Ensure ‘Passive Link State’ and ‘Preemptive’ are configured appropriately – Election Settings

Details

Set the Passive Link State to auto, and uncheck the Preemptive option to disable it.

Rationale:

Simultaneously enabling the ‘Preemptive’ option and setting the ‘Passive Link State’ option to ‘Shutdown’ could cause a ‘preemptive loop’ if Link and Path Monitoring are both configured. This will negatively impact the availability of the firewall and network services, should a monitored failure occur.

Solution

To set Active/Passive Settings correctly:
Navigate to Device > High Availability > General > Active/Passive Settings.
Set Passive Link State to auto.

To set Election Settings correctly:
Navigate to Device > High Availability > Election Settings.
Set Preemptive to be disabled.

Impact:

Incorrectly configuring this setting will adversely affect availability, rather than positively affect it.

Default Value:
Not Configured
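
The two settings above can also be checked offline against an exported configuration file. The following is an added example, not part of the benchmark or of any vendor tooling; the element names (high-availability, passive-link-state, preemptive) and the yes/no and auto/shutdown values are assumptions about the exported XML layout and should be confirmed against your own export, and the sample configuration is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample export. Element names are assumed to match the firewall's
# high-availability config tree; confirm them against your own exported XML.
SAMPLE_CONFIG = """
<config><devices><entry name="localhost.localdomain"><deviceconfig>
  <high-availability><enabled>yes</enabled><group>
    <mode><active-passive>
      <passive-link-state>shutdown</passive-link-state>
    </active-passive></mode>
    <election-option><preemptive>yes</preemptive></election-option>
  </group></high-availability>
</deviceconfig></entry></devices></config>
"""

def _text(ha, tag):
    """Return the lower-cased text of the first <tag> below ha, or None."""
    node = ha.find(f".//{tag}") if ha is not None else None
    return node.text.strip().lower() if node is not None and node.text else None

def audit_ha_election(xml_text):
    """Check the two settings this control covers and return a findings dict."""
    ha = ET.fromstring(xml_text).find(".//high-availability")
    link_state = _text(ha, "passive-link-state")
    preemptive = _text(ha, "preemptive")
    findings = []
    # A missing element is reported as "not configured" and fails the check.
    # That is a conservative choice made by this example.
    if link_state != "auto":
        findings.append(
            f"Passive Link State is {link_state or 'not configured'}, expected auto")
    if preemptive != "no":
        findings.append(
            f"Preemptive is {preemptive or 'not configured'}, expected no (disabled)")
    return {
        "passive_link_state": link_state,
        "preemptive": preemptive,
        # The combination the rationale warns can cause a preemptive loop.
        "preemptive_loop_risk": preemptive == "yes" and link_state == "shutdown",
        "compliant": not findings,
        "findings": findings,
    }

if __name__ == "__main__":
    result = audit_ha_election(SAMPLE_CONFIG)
    for line in result["findings"]:
        print("FAIL:", line)
    print("preemptive loop risk:", result["preemptive_loop_risk"])
```
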

Supportive Information

The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: System and Information Integrity. This control applies to the following type of system: Palo_Alto.

Updated on July 16, 2022