>
    Strata Copilot
    Cluster Management
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma AIRS
    3. Administration
    4. Prisma AIRS as a Firewall - Hyperscale Security Fabric
    5. Deploy and Manage Prisma AIRS HSF Clusters on KVM
    6. Cluster Management
    Download PDF
    Prisma AIRS

    Cluster Management

    Table of Contents

    Cluster Management

    Learn about the horizontal and vertical scaling of nodes in a KVM HSF cluster.
    Where Can I Use This?What Do I Need?
    • Prisma® AI Runtime Security™
    • PAN-OS® 12.1.5 & later
    • A controller or a VM to apply terraforms with SSH key authentication for KVM host root access
    Horizontal Scale Out (Add Node):
    1. Log in to SCM and navigate to Insights > Deployment.
    2. Select Private Cloud KVM and select Modify an Existing Firewall Cluster.
    3. Select the HSF cluster you wish to modify and click Next.
    4. Modify the parameters you wish to change such as Number of vCPUs, memory, image path and so on.
    5. Click Create Terraform Template and then Download Terraform template.
      The parameters that are greyed out are not modifiable. You may choose to Clone an existing Terraform as a template.
    6. Download the new, updated ZIP file from SCM.
    7. Unzip and overwrite existing files in the deployment directory, preserving .tfstate.
    8. Navigate to the new node's directory and run terraform init, terraform plan, terraform apply.
      • Avoid running terraform apply on the folder containing nodes that are already deployed. This operation is not supported for existing deployments.
      • You can also use the deploy-cluster.sh script for this if using the remote deployment. This script is not relevant for local deployments.

    Horizontal Scale In (Delete Node)

    Deleting a node requires you to:
    • Manually delicense the firewall
    • Manually remove the node from the Panorama
    Execute the following steps in the order listed below:
    1. Manually delicense the firewall - You can manually delicense the firewall using the Licensing API key through UI or CLI:
      • UI - De-licensing requires the 'Licensing API' key to be configured on the Panorama. This key can be obtained from CSP.
      • CLI - Execute the command:
        request batch license deactivate VM-Capacity mode auto devices <serial-number>
    2. Note Serial Number - Record the serial number of the node to be deleted.
    3. Terraform Destroy - Navigate to the respective node's directory and run terraform destroy.
      All terraform commands need to be executed by sudo user.
    4. Cleanup:
      1. Delete Folder: Remove the respective node folder from the local system.
      2. Update SCM: Remove the node from the SCM template configuration.
      3. Panorama/CSP Cleanup: Manually remove the node from Panorama (device group, template stack, log collector group, cluster, mgt-config) using the following commands:
        Execute the following commands in configure mode.
        delete device-group <device-group-name> devices <serial-number>
        delete template-stack <template-stack-name> devices <serial-number>
        delete log-collector-group <lc-name> devices <serial-number>
        delete mgt-config devices <serial-number>
        delete cluster <cluster-name> devices <serial-number>
        commit
    5. Release CSP Credits: Manually release the credits associated with the deleted node's serial number.

    Cluster Delete

    The cluster can be deleted using:
    • Local Deployment - To remove all cluster nodes, follow the same steps as for a Horizontal Scale In. This involves:
      1. Delicensing
      2. Panorama cleanup
      3. Running terraform destroy sequentially within each folder
    • Instead of running terraform destroy in each folder (as in step 3 for local deployment), execute the script ./deploy_cluster.sh destroy. This script will perform the terraform destroy operation for all nodes and provide a final summary.
    Additionally, after all references on Panorama have been removed, execute the delete cluster command to finalize the removal of the cluster. This deletion can also be performed through the UI, followed by a commit to Panorama.
    delete cluster <cluster-name>
    commit

    Vertical Scaling (Resource Update)

    1. Power off the KVM instance for the node.
    2. Manually modify vCPU, memory, or network interface parameters on the KVM host using the virt-manager or CLI.
    3. Power on the KVM instance.
    4. Update corresponding parameters in the SCM template for consistency.
    Applying Terraform after changing variables such as vCPU or memory is not recommended. Doing so may not only prevent the changes from taking effect but could also result in the destruction of the cluster.

    Interface Attachor Detach (P-Nodes Only)

    1. Power off the VM.
    2. Manually attach or detach interfaces using libvirt commands.
    3. Power on the VM.

    Upgrade or Downgrade Software

    1. Ensure all existing nodes have transitioned to the new image through the Panorama update process.
    2. Update the SCM template with the new image name.
    3. New nodes added through SCM will use the new image; existing nodes will need to be manually upgraded, one node upgrade at a time, starting with lowest node1 and going to next node ID through Panorama > Managed devices.

    © 2026 Palo Alto Networks, Inc. All rights reserved.