Prerequisites for Active/Active HA
Updated on
Fri Apr 19 00:02:55 UTC 2024
To set up active/active HA on your firewalls, you need a pair of firewalls that meet the following requirements:

- The same model: The firewalls in the pair must be of the same hardware model.
- The same PAN-OS version: The firewalls must be running the same PAN-OS version and must each be up-to-date on the application, URL, and threat databases.
- The same multi virtual system capability: Both firewalls must have Multi Virtual System Capability either enabled or not enabled. When enabled, each firewall requires its own multiple virtual systems licenses.
- The same type of interfaces: Dedicated HA links, or a combination of the management port and in-band ports that are set to interface type HA.
  - The HA interfaces must be configured with static IP addresses only, not IP addresses obtained from DHCP (except AWS can use DHCP addresses).
  - Determine the IP address for the HA1 (control) connection between the HA peers. The HA1 IP address for the peers must be on the same subnet if they are directly connected or are connected to the same switch.
    For firewalls without dedicated HA ports, you can use the management port for the control connection. Using the management port provides a direct communication link between the management planes on both firewalls. However, because the management ports will not be directly cabled between the peers, make sure that you have a route that connects these two interfaces across your network.
  - If you use Layer 3 as the transport method for the HA2 (data) connection, determine the IP address for the HA2 link. Use Layer 3 only if the HA2 connection must communicate over a routed network. The IP subnet for the HA2 links must not overlap with that of the HA1 links or with any other subnet assigned to the data ports on the firewall.
  - Each firewall needs a dedicated interface for the HA3 link. The PA-7000 Series firewalls use the HSCI port for HA3. The PA-5200 Series firewalls can use the HSCI port for HA3 or you can configure aggregate interfaces on the dataplane ports for HA3 for redundancy. On the remaining platforms, you can configure aggregate interfaces on dataplane ports as the HA3 link for redundancy.
- The same set of licenses: Licenses are unique to each firewall and cannot be shared between the firewalls. Therefore, you must license both firewalls identically. If both firewalls do not have an identical set of licenses, they cannot synchronize configuration information and maintain parity for a seamless failover.

If you have an existing firewall and you want to add a new firewall for HA purposes and the new firewall has an existing configuration, it is recommended that you Reset the Firewall to Factory Default Settings on the new firewall. This will ensure that the new firewall has a clean configuration. After HA is configured, you will then sync the configuration on the primary firewall to the newly introduced firewall with the clean config. You will also have to configure local IP addresses.
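As an added example (not Palo Alto Networks code), the following Python check runs a planned pair against the prerequisites above before any HA configuration is applied. The dictionary keys, firewall names, addresses, versions, and license names are constructed for illustration and are not a PAN-OS schema; `ha2` is set only when HA2 uses Layer 3 transport.

```python
import ipaddress

# Attributes that must be identical on both peers (keys are hypothetical).
MUST_MATCH = (("model", "hardware model"), ("panos_version", "PAN-OS version"),
              ("multi_vsys", "Multi Virtual System Capability"),
              ("licenses", "license set"))

def check_ha_prerequisites(fw_a, fw_b, ha1_same_segment=True):
    """Return a list of prerequisite violations for a planned active/active pair."""
    problems = [f"{label} mismatch" for key, label in MUST_MATCH
                if fw_a[key] != fw_b[key]]
    for fw in (fw_a, fw_b):
        # Static addressing only; the page exempts AWS, which may use DHCP.
        if fw["ha_addressing"] != "static" and not fw.get("on_aws", False):
            problems.append(f"{fw['name']}: HA interfaces must use static IP addresses")
    ha1 = {fw["name"]: ipaddress.ip_interface(fw["ha1"]).network
           for fw in (fw_a, fw_b)}
    # HA1 peers share a subnet when directly connected or on the same switch.
    if ha1_same_segment and ha1[fw_a["name"]] != ha1[fw_b["name"]]:
        problems.append("HA1 addresses are not on the same subnet")
    for fw in (fw_a, fw_b):
        if fw.get("ha2") is None:  # HA2 is not using Layer 3 transport
            continue
        ha2_net = ipaddress.ip_interface(fw["ha2"]).network
        # HA2 must not overlap this firewall's HA1 subnet or any data-port subnet.
        used = [ha1[fw["name"]]] + [ipaddress.ip_network(n)
                                    for n in fw["data_subnets"]]
        problems += [f"{fw['name']}: HA2 subnet {ha2_net} overlaps {net}"
                     for net in used if ha2_net.overlaps(net)]
    return problems

# Constructed sample inventory (all values are illustrative).
FW_A = {"name": "fw-a", "model": "PA-5220", "panos_version": "11.0.2",
        "multi_vsys": False, "licenses": {"threat", "url"},
        "ha_addressing": "static", "ha1": "10.0.0.1/30",
        "ha2": "10.0.1.1/30", "data_subnets": ["192.0.2.0/24"]}
GOOD_B = dict(FW_A, name="fw-b", ha1="10.0.0.2/30", ha2="10.0.1.2/30")
BAD_B = dict(GOOD_B, panos_version="11.0.1", licenses={"threat"},
             ha1="10.0.4.2/30", ha2="192.0.2.9/30")

if __name__ == "__main__":
    for issue in check_ha_prerequisites(FW_A, BAD_B):
        print("FAIL:", issue)
```
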