPs before feeding them into the hash function. This ensures the same hash value is generated regardless of traffic direction (c2s vs. s2c), making it a reliable choice for preventing duplicate sessions in asymmetric networks.
    • A deterministic Session Setup Rule (Primary Device, IP Modulo, or IP Hash with Source + Destination) is critical for networks with asymmetric routing.

Additional Information


Recommended Configuration Setup

Here are recommended configuration bundles based on common customer environments.

  1. Maximum Simplicity & Predictability

This setup prioritizes ease of troubleshooting over performance load sharing.

    • Session Owner Selection: Primary Device
    • Session Setup Rule: Primary Device
    • HA Virtual Address Type: Floating IP
    • Rationale: All sessions are set up and owned by a single, predictable device. The second device acts purely as a failover unit for traffic processing. This configuration minimizes the complexities of A/A.

  2. True Load Sharing in a Symmetric Routing Environment

This setup is for maximum performance when you can guarantee that c2s and s2c traffic for a flow will always traverse the same firewall.

    • Session Owner Selection: First Packet
    • Session Setup Rule: First Packet
    • HA Virtual Address Type: ARP Load Sharing
      • Device Selection Algorithm: IP Modulo or IP Hash
    • Rationale: ARP Load Sharing with a deterministic algorithm distributes traffic from the network to both firewalls. The firewall's First Packet rule then allows whichever device receives the traffic to set up and own the session. This effectively distributes the load. This configuration is NOT recommended for asymmetric routing environments.

  3. Robust Load Sharing for Asymmetric Routing Environments

This is the most resilient A/A configuration, designed to handle the complexities of modern networks where traffic paths may not be symmetric.

    • Session Owner Selection: First Packet
    • Session Setup Rule: IP Modulo or IP Hash (Source and Destination)
    • HA Virtual Address Type: ARP Load Sharing
      • Device Selection Algorithm: Must match the Session Setup Rule (e.g., IP Modulo)
    • Rationale:
      1. ARP Load Sharing with a deterministic algorithm (e.g., IP Modulo) tells the network how to distribute traffic consistently.
      2. The matching, deterministic Session Setup Rule (IP Modulo) ensures that for any given flow, only one specific firewall is designated to perform the session setup, regardless of which firewall first sees the packet.
      3. This alignment prevents race conditions and duplicate sessions common in asymmetric environments.
      4. Once the session is created, the First Packet owner rule allows both firewalls to process their owned sessions, achieving true load sharing of the processing workload.
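The Session Setup Rule comparison in the Answer section and the Robust Load Sharing bundle above both rest on one property: a deterministic rule picks the same device-id for the c2s packet and the s2c reply, so the firewall that sees the reply hands setup to the device that already holds the session instead of creating a duplicate. The Python model below is added here as an illustration; it is not Palo Alto Networks code and does not reproduce the PAN-OS algorithm. The 32-bit XOR, the SHA-256 hash, the modulo-2 device selection and device-id 0 as the Primary device are assumptions made for the model. It runs one request/reply exchange through each rule, with the reply arriving at the other firewall before HA session sync, and counts how many sessions get created.

```python
"""Model of how the A/A Session Setup Rule behaves under asymmetric routing.

Added illustration, not Palo Alto Networks code and not the PAN-OS algorithm.
The article says IP Modulo XORs the sorted source/destination addresses and
IP Hash hashes them; the bit width, hash function and modulus used here
(32-bit addresses, SHA-256, modulo 2 for the two device-ids) are assumptions.
Only the property the article describes matters: a deterministic rule picks
the same device-id for the c2s and the s2c direction.
"""
import hashlib
import ipaddress
from dataclasses import dataclass

PRIMARY_DEVICE_ID = 0   # assumption: device-id 0 is the Primary device
NUM_DEVICES = 2         # an HA pair


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    arrives_at: int     # device-id of the firewall that receives this packet


def _ip_int(addr: str) -> int:
    return int(ipaddress.ip_address(addr))


def _sorted_pair(pkt: Packet) -> tuple[int, int]:
    """Sort the two addresses so c2s and s2c packets yield the same pair."""
    a, b = _ip_int(pkt.src), _ip_int(pkt.dst)
    return (a, b) if a <= b else (b, a)


def _hash_mod(*values: int) -> int:
    data = b",".join(str(v).encode() for v in values)
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest[:4], "big") % NUM_DEVICES


# Session Setup Rules: each returns the device-id that must set up the session.
def primary_device(pkt: Packet) -> int:
    return PRIMARY_DEVICE_ID


def first_packet(pkt: Packet) -> int:
    return pkt.arrives_at


def ip_modulo(pkt: Packet) -> int:
    a, b = _sorted_pair(pkt)
    return (a ^ b) % NUM_DEVICES


def ip_hash_source_only(pkt: Packet) -> int:
    return _hash_mod(_ip_int(pkt.src))      # the source flips with direction


def ip_hash_source_and_destination(pkt: Packet) -> int:
    return _hash_mod(*_sorted_pair(pkt))


SETUP_RULES = {
    "Primary Device": primary_device,
    "First Packet": first_packet,
    "IP Modulo": ip_modulo,
    "IP Hash (source only)": ip_hash_source_only,
    "IP Hash (source + destination)": ip_hash_source_and_destination,
}


def sessions_created(rule, c2s: Packet, s2c: Packet, synced_before_reply: bool) -> int:
    """Count sessions created for one request and its reply.

    Each device keeps its own session table. On a miss, the receiving device
    asks the rule which device must perform setup; if that device already
    holds the session, nothing new is created. If the reply arrives before
    HA session sync, the peer's table is still empty: the race the article
    describes.
    """
    tables = [set() for _ in range(NUM_DEVICES)]
    created = 0
    for pkt in (c2s, s2c):
        key = frozenset((pkt.src, pkt.dst))   # direction-agnostic flow key
        if key in tables[pkt.arrives_at]:
            continue                          # fastpath hit on this device
        setup_dev = rule(pkt)
        if key in tables[setup_dev]:
            continue                          # setup device already has it
        tables[setup_dev].add(key)
        created += 1
        if synced_before_reply:
            for table in tables:
                table.add(key)                # HA sync completed in time
    return created


# Constructed sample flow: request enters at device 0, reply returns via device 1.
C2S = Packet("10.1.1.8", "192.168.5.20", arrives_at=0)
S2C = Packet("192.168.5.20", "10.1.1.8", arrives_at=1)


def compare_rules(c2s: Packet = C2S, s2c: Packet = S2C) -> dict[str, int]:
    """Sessions created per rule when the reply races the HA sync."""
    return {name: sessions_created(rule, c2s, s2c, synced_before_reply=False)
            for name, rule in SETUP_RULES.items()}


if __name__ == "__main__":
    for name, count in compare_rules().items():
        verdict = "duplicate session" if count > 1 else "ok"
        print(f"{name:32s} sessions={count}  {verdict}")
```

Running the block prints one line per rule; First Packet creates two sessions for the asymmetric exchange, while Primary Device, IP Modulo and IP Hash (source + destination) create exactly one. The source-only hash only avoids the duplicate when the two directions happen to land on the same device, which is the dependence on traffic direction the article warns about. Setting synced_before_reply=True makes every rule produce a single session, showing that the race, not the rule alone, is what the deterministic rules protect against.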

