Prerequisites for Active/Passive HA
For high availability on Palo Alto Networks firewalls, both firewalls must have the same model, PAN-OS version, multi virtual system capability, type of interfaces, and set of licenses, and their HA1 and HA2 IP addresses must satisfy the subnet requirements described below.
To set up high availability on your Palo Alto Networks firewalls, you need a pair of firewalls that meet the following requirements:
The same model—Both the firewalls in the pair must be of the same hardware model or virtual machine model. (Verify that by viewing Dashboard, General Information, Model.)
The same PAN-OS version—Both the firewalls should be running the same PAN-OS version and must each be up-to-date on the application, URL, and threat databases. (Verify that by viewing Dashboard, General Information, Software Version.)
The same multi virtual system capability—Both firewalls must have Multi Virtual System Capability either enabled or not enabled. When enabled, each firewall requires its own multiple virtual systems licenses. (Verify that by viewing Device > Setup > Management, General Settings, Multi Virtual System Capability enabled or disabled.)
The same type of interfaces—Dedicated HA links, or a combination of the management port and in-band ports that are set to interface type HA. (Verify the following on Device > High Availability > HA Communications.)
Determine the IP address for the HA1 (control) connection between the HA peers. The HA1 IP address for both peers must be on the same subnet if they are directly connected or are connected to the same switch.
For firewalls without dedicated HA ports, you can use the management port for the control connection. Using the management port provides a direct communication link between the management planes on both firewalls. However, because the management ports will not be directly cabled between the peers, make sure that you have a route that connects these two interfaces across your network.
If you use Layer 3 as the transport method for the HA2 (data) connection, determine the IP address for the HA2 link. Use Layer 3 only if the HA2 connection must communicate over a routed network. The IP subnet for the HA2 links must not overlap with that of the HA1 links or with any other subnet assigned to the data ports on the firewall.
The same set of licenses—Licenses are unique to each firewall and cannot be shared between the firewalls. Therefore, you must license both firewalls identically. If both firewalls do not have an identical set of licenses, they cannot synchronize configuration information and maintain parity for a seamless failover. (Verify that the licenses match by comparing Device > Licenses.)
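The checks above are manual comparisons of values read from the two firewalls' GUIs. The following script, added here as an illustration and not part of Palo Alto Networks' documentation or software, encodes the same requirements (matching model, PAN-OS version, multi virtual system setting and license set; HA1 addresses on one subnet; a Layer 3 HA2 subnet that overlaps neither HA1 nor any data-port subnet) as an automated pre-check. The peer records are constructed sample data, the function and key names are hypothetical, and the multi-vsys license name is an assumption to confirm against Device > Licenses.

```python
"""Hypothetical pre-check for an Active/Passive HA pair (added example,
not Palo Alto Networks code). Each peer is a dict of the values you would
read under Dashboard > General Information, Device > Licenses and
Device > High Availability > HA Communications. All records below are
constructed sample data using documentation address ranges."""
import ipaddress

# Assumed license name for Multi Virtual System Capability; confirm the
# exact string shown under Device > Licenses on your own firewalls.
MULTI_VSYS_LICENSE = "Virtual Systems"


def subnet_of(cidr):
    """Network of an interface address given in CIDR form (e.g. 192.0.2.10/24)."""
    return ipaddress.ip_interface(cidr).network


def check_ha_prerequisites(a, b, ha1_direct=True):
    """Return a list of prerequisite violations; an empty list means the pair qualifies.

    ha1_direct: True when the HA1 links are cabled back-to-back or sit on the
    same switch, which is when the HA1 addresses must share a subnet."""
    problems = []

    # Same model, same PAN-OS version, same multi-vsys setting.
    for key, label in (("model", "Model"),
                       ("panos_version", "PAN-OS version"),
                       ("multi_vsys", "Multi Virtual System Capability")):
        if a[key] != b[key]:
            problems.append(f"{label} differs: {a[key]!r} vs {b[key]!r}")

    # Identical license sets: licenses are per firewall and cannot be shared,
    # so anything one peer has and the other lacks breaks config sync parity.
    for have, lack, name in ((a, b, "peer B"), (b, a, "peer A")):
        for lic in sorted(set(have["licenses"]) - set(lack["licenses"])):
            problems.append(f"License {lic!r} missing on {name}")

    # With multi-vsys enabled, each firewall needs its own multi-vsys license.
    for name, peer in (("peer A", a), ("peer B", b)):
        if peer["multi_vsys"] and MULTI_VSYS_LICENSE not in peer["licenses"]:
            problems.append(
                f"{name}: multi-vsys enabled but {MULTI_VSYS_LICENSE!r} license absent")

    # HA1 (control) addresses must share a subnet when directly connected.
    if ha1_direct and subnet_of(a["ha1"]) != subnet_of(b["ha1"]):
        problems.append(
            f"HA1 addresses are on different subnets: {a['ha1']} vs {b['ha1']}")

    # For a Layer 3 HA2 (data) link, the HA2 subnet must not overlap HA1 or
    # any subnet assigned to that firewall's data ports.
    for name, peer in (("peer A", a), ("peer B", b)):
        if peer["ha2_transport"] != "layer3":
            continue
        ha2_net = subnet_of(peer["ha2"])
        candidates = [("HA1", peer["ha1"])] + list(peer["data_ports"].items())
        for ifname, cidr in candidates:
            if ha2_net.overlaps(subnet_of(cidr)):
                problems.append(
                    f"{name}: HA2 subnet {ha2_net} overlaps {ifname} ({cidr})")
    return problems


# Constructed sample peers. Model, version and license names are placeholders.
PEER_A = {
    "model": "PA-sample-model",
    "panos_version": "sample-10.2",
    "multi_vsys": False,
    "licenses": ["Threat Prevention", "URL Filtering"],
    "ha1": "192.0.2.10/24",
    "ha2_transport": "layer3",
    "ha2": "198.51.100.10/24",
    "data_ports": {"ethernet1/1": "203.0.113.10/24", "ethernet1/2": "10.20.0.1/24"},
}
PEER_B = {**PEER_A, "ha1": "192.0.2.11/24", "ha2": "198.51.100.11/24",
          "data_ports": {"ethernet1/1": "203.0.113.11/24", "ethernet1/2": "10.20.0.2/24"}}

# A peer that breaks three rules: a different PAN-OS version, a missing
# license, and an HA2 subnet that collides with ethernet1/1.
PEER_BAD = {**PEER_B, "panos_version": "sample-10.1",
            "licenses": ["Threat Prevention"], "ha2": "203.0.113.50/24"}

if __name__ == "__main__":
    for label, peer in (("good pair", PEER_B), ("bad pair", PEER_BAD)):
        issues = check_ha_prerequisites(PEER_A, peer)
        print(f"{label}: {'OK' if not issues else ''}")
        for issue in issues:
            print("  -", issue)
```

Run it against the two sample pairs and the good pair reports no issues, while the bad pair lists the version mismatch, the license missing on peer B, and the HA2/data-port overlap, which are exactly the conditions the items above tell you to verify by hand.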
As a best practice, if you have an existing firewall and you want to add a new firewall for HA purposes and the new firewall has an existing configuration, Reset the Firewall to Factory Default Settings on the new firewall. This ensures that the new firewall has a clean configuration. After HA is configured, you will then sync the configuration on the primary firewall to the newly introduced firewall with the clean configuration.