is there a question?  PAN auto failover is generally a bad idea, unless you have zero support staff and rely on ISE to look after itself to ensure that there is always an admin portal to access (in case the preferred, primary node is offline).  There will always be times when the Primary admin node will be offline for a while (e.g. patching and upgrading or other reasons) - but that might not be a good enough reason to promote the Secondary. Secondary promotion is a very slow process (whether done manually or automatically). If your admin node is down for many hours and you need GUI access, then just promote the Secondary manually. Don't let the timers dictate when that will happen, because it might not be in your favour to do so.

When a failover has occurred, then ISE admin users will also need to know the URL of the new Primary node, unless you have some smart dynamic DNS system that can test which ISE node is the Primary, and set the DNS CNAME accordingly - I am thinking of the F5 GTM for example. Therefore, Auto Failover can also cause a great deal of confusion if this is not handled in a smart way either.