Palo Alto HA Configuration

In Palo Alto Networks firewall high availability (HA) configurations, the “passive link state” setting refers to how the interfaces on the passive (secondary) firewall behave when the firewall is in the passive state. There are typically two options for configuring the passive link state:

Palo Alto Passive Link State

Shutdown: When the passive link state is set to “shutdown”, the interfaces on the passive firewall are administratively shut down. This means that they are effectively turned off and do not participate in any network traffic. This setting ensures that there is no risk of network traffic passing through the passive firewall unintentionally. It also prevents potential issues that may arise from having interfaces in an active but unmanaged state.

Auto: When the passive link state is set to “auto”, the interfaces on the passive firewall remain up but do not pass traffic. They sit in standby, ready to assume control if a failover event occurs. Because the interfaces are already up and operational, the transition to active status during failover is faster.

These settings allow administrators to control how the passive firewall behaves when it is not actively participating in the network traffic. The choice between “shutdown” and “auto” depends on the specific requirements of the network and the HA configuration.
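To check which of the two settings a firewall is actually using, the exported configuration can be audited offline. The script below is an added example, not code from the original page or from Palo Alto Networks; the XML layout of the sample (a `passive-link-state` element nested under `high-availability`) is an assumption and should be verified against your own export.

```python
import xml.etree.ElementTree as ET

# Constructed sample: trimmed fragment shaped like an exported firewall config.
# The element layout is an assumption; compare it with a real export before use.
SAMPLE_CONFIG = """
<config>
  <devices>
    <entry name="localhost.localdomain">
      <deviceconfig>
        <high-availability>
          <enabled>yes</enabled>
          <group><mode><active-passive>
            <passive-link-state>auto</passive-link-state>
          </active-passive></mode></group>
        </high-availability>
      </deviceconfig>
    </entry>
  </devices>
</config>
"""

# Behaviour of each value, as described in the text above.
NOTES = {
    "shutdown": "passive interfaces are shut down; no traffic can pass through them",
    "auto": "passive interfaces stay up in standby; faster transition at failover",
}

def audit_passive_link_state(xml_text):
    """Return (device, value, note) for every device entry that has an HA section."""
    root = ET.fromstring(xml_text)
    findings = []
    for device in root.iter("entry"):
        ha = device.find(".//high-availability")
        if ha is None:
            continue  # this entry has no HA configuration below it
        node = ha.find(".//passive-link-state")
        value = node.text.strip().lower() if node is not None and node.text else None
        if value is None:
            note = "not set explicitly; the platform default applies"
        else:
            note = NOTES.get(value, "unrecognized value; review manually")
        findings.append((device.get("name"), value, note))
    return findings

if __name__ == "__main__":
    for name, value, note in audit_passive_link_state(SAMPLE_CONFIG):
        print(f"{name}: passive-link-state={value} ({note})")
```

Run against the configuration of both HA peers, this makes it easy to confirm that the pair agrees on the setting the network design calls for.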
