What is proper sequence to DISABLE HA on a firewall? Should it be passive first or active first?
Created On 11/25/25 22:22 PM - Last Modified 12/05/25 00:31 AM
Question
What is proper sequence to DISABLE HA on a firewall? Should it be passive first or active first?
Environment
- Next-Generation Firewalls (NGFW)
- Supported PAN-OS
- High Availability Active/Passive
Answer
- High Availability is disabled on one firewall of an Active/Passive HA pair when that unit needs maintenance, troubleshooting, or a component replacement.
- The goal is to safely isolate the unit needing work while the other unit remains fully operational and handles all network traffic.
- There is no fixed "passive first" or "active first" rule: HA is suspended on whichever unit the maintenance is performed on, and that unit can be either the Active or the Passive one. Suspending the Passive unit causes no failover, because the Active unit keeps forwarding traffic. Suspending the Active unit triggers a failover, so it requires the extra checks below.
- The example below assumes a standard Active/Passive HA setup in which the currently Active unit is the one taken out of service for maintenance.
Preparation and Failover
- Identify Roles: Verify the current state of both firewalls (Active vs. Passive), for example with the CLI command "show high-availability state". The maintenance will be performed on the unit you intend to take offline.
- Verify Passive Unit Health: Ensure the Passive firewall is fully synchronized (running configuration and session state), healthy (no failed link or path monitors), and ready to assume the Active role. Do not suspend the Active unit while the peer is in a non-functional or suspended state, since there would be nothing to fail over to.
- Suspend the Active firewall's HA function, either from the web interface (Device > High Availability > Operational Commands > "Suspend local device") or from the CLI with "request high-availability state suspend". This causes the HA pair to immediately transition the Passive unit into the Active role.
- Result: The former Passive unit is now Active and handling all traffic. The unit you intend to work on is now Suspended and should not be passing traffic.
Isolation and Maintenance
- Verify Traffic Flow: Confirm that the newly Active firewall is successfully forwarding all data and that the network is fully operational.
- Physically Isolate (Optional but Recommended): For maximum safety, physically disconnect or administratively disable the data ports (uplinks and downlinks) on the firewall that is now in the Suspended state. This ensures it cannot accidentally interfere with the network during maintenance.
- Perform Maintenance: Carry out the necessary work on the isolated firewall (e.g., replacing a faulty part or moving cables).
Restoration
- Reconnect the HA1 and HA2 interfaces between the HA units, if they were disconnected during the maintenance.
- Re-enable HA Functionality: Use "Make the local device functional" (Device > High Availability > Operational Commands), or the CLI command "request high-availability state functional", to restore the HA function on the maintenance unit. Because the peer is currently Active, the restored unit should come up as Passive. Note that if preemption is enabled and the restored unit has the higher priority (the lower numeric priority value), it will take the Active role back from the peer once it is functional; if that failback is not wanted, disable preemption before this step.
- Reconnect Ports: Reconnect or re-enable the data ports on the unit that just underwent maintenance.
- Final Verification: Re-verify the correct working of the network. The restored HA pair should be functioning correctly (one Active, one Passive, with the running configuration synchronized), and all network traffic should be flowing without issue through the Active firewall.
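The checks above (roles, peer health, sync state, and the preemption caveat) are exactly what an operator should confirm before typing "request high-availability state suspend" and again after "request high-availability state functional". As an added example that is not part of this article, the following Python script performs those pre-flight and post-restore checks against the XML returned by the "show high-availability state" operational command (for instance fetched through the PAN-OS XML API with type=op). The three XML samples are constructed here to resemble that output; element names such as running-sync, preemptive and priority are assumptions modeled on real output and should be checked against your own firewall before relying on them.

```python
import xml.etree.ElementTree as ET

# PAN-OS CLI commands referenced by the procedure (these commands exist in PAN-OS).
CMD_SHOW_STATE = "show high-availability state"
CMD_SUSPEND = "request high-availability state suspend"
CMD_FUNCTIONAL = "request high-availability state functional"

# Constructed sample responses, shaped like the XML API output of the command above.
def _sample(local_state, peer_state, running_sync, preemptive, local_prio, peer_prio):
    return f"""<response status="success"><result>
  <enabled>yes</enabled>
  <group>
    <mode>Active-Passive</mode>
    <local-info>
      <state>{local_state}</state>
      <priority>{local_prio}</priority>
      <preemptive>{preemptive}</preemptive>
      <running-sync>{running_sync}</running-sync>
      <state-sync>Complete</state-sync>
    </local-info>
    <peer-info>
      <state>{peer_state}</state>
      <priority>{peer_prio}</priority>
      <preemptive>{preemptive}</preemptive>
    </peer-info>
  </group>
</result></response>"""

SAMPLE_OK = _sample("active", "passive", "synchronized", "no", 100, 110)
SAMPLE_UNSYNCED = _sample("active", "passive", "synchronization in progress", "no", 100, 110)
SAMPLE_PEER_DOWN = _sample("active", "non-functional", "synchronized", "no", 100, 110)
# Restored unit came back Passive, but preemption is on and it has the better (lower) priority.
SAMPLE_PREEMPT = _sample("passive", "active", "synchronized", "yes", 90, 100)

def parse_ha_state(xml_text):
    """Extract the fields the procedure cares about from a show-high-availability-state response."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise ValueError("operational command did not succeed")
    result = root.find("result")
    if (result.findtext("enabled") or "").strip() != "yes":
        raise ValueError("HA is not enabled on this firewall")
    group = result.find("group")
    local, peer = group.find("local-info"), group.find("peer-info")
    text = lambda node, tag, default="": (node.findtext(tag) or default).strip().lower()
    return {
        "mode": text(group, "mode"),
        "local_state": text(local, "state"),
        "peer_state": text(peer, "state"),
        "running_sync": text(local, "running-sync"),
        "preemptive": text(local, "preemptive") == "yes",
        "local_priority": int(text(local, "priority", "0")),
        "peer_priority": int(text(peer, "priority", "0")),
    }

def preflight_suspend(xml_text):
    """Is it safe to run CMD_SUSPEND on the LOCAL unit? Returns (ok, problems, warnings)."""
    s = parse_ha_state(xml_text)
    problems, warnings = [], []
    if s["mode"] != "active-passive":
        problems.append(f"mode is {s['mode']}, procedure assumes Active/Passive")
    if s["local_state"] == "active":
        # Suspending the Active unit forces a failover, so the peer must be able to take over.
        if s["peer_state"] != "passive":
            problems.append(f"peer is '{s['peer_state']}', not passive: nothing healthy to fail over to")
        if s["running_sync"] != "synchronized":
            problems.append(f"running config is '{s['running_sync']}', not synchronized")
    elif s["local_state"] == "passive":
        # Suspending the Passive unit causes no failover; only the Active peer must be healthy.
        if s["peer_state"] != "active":
            problems.append(f"peer is '{s['peer_state']}', not active")
    else:
        problems.append(f"local unit is already '{s['local_state']}'")
    if s["preemptive"] and s["local_priority"] < s["peer_priority"]:
        warnings.append("preemption enabled and local priority is better: local will take Active "
                        "back after CMD_FUNCTIONAL unless preemption is disabled")
    return (not problems), problems, warnings

def verify_restored(xml_text):
    """After CMD_FUNCTIONAL: pair must be one Active, one Passive, and synchronized."""
    s = parse_ha_state(xml_text)
    roles_ok = {s["local_state"], s["peer_state"]} == {"active", "passive"}
    return roles_ok and s["running_sync"] == "synchronized"

if __name__ == "__main__":
    for name, sample in [("ok", SAMPLE_OK), ("unsynced", SAMPLE_UNSYNCED),
                         ("peer-down", SAMPLE_PEER_DOWN), ("preempt", SAMPLE_PREEMPT)]:
        ok, problems, warnings = preflight_suspend(sample)
        print(name, "suspend-safe" if ok else "BLOCKED", problems, warnings)
```

The script only reads state and returns a verdict; issuing the suspend or functional command is left to the operator, which keeps the failover itself a deliberate, human-confirmed step.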