Focus

Next-Generation Firewall

NGFW Clustering

Table of Contents

Filter

Expand All | Collapse All

Next-Generation Firewall Docs

Getting Started
Administration
Networking
Quick Start
Reference
Incidents & Alerts
Release Notes
Select a Document
- PAN-OS 12.1
- PAN-OS 11.2
- PAN-OS 11.1
- PAN-OS 11.0 (EoL)
- PAN-OS 10.2
- PAN-OS 10.1
- PAN-OS 10.0 (EoL)
- PAN-OS 9.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 8.1 (EoL)
Help
Select a Document
- PAN-OS 12.1
- PAN-OS 11.2
- PAN-OS 11.1
- PAN-OS 10.2
- PAN-OS 10.1

Reference: HA Synchronization

NGFW Clusters

NGFW Clustering

Learn about NGFW clustering of firewalls to provide node redundancy.

Where Can I Use This?	What Do I Need?
NGFW	For Strata Cloud Manager managed NGFWs: Strata Cloud Manager Pro One of the following for Panorama managed NGFWs: Panorama PAN-OS 12.1.2 (Panorama Clustering Plugin is bundled with Panorama) Panorama PAN-OS 11.1.5 and Panorama Clustering Plugin 2.0.0 Panorama PAN-OS 11.1.3 and Panorama Clustering Plugin 2.0.0

Where Can I Use This?

What Do I Need?

NGFW

For Strata Cloud Manager managed NGFWs:

Strata Cloud Manager Pro

One of the following for Panorama managed NGFWs:

Data centers need very high levels of network bandwidth and reliability. Beginning with PAN-OS 11.1.3 and later 11.1 releases and beginning with PAN-OS 12.1.2 and later 12.1 releases, PA-7500 Series firewalls support an NGFW cluster of two firewalls that provide redundancy in the event of a link failure, card failure, or chassis failure.Beginning with PAN-OS 12.1.2 and later 12.1 releases, PA-5540, PA-5550, PA-5560, PA-5570, and PA-5580 firewalls require an NGFW cluster of two firewalls.

The two firewalls in the NGFW cluster function in a new mode of operation to provide high availability. The NGFW cluster blends the legacy HA active/active and active/passive solutions into a single HA solution, reducing the complexity of multiple HA connections (HA1, HA2, and HA3) to a single High Speed Chassis Interconnect (HSCI) connection. The firewalls maintain a dual active data plane with a single active control plane. Neighboring devices see the NGFW cluster as a single Layer 2 or Layer 3 device. The NGFW cluster solution reduces failover time (compared to legacy HA), increases resiliency, and supports a multichassis link aggregation group (MC-LAG). The graphic illustrates a physical topology compared to a virtual topology.

The firewalls in a cluster are as easy to configure as an HA active/passive pair was, while they provide the benefits of an active/active solution with extremely fast failover time (less than one second). Configuration through Panorama contributes to the ease of implementation. The pair of firewalls in the NGFW cluster increase port availability, require fewer IP addresses (there are no floating IP addresses), and they rely on open standards. NGFW clustering easily integrates with Layer 3 and virtual wire devices, including those running in a Cisco VPC, Arista MLAG, and Juniper QFX.

The goal of the two firewalls in the NGFW cluster is redundancy; the supported capacity of the pair is one node, not two nodes. The session capacity and all control plane functions remain the same as a single standalone device. The firewall hardware references provide hardware information for the devices that support NGFW clustering.

Learn about the elements of an NGFW cluster.

Reference: HA Synchronization

NGFW Clusters

Next-Generation Firewall Docs

NGFW Clustering

Next-Generation Firewall Docs

NGFW Clustering

Activation and Onboarding

Next-Generation Firewalls

SASE

Cloud-Delivered Security Services

Network Security

Endpoints

Visibility & Monitoring

FedRAMP

Hardware Reference

Hardware Quick Start Guides

Virtual ION Deployment

3rd Party Integrations

Best Practices

Experts Corner