How to Configure High Availability on

PAN-OS
Overview
This document describes how to configure High Availability (HA) on a pair of
identical Palo Alto Networks firewalls.
Note: This document does not address configuring HA for PA-200 devices.

Steps
Configure First Device
1. Go to Network tab > Interfaces.

Notes:
The HA links should look similar to the following screenshot.

a. Confirm the planned HA links are up.

b. Configure both interfaces to be Interface Type HA.
o Skip this step if configuring a pair of PA-3000, PA-4000 or PA-5000
Series devices. All other firewalls, including VM-Series, require
specific ports to be configured as type HA.

2. Go to Device tab > HIgh Availability > General.

Notes:
.
a.
b.
c.
d.

Locate the setup section.

Click on the gear cog to view/edit the settings.
Enable HA.
Enter a group ID that matches both members.
Enter an IP address for the Peer's Control LInk. This will be used in
the next step.
e. Enable Config Sync.
o The cluster ID is used when creating the virtual MAC for L3
instances. When more than one cluster is on the same L2 network,
the ID must be different on each cluster.
o The Peer HA IP Address (Control Link) can be any IP address that
isn't being used currently in the network.
o It is recommended to add a Backup Peer HA IP Address if there are
enough free ports.
3. From the General tab, locate the Control Link section and click on Primary.

Notes:
. Choose the first HA interface to be used for the first device's Control
Link.
a. Ener an IP address that is on the same subnet as the Peer HA IP
address, configured in step 2.
o If the Control Link is not directly connected to the other firewall, you
may want to enable encryption (AES-256).
o If the Control Link IPs are on separate broadcast domains, only the
gateway needs to be configured, otherwise it's not needed.
4. From the General tab, locate the Data Link section and click Primary:

Notes: Transport Methods

. Choose the other HA interface to be used for the Data Link.
a. Configure the IP information for the Data Link.

b. Ensure the Enabled box is checked.

o Ethernet: Use when the firewalls are connected back-to-back or
through a switch (Ethertype 0x7261).
o IP: Use when Layer 3 transport is required (IP protocol number 99).
o UDP: Use to take advantage of the fact the checksum is calculated
on the entire packet rather than just the header, as in the IP option
(UDP port 29281).
5. From the General tab, locate the Election Settings section, and click the
gear cog:

. To specify one of the firewalls as active, enable Preemptive on both

firewalls and set the Device Priority.
The device with the lowest Device Priority is the active device.

a. To learn about all of the other settings here, click the ? in the top right
corner for detailed explanations.
b. When state synchronization is enabled; the session table, forwarding
table, ARP table, and VPN Security Associations (SAs) are copied
from the active device to the passive device over HA2. When the
passive device takes over, existing sessions will continue.
c. If the devices have IP connectivity between the management IPs, it is
recommended to enable the Heartbeat Backup, which send pings
over the management interface.
6. Commit the configuration.
At this point, any Layer3 interface gets a new (shared) MAC address, and
multiple gratuitous ARPs are sent out to each layer3 interface informing the
attached switches of the new IP/MAC combination.

7. Confirm the HA is active on the local firewall.

The firewalls status should show active and the other values should be
unknown, as shown below:

. Go to the Dashboard tab.

a. Add the High Availability widget.
b. Widgets > System > High Availability.
8. Configure the Peer Device.
9. Refer to step 1, ensure the Peer device has two HA links configured to
communicate to the first devices HA links.

. Go to the setup section of the Peer Device and enable HA. Refer to
step 2.
a. Assign the same cluster ID as on the other device.
b. Enter the IP address assigned to the other firewalls Control Link.
c. Enable Config Sync.
10. From the General tab, locate the Control Link section and click on Primary.

Note: If encryption is enabled on the First device, enable it here as well.

a. Chooe the first HA interface to be used for the Second Devices
Control Link.
b. Enter an IP address that is on the same subnet as the Peer HA IP
address configured in Step 8.

11. From the General tab, locate the Data Link section and click on Primary:

A.
B.
C.
D.

Choose the other HA interface to be used for the Data Link.

Configure the IP information for the Data Link.
Ensure the Enabled box is checked.
Ensure the Transport drop-down matches the first devices
configuration.

12. Replicate the settings on the First device with the exception of enabled
Preemptive on the First device:

For this configuration, Preemptive is off.

. Enable Preemptive.
a. Configure the priority field. A higher number means lower priority.
13. Commit the changes on the Second device:

14. Go to the first device.

. Ensure it still shows as active and it sees the peer device as passive.
a. Ensure all dynamic updates are synced.
b. In this example Antivirus and GlobalProtect are not synced.
15. Update as needed so everything matches, as shown below:

16. Once everything matches on both devices, go to the active member's

Dashboard tab and click Sync to peer. It should say synchronization in
progress.

17. Go to the second (passive) device's CLI and check the HA sync process by
running:
> show jobs all
The first two attempts failed. Determine and fix the cause of the failure.

18. To get more details on the failed job, run:

> show jobs id <id number of the HA-Sync job>
The first sync failure is ID 13.

There is a security rule on the passive device named Samir thats causing
the HA-Sync process to fail. The rule is a shared rule from a previous
Panorama configuration.
Delete the rule and run the Sync to peer again from the Active Devices
Dashboard tab. The job finished successfully this time:

High Availability is configured.

19. Configure Link Monitoring and Path Monitoring (optional):

. Device tab > High Availability > Link and Path Monitoring tab.
a. In this example, monitoring all links. This means, if any link state
goes down on the active device a failover occurs.
b. In this example, Path Monitoring is not configured.
c. Click the ? button, in the top right corner of the Link and Path
Monitoring tab, to read about Link Monitoring and Path Monitoring.