Prerequisites for Active/Passive HA
Focus
Focus

Prerequisites for Active/Passive HA

Table of Contents

Prerequisites for Active/Passive HA

For high availability on Palo Alto Networks firewalls, ensure both firewalls have the same model, PAN-OS version, multi virtual system capability, and type of interfaces. They must also have identical licenses and HA1 and HA2 IP addresses within specific parameters.
To set up high availability on your Palo Alto Networks firewalls, you need a pair of firewalls that meet the following requirements:
  • The same model—Both the firewalls in the pair must be of the same hardware model or virtual machine model. (Verify that by viewing Dashboard, General Information, Model.)
  • The same PAN-OS version—Both the firewalls should be running the same PAN-OS version and must each be up-to-date on the application, URL, and threat databases. (Verify that by viewing Dashboard, General Information, Software Version.)
  • The same multi virtual system capability—Both firewalls must have Multi Virtual System Capability either enabled or not enabled. When enabled, each firewall requires its own multiple virtual systems licenses. (Verify that by viewing Device > Setup > Management, General Settings, Multi Virtual System Capability enabled or disabled.)
  • The same type of interfaces—Dedicated HA links, or a combination of the management port and in-band ports that are set to interface type HA. (Verify the following on Device > High Availability > HA Communications.)
    • Determine the IP address for the HA1 (control) connection between the HA peers. The HA1 IP address for both peers must be on the same subnet if they are directly connected or are connected to the same switch.
      For firewalls without dedicated HA ports, you can use the management port for the control connection. Using the management port provides a direct communication link between the management planes on both firewalls. However, because the management ports will not be directly cabled between the peers, make sure that you have a route that connects these two interfaces across your network.
    • If you use Layer 3 as the transport method for the HA2 (data) connection, determine the IP address for the HA2 link. Use Layer 3 only if the HA2 connection must communicate over a routed network. The IP subnet for the HA2 links must not overlap with that of the HA1 links or with any other subnet assigned to the data ports on the firewall.
  • The same set of licenses—Licenses are unique to each firewall and cannot be shared between the firewalls. Therefore, you must license both firewalls identically. If both firewalls do not have an identical set of licenses, they cannot synchronize configuration information and maintain parity for a seamless failover. (Verify that the licenses match by comparing Device > Licenses.)
    As a best practice, if you have an existing firewall and you want to add a new firewall for HA purposes and the new firewall has an existing configuration Reset the Firewall to Factory Default Settings on the new firewall. This ensures that the new firewall has a clean configuration. After HA is configured, you will then sync the configuration on the primary firewall to the newly introduced firewall with the clean configuration.