How To Configure High Availability On PAN
PAN-OS
Overview
This document describes how to configure High Availability (HA) on a pair of
identical Palo Alto Networks firewalls.
Note: This document does not address configuring HA for PA-200 devices.
Steps
Configure First Device
1. Go to Network tab > Interfaces.
Note: The HA links should look similar to the following screenshot.
2. Go to Device tab > High Availability > Setup and enable HA:
a. Assign a cluster ID.
b. Enter the Peer HA IP address (the IP address assigned to the other
firewall's Control Link).
c. Enable Config Sync.
3. Choose the first HA interface to be used for the first device's Control
Link.
a. Enter an IP address that is on the same subnet as the Peer HA IP
address configured in step 2.
o If the Control Link is not directly connected to the other firewall, you
may want to enable encryption (AES-256).
o A gateway needs to be configured only if the Control Link IPs are on
separate broadcast domains; otherwise it is not needed.
4. From the General tab, locate the Data Link section and click Primary:
a. To learn about all of the other settings here, click the ? in the top right
corner for detailed explanations.
b. When state synchronization is enabled, the session table, forwarding
table, ARP table, and VPN Security Associations (SAs) are copied
from the active device to the passive device over HA2. When the
passive device takes over, existing sessions continue.
c. If the devices have IP connectivity between the management IPs, it is
recommended to enable Heartbeat Backup, which sends pings over
the management interface.
6. Commit the configuration.
At this point, every Layer 3 interface gets a new (shared) MAC address, and
multiple gratuitous ARPs are sent out of each Layer 3 interface, informing
the attached switches of the new IP/MAC combination.
Configure Second Device
9. Go to the setup section of the Peer Device and enable HA. Refer to
step 2.
a. Assign the same cluster ID as on the other device.
b. Enter the IP address assigned to the other firewall's Control Link.
c. Enable Config Sync.
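The Setup and Control Link settings from steps 2, 3 and 9 have to agree on both firewalls before the pair will form. The following is an added example, not code from the Palo Alto Networks document: a small consistency check that applies the rules stated above (matching cluster ID, Peer HA IP equal to the other firewall's Control Link address, a gateway only when the Control Link IPs are on separate broadcast domains, encryption when the link is not directly connected, Config Sync enabled). The field names are assumptions made for this example rather than PAN-OS configuration keys, and the sample addresses are constructed.

```python
# Added example, not code from the Palo Alto Networks document: a consistency
# check for the HA Setup and Control Link (HA1) settings described in steps 2,
# 3 and 9. Field names are assumptions made for this example, not PAN-OS
# configuration keys; the sample values are constructed.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface
from typing import List, Optional


@dataclass
class HaPeerConfig:
    name: str
    cluster_id: int             # cluster (group) ID from Device > High Availability > Setup
    peer_ha_ip: str             # Peer HA IP address entered in Setup
    ha1_address: str            # this firewall's Control Link address, e.g. "10.0.0.1/24"
    ha1_gateway: Optional[str]  # only needed when HA1 peers sit on separate broadcast domains
    ha1_encryption: bool        # AES-256 on the Control Link
    directly_connected: bool    # HA1 cabled straight to the peer firewall
    config_sync: bool


def check_ha_pair(first: HaPeerConfig, second: HaPeerConfig) -> List[str]:
    """Return findings for the pair; an empty list means the settings are consistent."""
    findings: List[str] = []
    if first.cluster_id != second.cluster_id:
        findings.append(
            f"cluster ID mismatch: {first.name}={first.cluster_id}, "
            f"{second.name}={second.cluster_id}"
        )
    for local, remote in ((first, second), (second, first)):
        local_if = IPv4Interface(local.ha1_address)
        remote_if = IPv4Interface(remote.ha1_address)
        # The Peer HA IP must be the address actually assigned to the other
        # firewall's Control Link.
        if IPv4Address(local.peer_ha_ip) != remote_if.ip:
            findings.append(
                f"{local.name}: peer HA IP {local.peer_ha_ip} is not "
                f"{remote.name}'s Control Link address {remote_if.ip}"
            )
        same_subnet = remote_if.ip in local_if.network
        if same_subnet and local.ha1_gateway:
            findings.append(f"{local.name}: HA1 gateway set but the peer is on the same subnet; not needed")
        if not same_subnet and not local.ha1_gateway:
            findings.append(f"{local.name}: HA1 peer is on a separate broadcast domain; a gateway is required")
        # Encryption is the recommendation when the link is not a direct cable.
        if not local.directly_connected and not local.ha1_encryption:
            findings.append(f"{local.name}: Control Link is not directly connected; enable AES-256 encryption")
        if not local.config_sync:
            findings.append(f"{local.name}: Config Sync is disabled")
    return findings


# Constructed sample pair: directly cabled HA1 on a shared /24, so no gateway
# and no encryption are required.
FW_A = HaPeerConfig("fw-a", 1, "10.0.0.2", "10.0.0.1/24", None, False, True, True)
FW_B = HaPeerConfig("fw-b", 1, "10.0.0.1", "10.0.0.2/24", None, False, True, True)

if __name__ == "__main__":
    for finding in check_ha_pair(FW_A, FW_B) or ["no findings"]:
        print(finding)
```

Run it against the two firewalls' intended settings before committing; each finding names the device and the setting to correct.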
10. From the General tab, locate the Control Link section and click on Primary.
11. From the General tab, locate the Data Link section and click on Primary:
12. Replicate the settings from the first device, with the exception of
Preemptive, which is enabled only on the first device:
13. Ensure the first device still shows as active and sees the peer device
as passive.
a. Ensure all dynamic updates are synced.
b. In this example, Antivirus and GlobalProtect are not synced.
15. Update as needed so everything matches, as shown below:
17. Go to the second (passive) device's CLI and check the HA sync process by
running:
> show jobs all
The first two attempts failed. Determine and fix the cause of the failure.
There is a security rule on the passive device named Samir that is causing
the HA-Sync process to fail. The rule is a shared rule from a previous
Panorama configuration.
Delete the rule and run Sync to peer again from the active device's
Dashboard tab. The job finished successfully this time:
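Reading the job list by eye works for one firewall; the following is an added example, not code from the document, that pulls the HA-Sync jobs out of the text of `show jobs all` and reports which ones failed, so a sync failure like the one above is noticed before a failover is relied upon. The sample output is constructed for this example and only approximates the real column layout, which is why the parser keys on the job type token and the Status and Result tokens that follow it rather than on fixed column offsets (an assumption about the layout, not a documented format).

```python
# Added example, not code from the document: find HA-Sync jobs in the text of
# `show jobs all` and report which ones failed. The sample output below is
# constructed for this example and only approximates the real column layout,
# so the parser keys on the job type token and the Status and Result tokens
# that follow it rather than on fixed column offsets (an assumption about the
# layout, not a documented format).
from typing import Dict, List

# Constructed sample: two failed HA-Sync attempts, then a successful one.
SAMPLE_SHOW_JOBS_ALL = """\
Enqueued            Dequeued     ID  PositionInQ   Type      Status Result Completed
-------------------------------------------------------------------------------------
2014/02/14 11:02:23 11:02:23    121                HA-Sync   FIN    FAIL   11:02:25
2014/02/14 11:05:40 11:05:40    122                HA-Sync   FIN    FAIL   11:05:42
2014/02/14 11:09:01 11:09:01    123                HA-Sync   FIN    OK     11:09:04
2014/02/14 11:09:30 11:09:30    124                Commit    FIN    OK     11:10:12
"""


def parse_jobs(output: str, job_type: str = "HA-Sync") -> List[Dict[str, str]]:
    """Return one dict per job line of the given type, in the order listed."""
    jobs: List[Dict[str, str]] = []
    for line in output.splitlines():
        tokens = line.split()
        if job_type not in tokens:
            continue
        i = tokens.index(job_type)
        if i < 4 or len(tokens) < i + 3:
            continue  # header or truncated line: no ID, Status or Result to read
        jobs.append({
            "id": tokens[3],          # follows the two Enqueued tokens and Dequeued
            "type": job_type,
            "status": tokens[i + 1],
            "result": tokens[i + 2],
        })
    return jobs


def failed_jobs(output: str, job_type: str = "HA-Sync") -> List[str]:
    """IDs of finished jobs of the given type whose Result is not OK."""
    return [j["id"] for j in parse_jobs(output, job_type)
            if j["status"] == "FIN" and j["result"] != "OK"]


def latest_sync_ok(output: str) -> bool:
    """True when the most recent HA-Sync job finished with Result OK."""
    jobs = parse_jobs(output)
    return bool(jobs) and jobs[-1]["status"] == "FIN" and jobs[-1]["result"] == "OK"


if __name__ == "__main__":
    print("failed HA-Sync job IDs:", failed_jobs(SAMPLE_SHOW_JOBS_ALL))
    print("latest sync OK:", latest_sync_ok(SAMPLE_SHOW_JOBS_ALL))
```

Paste the real CLI output in place of the constructed sample; `latest_sync_ok` is the value to watch after each Sync to peer, and `failed_jobs` lists the job IDs to look up for the cause.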
18. Go to Device tab > High Availability > Link and Path Monitoring tab.
a. In this example, all links are monitored. This means that if any link
on the active device goes down, a failover occurs.
b. In this example, Path Monitoring is not configured.
c. Click the ? button in the top right corner of the Link and Path
Monitoring tab to read about Link Monitoring and Path Monitoring.