Install a PA-7000 Series Firewall DPC in a High Availability (HA) Configuration

Learn how to install a Data Processing Card (DPC) in a PA-7000 Series Firewall high availability configuration.
With all Palo Alto Networks firewalls, the hardware must match when configuring two firewalls in an HA pair. When configuring PA-7000 Series firewalls, the installed Data Processing Cards (DPCs) must also match and must be installed in the same slots on each firewall.
Installing and enabling a new DPC also causes any virtual routers to restart. In an HA clustering configuration, it is recommended that you activate the DPCs in both chassis simultaneously in order to limit downtime.
  1. Put the provided ESD wrist strap on your wrist ensuring that the metal contact is touching your skin. Then attach (snap) one end of the ground cable to the wrist strap and remove the alligator clip from the banana clip on the other end of the ESD grounding cable. Plug the banana clip end into one of the ESD ports located on the front of the chassis before handling ESD sensitive hardware. For details on the ESD port location, see PA-7050 Front Panel (AC) or PA-7080 Front Panel (AC).
  2. Using a Phillips-head screwdriver, remove the blank slot covers for each slot in which you will install a DPC.
  3. Remove the first DPC from the antistatic bag and partially slide it into any of the available DPC slots, ensuring that the handles are in the open position. When the card is about 1/4-inch from being fully inserted, adjust the levers to align with the chassis and then close the levers to seat the card in place.
  4. Install the second DPC in the other chassis in the HA pair in the same slot you installed the DPC in the first chassis. For example, if you installed the first DPC in slot 3 of the first chassis, install the second DPC in slot 3 of the second chassis.
    After you install the firewall in the rack and power it on as described in Connect Power to a PA-7000 Series Firewall, use the CLI to bring up the DPCs in the HA pair.
    Run the following command to power on both DPCs in the HA pair:
    admin@PA-7050> request chassis power-on slot <slot-number> target ha-pair
    For example, if you installed the DPCs in slot 3 of each chassis, run the following command:
    admin@PA-7050> request chassis power-on slot s3 target ha-pair
    This simultaneously powers on both cards, one in each chassis.
    Enable the DPCs by running the following command:
    admin@PA-7050> request chassis enable slot s3 target ha-pair
    It is recommended that you observe the enabled cards for about two minutes to check for internal path monitoring failures. If there is no failure, proceed to the next step.
    Check the status of the card in slot 3 on either chassis by running:
    admin@PA-7050> show chassis status slot s3
    If the cards are functioning properly, the status will show an output similar to the following:
    Slot   Component     Card Status   Config Status
    3      PA-7000-DPC   Up            Success
  5. Ensure that the DPC's session distribution policy is set to session-load.
    1. Run the following command to check the DPC's current distribution policy:
      admin@PA-7050> show session distribution policy
    2. If the Ownership Distribution Policy reads as any value other than session-load, run the following command:
      admin@PA-7050> set session distribution-policy session-load
    3. Run the show session distribution policy command again. The output should now read Ownership Distribution Policy: session-load.
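
The post-install checks above can be run against saved CLI output from both HA peers. The following Python script is an added example, not Palo Alto Networks code: it confirms that the same card is Up/Success in the same slot on each chassis and that both peers use session-load. The function names and the sample captures are assumptions, constructed from the column layout and policy line shown on this page.

```python
import re

# Constructed captures modelled on the columns shown on this page; real CLI
# spacing may differ. "Down" and "ingress-slot" are sample failure values.
PEER_A_STATUS = """Slot   Component     Card Status   Config Status
3      PA-7000-DPC   Up            Success
"""
PEER_B_STATUS = """Slot   Component     Card Status   Config Status
3      PA-7000-DPC   Down          Success
"""
POLICY_OK = "Ownership Distribution Policy: session-load\n"
POLICY_BAD = "Ownership Distribution Policy: ingress-slot\n"

def parse_status(text):
    """Map slot number -> (component, card status, config status)."""
    rows = {}
    for line in text.splitlines():
        # Columns are separated by runs of spaces (or dots in some renderings).
        cols = re.split(r"[\s.]{2,}", line.strip())
        if len(cols) == 4 and cols[0].isdigit():
            rows[int(cols[0])] = tuple(cols[1:])
    return rows

def parse_policy(text):
    m = re.search(r"Ownership Distribution Policy:\s*(\S+)", text)
    return m.group(1) if m else None

def check_ha_dpc(status_a, status_b, policy_a, policy_b, slot):
    """Return a list of problems; an empty list means the pair passes."""
    problems = []
    a = parse_status(status_a).get(slot)
    b = parse_status(status_b).get(slot)
    for name, row in (("peer A", a), ("peer B", b)):
        if row is None:
            problems.append(f"{name}: no card reported in slot {slot}")
        elif row[1:] != ("Up", "Success"):
            problems.append(f"{name}: slot {slot} is {row[1]}/{row[2]}")
    if a and b and a[0] != b[0]:
        problems.append(f"slot {slot}: card mismatch {a[0]} vs {b[0]}")
    for name, out in (("peer A", policy_a), ("peer B", policy_b)):
        policy = parse_policy(out)
        if policy != "session-load":
            problems.append(f"{name}: distribution policy is {policy}")
    return problems

if __name__ == "__main__":
    for p in check_ha_dpc(PEER_A_STATUS, PEER_B_STATUS, POLICY_OK, POLICY_BAD, 3):
        print("FAIL:", p)
```

An empty result means both peers report the card as Up/Success in the checked slot and both use session-load. Any entry in the list names the peer and the value that needs attention.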