>
    Strata Copilot
    Configure ISE Servers as an HA Pair
    Focus
    Download PDF
    Focus
    1. Home
    2. Device Security
    3. Device Security Integration Guide
    4. Network Access Control
    5. Integrate Device Security with Cisco ISE
    6. Configure ISE Servers as an HA Pair
    Download PDF
    Device Security

    Configure ISE Servers as an HA Pair

    Table of Contents

    Configure ISE Servers as an HA Pair

    Put Cisco ISE servers in an active/standby HA pair to provide redundancy.
    Where Can I Use This?What Do I Need?
    • Device Security (Managed by Strata Cloud Manager)
    • (Legacy) IoT Security (Standalone portal)
    One of the following subscriptions:
    • Device Security subscription for an advanced Device Security product (Enterprise Plus, Industrial OT, or Medical)
    • Device Security X subscription
    One of the following Cortex XSOAR setups:
    • A free, cohosted, limited-featured Cortex XSOAR instance
      AND
      A free Cortex XSOAR Engine (on-premises integration)
    • A full-featured Cortex XSOAR server
    Device Security uses the term "active" and Cisco uses the term "primary" to refer to the node in an HA pair that is in active mode and processing data. Device Security uses the term "standby" and Cisco uses the term "secondary" to refer to the node that is in passive mode waiting to take over if the active node fails.
    The Device Security terms "primary" and "secondary" refer to two ISE instances to which Device Security sends device attributes. The primary instance, which can be a single ISE server or HA pair, is the one taking action on the data it receives. The secondary instance, which can also be a single ISE server or HA pair, receives the data but typically does not act upon it. In this case, the secondary instance provides redundancy in case the primary instance stops functioning. If that happens, an ISE administrator can manually activate the secondary instance and resume NAC operations.
    Setting up an active/standby HA pair of ISE servers involves the following steps.
    1. Configure one ISE server and give it the role of Primary; that is, the active (or primary) node in an HA pair.
    2. Configure another ISE server and give it the role of Standalone. This will be the standby (or secondary) node in the HA pair.
    3. Create IP hosts on each server to resolve the FQDN of the other server to an IP address.
    4. On the secondary ISE server, export its self-signed certificate.
    5. On the primary ISE server, import the certificate as a .pem file.
    6. Still on the primary server, register the other ISE server as a secondary node.
      At this point, they start functioning as an HA pair. The primary node starts syncing its data with the secondary node, which remains in standby mode.
      For complete HA configuration instructions and details, see Configuring Administration Cisco ISE Nodes for High Availability.

    © 2026 Palo Alto Networks, Inc. All rights reserved.