>
    Strata Copilot
    Configure an NGFW Cluster
    Focus
    Download PDF
    Focus
    1. Home
    2. Next-Generation Firewall
    3. NGFW Clustering
    4. Configure an NGFW Cluster
    Download PDF
    Next-Generation Firewall

    Configure an NGFW Cluster

    Table of Contents

    Configure an NGFW Cluster

    Configure an NGFW cluster of two firewalls for node redundancy.
    Where Can I Use This?What Do I Need?
    • NGFW
    For Strata Cloud Manager managed NGFWs:
    • Strata Cloud Manager Pro
    One of the following for Panorama managed NGFWs:
    Before you configure the firewalls to an NGFW cluster, perform the following prerequisites:
    • Confirm that Panorama and the firewalls that you will assign to an NGFW cluster are all running the same software version.
    • Install Panorama Clustering plugin 2.0.0 if you're using PAN-OS 11.1.3; refer to Install Panorama Plugins. For subsequent PAN-OS releases, you must install a compatible Panorama Clustering plugin release. Also refer to the Panorama plugin for Clustering in the VM-Series and Panorama Plugin Release Notes.
    • Be familiar with Panorama tasks, such as managing devices and creating templates, template stacks, and device groups.
    • Add the two firewalls as managed devices of Panorama so that they are communicating with each other over the management interface. Confirm by selecting PanoramaManaged DevicesSummary, and verify the two firewalls (nodes) have an IP address on their management interface and the Device State is Connected.
    • Connect the firewalls back-to-back with 100G or 400G HSCI-A and HSCI-B links. (Verify the connections on each firewall by using the CLI command show interface all to see the hsci-a and hsci-b interfaces.)
    • Familiarize yourself with NGFW Clusters.
    The steps in the example task to configure an NGFW cluster are based on this topology example of two MC-LAGs. The orange links connected to Node 1 and Node 2 on the client side belong to AE1 (an MC-LAG). The orange links connected to Node 1 and Node 2 on the server side belong to AE2 (another MC-LAG). Traffic from the client at 10.1.7.100 goes to the switch and is then divided between the two ingress AE1 interfaces and then egresses the two AE2 interfaces to the switch, and then goes over the orange link to the server at 10.1.8.200.
    The gray links connected Node 1 and Node 2 are orphan ports. Traffic from the client at 10.1.1.100 goes to the switch, to Node 1, across an HSCI interface to Node 2, egresses Node 2 to the switch, and then to the server at 10.1.2.100.

    PAN-OS

    Configure an NGFW cluster.
    Use this process to configure an NGFW cluster.
    1. Log in to the Panorama Web Interface.
    2. Create an NGFW cluster.
      1. Select PanoramaFirewall ClustersCreate Cluster.
      2. Enter a Cluster Name containing zero or more alphanumeric characters, underscores (_), hyphens (-), dots (.), or spaces.
      3. Select Cluster Type as PA.
      4. Click OK.
    3. Add the firewalls to the cluster.
      1. Select PanoramaFirewall ClustersSummary View and select the cluster you created.
      2. Enter a Group ID in the range 1 to 63; the default is 1.
      3. Select the two firewalls to assign to the cluster. The first firewall you select automatically becomes Node 1.
      4. Click OK.
      5. View the firewalls in the cluster by selecting PanoramaFirewall ClustersSummary View and selecting the cluster you created. The General tab displays nonconfigurable fields: Device serial number and Node ID (1 or 2). Click OK to close the window.
      6. Select Commit to Panorama and Commit. Both firewalls are rebooted and get assigned a Node ID, the existing configuration (policy, network, etc.) is cleared, and the firewalls are connected back to Panorama.
      7. Select Push to Devices, select Push All Changes, select the newly created firewall cluster, and Push.
    4. (Optional) Verify the cluster state and node state.
      1. Access the CLI.
      2. > show cluster leader
      3. > show cluster local node-id
      4. > show cluster local state
      5. > show cluster all
      6. > exit
    5. Log in to the Panorama Web Interface.
    6. View the Config Sync Status.
      1. Select PanoramaFirewall ClustersSummary View and select PA-Series.
      2. View the Config Sync Status. After the Commit All is successful, the firewalls have a Config Sync Status of In Sync.
    7. Add a cluster template.
      1. Select PanoramaTemplates and Add a template.
      2. Enter a Name and Description of the template.
      3. Enable clustering. You must enable clustering when you first create the template; you can't go back to enable clustering later.
      4. Click OK.
    8. Create a template stack.
      1. Select PanoramaTemplatesAdd Stack.
      2. Enter a Name for the template stack.
      3. In the Devices section, select the two firewalls in the cluster.
      4. In the Templates section, Add the template you created.
      5. Enable clustering. You must enable clustering when you first create the template stack; you can't go back to enable clustering later. (If you don't Enable clustering for the template stack now, it won't match the template and an Operation Failed message appears.)
      6. Click OK.
    9. Add a device group.
      1. Select PanoramaDevice GroupsAdd.
      2. Enter a Name for the device group.
      3. In the Devices section, select the Names of the two firewalls in the cluster.
      4. In the Reference Templates section, Add the template stack that you created.
      5. Click OK.
    10. Commit to Panorama and Commit to apply your configuration in Panorama.
    11. (Two-node cluster only) Verify that the management interface permits the same IP addresses on the two nodes. The firewalls use the management interface to exchange heartbeats to detect and avoid a split-brain situation.
      1. Select DeviceSetupInterfaces.
      2. In the Template field, select your template.
      3. Select the Management interface.
      4. If you added Permitted IP Addresses on one of the nodes, you must also permit the same IP addresses on the peer node. Each node must be able to reach the management interface of the peer node. (If you deny the IP address or network of the peer, split brain detection won't work.)
      5. Click OK.
    12. Configure the template.
      1. Select Network
      2. In the Template field, select your template.
    13. To configure the orphan port, configure a Layer 3 interface on the firewall that connects to the client.
      1. Select NetworkInterfacesCluster Ethernet and Add Interface.
      2. Select the Node ID (1 for this example).
      3. Select the Slot (Slot 4).
      4. Select the Interface Name, for example, node1:ethernet4/6.
      5. Select the Interface Type as Layer3.
      6. On the Config tab, create a Logical Router by adding a Name; click OK.
      7. Create a Security Zone, such as client.
      8. Select IPv4, select the Type as Static, for example, and Add the IPv4 address with netmask (10.1.1.1/24 in this example).
        Alternatively, select IPv6, Enable IPv6 on the interface, select the Type as Static, and Add the IPv6 Address with network prefix length. This task example uses static IP addressing; NGFW clustering also supports DHCP, DHCPv6, PPPoE, and PPPoEv6.
      9. Select the Advanced tab and then the Other Info tab.
      10. For Management Profile, create a new Interface Management profile to allow access to the interface. Select the management and network services allowed (such as HTTPS, SSH, and Ping) and click OK.
      11. Click OK.
    14. Configure the other orphan port on node 2, Slot 2, node2:ethernet2/19, using IP address 10.1.2.1/24 for the interface that faces the server. Create a different security zone. The gray path in the example topology is configured.
    15. Configure the AE interface (MC-LAG) for the client-facing interface on Node 1.
      1. Select NetworkInterfacesCluster Ethernet and Add Aggregate Group.
      2. For Interface Name, next to ae, enter the interface number (in this example, 1).
      3. Select Interface Type as Layer3.
      4. On the Config tab, select the same Logical Router.
      5. Select the Security Zone.
      6. Click OK.
      7. Select IPv4, select the Type as Static, and Add the IPv4 address with netmask (10.1.7.1/24 in this example).
      8. (Optional) Configure LACP settings if you want to enable LACP for the aggregate group.
      9. Select the Advanced tab and then the Other Info tab.
      10. For Management Profile, create a new Interface Management profile to allow access to the interface. Select the services allowed and click OK.
      11. Click OK.
    16. Configure the AE interface (MC-LAG) for the server-facing interface for Node 1. For this interface, follow similar substeps as in the prior step, but configure AE2, add the IP address (10.1.8.1/24), the same logical router, and a server Security zone.
    17. Add an interface member to the MC-LAG on the client side.
      1. Select NetworkInterfacesCluster Ethernet and Add Interface.
      2. On the Cluster Ethernet Interface, select the Node ID Node 1.
      3. Select the Slot (Slot 2).
      4. Select the Interface Name, for example, node1:ethernet2/1.
      5. Select the Interface Type as Aggregate Ethernet.
      6. Select the Aggregate Group, such as ae1.
      7. Click OK.
    18. Add a second interface member to the MC-LAG on the client side, assigning Node ID as Node 2, Slot 2, node2:ethernet2/11. Select the same Aggregate Group (ae1).
    19. Add an interface member to the MC-LAG on the server side. Select Node 1, Slot 4, node1:ethernet4/16. Select the Aggregate Group, ae2.
    20. Add a second interface member to the MC-LAG on the server side, assigning it to Node 2, Slot 6, node2:ethernet6/16. Select the Aggregate Group, such as ae2.
    21. (PAN-OS 11.1.5 and later 11.1 releases) Prepare to configure MACsec for the HSCI ports by creating a MACsec profile.
      IMPORTANT: When you migrate from a non-MACsec cluster to a MACsec cluster, you must do so during a maintenance window.
      1. Select NetworkNetwork ProfilesMACsec Profile and select MACsec Policy.
      2. Add a MACsec crypto profile by Name, which contains zero or more alphanumeric characters, underscores (_), hyphens (-), or dots (.). The Name is a maximum of 31 characters.
      3. Select the Encryption type: AES-128-GCM (default) or AES-256-GCM.
      4. Select the Confidentiality Offset to specify a number of bytes (starting from the frame header), after which MACsec encrypts the bytes in a frame. Values are 0 (default), 30, or 50.
      5. Enable SCI Include to include the Secure Channel Identifier (SCI) tag in the Security Tag field of the MACsec header. The default is disabled.
      6. Enable Anti Replay to enable replay protection. This allows a MACsec port to accept frames out of order if they are within the Anti Replay Window. The default is disabled.
      7. Specify the Anti Replay Window size in the range 0 to 65,535; the default is 16,384. This value determines the range of packet numbers that the port will accept, for packets that might be out of order. The port will accept packets with a packet number greater than or equal to the last packet number minus the window size. For example, after the port receives packet number 12, if the window is 5, the port will subsequently accept only packets numbered 7 or higher.
        Specify an Anti Replay window size based on the traffic rate because the HSCI ports will likely experience packets arriving out of order due to prioritization or load balancing in the network.
      8. Specify the SAK Rekey Interval (sec) in seconds; range is 60 to 86,400; default is 3,600. Connectivity Association participants negotiate a Secure Association agreement, which includes a cipher suite and keys. A Key Server generates a Secure Association Key (SAK) from the Connectivity Association Key (CAK); the SAK is refreshed at the SAK rekey interval. The end-to-end nodes use the SAK to encrypt traffic for a given session. To avoid the SAKs of all interfaces being refreshed at the same time, MACsec might spread the rekeying actions evenly by subtracting a small random number from the SAK rekey interval.
      9. Click OK.
    22. (PAN-OS 11.1.5 and later 11.1 releases) Create a MACsec Pre Shared Key Profile.
      1. Select NetworkNetwork ProfilesMACsec Profile and select Pre Shared Key.
      2. Add a MACsec Pre Shared Key Profile by Name, which contains zero or more alphanumeric characters, underscores (_), hyphens (-), dots (.), or spaces. The Name is a maximum of 31 characters.
      3. Enter the CKN (Connectivity Association Key Name) that identifies the Connectivity Association Key. The CKN is 1 byte to 32 bytes of hexadecimal string (2 to 64 hex digits) with an even number of digits; for example, 1234.
      4. Enter the CAK (Connectivity Association Key), which is a 16-byte hexadecimal string (32 hex digits) for AES-128-GCM, or a 32-byte hexadecimal string (64 hex digits) for AES-256-GCM. The CAK is used to generate all other keys used for MACsec. An example CAK for AES-128-GCM is 12345678912345678912345678912345. A CAK for AES-256-GCM is twice as long as a CAK for AES-128-GCM.
        The Pre Shared Key, CKN, and CAK must match on the two ends of the HSCI-A link. Likewise, the Pre Shared Key, CKN, and CAK must match on the two ends of the HSCI-B link.
      5. Click OK.
    23. (PAN-OS 11.1.5 and later 11.1 releases) Commit to Panorama.
    24. (PAN-OS 11.1.5 and later 11.1 releases) Push to Devices and Push Templates so that the devices have the MACsec profiles, thus allowing you to later push the cluster configuration with MACsec enabled.
    25. (PAN-OS 11.1.5 and later 11.1 releases) Identify the leader node and nonleader node.
      1. Access the CLI on one of the firewall nodes. (If you already know which node is the nonleader, access the CLI on the nonleader node.)
      2. >show cluster nodes
    26. (PAN-OS 11.1.5 and later 11.1 releases) Suspend the nonleader node.
      1. Access the CLI on the nonleader node.
      2. >request cluster node state suspend
        The suspension takes approximately 120 seconds (the default delay value).
    27. (PAN-OS 11.1.5 and later 11.1 releases) Confirm the nonleader node is suspended.
      1. >show cluster nodes
    28. (PAN-OS 11.1.5 and later 11.1 releases) Apply your MACsec profiles to the HSCI-A and HSCI-B ports.
      1. Select PanoramaFirewall Clusters and select Summary View.
      2. Select PA-Series or All Clusters.
      3. Select a Cluster Name to edit the cluster.
      4. Select Communications.
      5. Select hsci-a and enter the Key Server Priority in the range from 0 to 255; the default is 16. The lower the value, the higher the priority of the Key Server.
        If the priority values for the HSCI-A links on the two nodes are equal, the node with the lower MAC address is the Key Server. The Key Server (one of the nodes in the cluster) selects and advertises a cipher suite, and also generates the SAK from the CAK.
      6. For Crypto Profile, select the MACsec crypto profile you created or select the default profile.
      7. For Pre Shared Key Profile, select the profile you created.
      8. Select hsci-b and perform the same steps to assign a Key Server Priority and apply the crypto profile and pre-shared key Profile to the port.
      9. Click OK.
    29. (PAN-OS 11.1.5 and later 11.1 releases) Commit, Commit to Panorama, and Commit.
    30. (PAN-OS 11.1.5 and later 11.1 releases) Push to Devices and Push , which enables MACsec on the ports.
    31. (PAN-OS 12.1.2 and later 12.1 releases) (Optional) If you renamed the MACsec key profile or replaced the MACsec pre-shared key and your commit fails, select Edit Selections and perform the following substeps:
      1. If you need to push a device group configuration, perform these next three substeps. Select the Device Groups tab. Select the affected device group or groups. Select Include Device and Network Templates. Select Include Firewalls Clusters.
      2. Select the Templates tab and deselect the affected template.
      3. Select the Firewall Clusters tab. Deselect Filter Selected. Deselect the affected cluster.
      4. If you need to push the template configuration, perform these next three substeps. Select the Device Groups tab and deselect the affected device group.
      5. Select the Templates tab and select the affected template. Select Include Firewall Clusters.
      6. Select the Firewall Clusters tab. Deselect Filter Selected. Deselect the affected cluster.
      7. Now that you have edited the selections, repeat Steps 29 and 30 to commit and push your changes.
    32. (PAN-OS 11.1.5 and later 11.1 releases) Confirm MACsec is enabled on both ports.
      1. Access the CLI.
      2. >show macsec mka session interface hsci-a
      3. >show macsec mka session interface hsci-b
    33. (PAN-OS 11.1.5 and later 11.1 releases) Unsuspend the nonleader node.
      1. Access the CLI on the nonleader node.
      2. >request cluster node state unsuspend
        It takes a few minutes to unsuspend the nonleader node; the length of time depends on the traffic level.
    34. (PAN-OS 11.1.5 and later 11.1 releases) Verify that both nodes are online.
      1. >show cluster nodes
    35. (PAN-OS 11.1.7 and later 11.1 releases) (Optional) Enable multiple virtual systems for the firewalls in the template.
      1. Select DeviceVirtual Systems and select the Template by name.
      2. For Mode, select Multi VSYS.
    36. Create Security policy rules.
      1. Select Policies and select the Device Group.
      2. Create Security policy rules to control access, such as allowing a specific source zone, destination zone, address, user, device, application, and service.
    37. Configure routing and other features your firewalls require (except for HA). Refer to the PAN-OS Administrator's Guide and the PAN-OS Networking Administrator's Guide.
    38. Configure system monitoring for the NGFW cluster.
      1. Select PanoramaFirewall ClustersSummary View and select a cluster or a single firewall in the cluster.
      2. Select System Monitoring.
      3. Select the State Upon Capacity Loss:
        • degraded—Specifies that the firewall will be in a DEGRADED state if the count of functional network cards or data processing cards goes below the configured Minimum Network Cards or Minimum Data Processing Cards, respectively. Furthermore:
          • A cluster node in DEGRADED state has traffic ports down, but is still a part of the sharded (fragmented) member table.
          • Data processing card resources of a DEGRADED cluster node can be used to process traffic and for Layer 7 processing.
          • A cluster node in INIT or ONLINE state transitions to DEGRADED state when a soft fault is reported to the cluster node state machine.
          • A cluster node in ONLINE state transitions to DEGRADED state (and a node in DEGRADED state remains in DEGRADED state) if you suspend the cluster node after a delay (using the CLI operational command: request cluster node state suspend). A delay allows data planes to gracefully complete Layer 7 processing or other processes that were underway.
          • If all soft faults are cleared, the cluster node transitions to INIT state.
          • If a hard fault occurs, a cluster node in DEGRADED state transitions to FAILED state.
          • A cluster node in DEGRADED state transitions to SUSPENDED state if the maximum number of state flaps is seen or you suspend the cluster node.
          • If a chassis has no functional data processing cards remaining (all DPC slots are powered off or in a FAILED state), the cluster node state will be FAILED, even if you configured degraded, because having no functional DPC is a hard fault.
        • failed—Specifies that the firewall will be in a FAILED state if the count of functional network cards or data processing cards goes below the configured Minimum Network Cards or Minimum Data Processing Cards, respectively. Furthermore:
          • A cluster node in FAILED state has traffic ports down and isn't part of the sharded member table.
          • Data processing card resources of a FAILED cluster node can't be used to process traffic or for Layer 7 processing.
          • A cluster node in INIT, ONLINE, or DEGRADED state transitions to FAILED state when a hard fault is reported to the cluster node state machine.
          • A cluster node in FAILED state transitions to INIT state if all hard faults are cleared.
          • A cluster node in FAILED state transitions to SUSPENDED state if the maximum number of state flaps is seen or you suspend the cluster node.
        NGFW Clusters provides a list of hard faults and soft faults.
      4. In the Minimum Chassis Capacity Required section, enter the Minimum Network Cards required; range is 1 to 7, default is 1. When fewer Network Cards than the configured value are functional, the firewall in the cluster goes to the State Upon Capacity Loss that you configured (degraded or failed).
      5. Enter the Minimum Data Processing Cards required; range is 1 to 7, default is 1. When fewer Data Processing Cards than the configured value are functional, the firewall in the cluster goes to the State Upon Capacity Loss that you configured (degraded or failed).
      6. Click OK.
    39. (Optional) Configure Log Forwarding for the PA-7500 Series firewall.
    40. Push the configuration from Panorama to the firewalls in the cluster.
      1. Commit and Commit and Push and Commit.
      2. Commit and Push to Devices, Push All Changes, select the cluster, and Push the configuration to both nodes.
    41. (PAN-OS 11.1.7 and later 11.1 releases) If you enabled multiple virtual systems for the Panorama device template, enable multiple virtual systems for an individual firewall.
      1. Log on to an individual firewall (not Panorama).
      2. Select DeviceSetupManagement.
      3. In General Settings, select Multi Virtual System Capability.
      4. Click OK.
      5. Repeat this step for the other firewall in the cluster.
    42. View NGFW cluster information for an individual firewall on its Dashboard.
      1. Log on to an individual firewall (not Panorama).
      2. Select Dashboard and for Widgets, select System Firewall Cluster to view the Firewall Cluster card, which displays the Cluster Name and Node ID.
    43. View NGFW Cluster Summary and Monitoring information and health for the cluster.

    Strata Cloud Manager

    Configure an NGFW cluster of two firewalls using Strata Cloud Manager.
    Use this process to configure an NGFW Cluster of up to two firewalls using Strata Cloud Manager.
    1. Select ConfigurationNGFW and Prisma Access.
    2. For the Configuration Scope, select a folder.
      The folder selection cannot be more than four levels deep.
    3. Create an NGFW cluster.
      1. Select Overview and in the Cluster Setup pane, select the gear icon or click on the number of clusters already configured.
      2. Select Clusters and Add Cluster.
      3. On the General tab, enter the Cluster Name containing zero or more alphanumeric characters, underscores (_), hyphens (-), dots (.), or spaces.
      4. (Optional) Enter the Group ID (in the range 1 to 63; the default is 1).
    4. Add devices to the cluster.
      1. On the Select Devices tab, select the Node 1 Device (a firewall to assign to the cluster).
      2. Select the Node 2 Device (the second firewall to assign to the cluster).
    5. Configure the HSCI-A and HSCI-B links.
      If the firewalls are directly connected via fibre, then MACSec configuration is optional. You may click Next to skip this step.
      If the firewalls are connected over a dark-fibre network between sites, MACSec configuration is mandatory.
      1. On the Communications tab, select the + and add an Inter Firewall Link by selecting hsci-a.
      2. Enter the Key Server Priority in the range 1 to 255.
      3. Select a MACsec Crypto Profile to apply to the link.
      4. Select a MACsec Pre Shared Key Profile to apply to the link.
      5. Repeat this step to configure the hsci-b link.
    6. Configure system monitoring for the NGFW cluster.
      1. On the System Monitoring tab, select the State Upon Capacity Loss: degraded or failed.
      2. Enter the Minimum Network Cards required; range is 1 to 7; default is 1.
      3. Enter the Minimum Data Processing Cards required; range is 1 to 7; default is 1.
      4. Save the configuration.
    7. Create a MACsec policy to apply to the HSCI ports.
      1. On the MACsec Profiles tab, Add MACsec Policy.
      2. Enter a Name for the profile, which contains zero or more alphanumeric characters, underscores (_), hyphens (-), or dots (.). The name is a maximum of 31 characters.
      3. Select the Encryption type: AES-128-GCM (default) or AES-256-GCM.
      4. Select the Confidentiality Offset to specify a number of bytes (starting from the frame header), after which MACsec encrypts the bytes in a frame. The value is 0 (default), 30, or 50.
      5. Enable SCI Include to include the Secure Channel Identifier (SCI) tag in the Security Tag field of the MACsec header. The default is disabled.
      6. Enable Anti Replay to enable replay protection. This allows a MACsec port to accept frames out of order if they are within the Anti Replay Window. The default is disabled.
      7. Enter the Anti Replay Window size in the range 0 to 65,535; the default is 16,384. This value determines the range of packet numbers that the port will accept, for packets that might be out of order. The port will accept packets with a packet number greater than or equal to the last packet number minus the window size. For example, after the port receives packet number 12, if the window is 5, the port will subsequently accept only packets numbered 7 or higher.
        Specify an Anti Replay window size based on the traffic rate because the HSCI ports will likely experience packets arriving out of order due to prioritization or load balancing in the network.
      8. Enter the SAK Rekey Interval (sec) in seconds; range is 60 to 86,400; default is 3,600. Connectivity Association participants negotiate a Secure Association agreement, which includes a cipher suite and keys. A Key Server generates a Secure Association Key (SAK) from the Connectivity Association Key (CAK); the SAK is refreshed at the SAK rekey interval. The end-to-end nodes use the SAK to encrypt traffic for a given session. To avoid the SAKs of all interfaces being refreshed at the same time, MACsec might spread the rekeying actions evenly by subtracting a small random number from the SAK rekey interval.
    8. Create a MACsec pre-shared key profile.
      1. On the MACsec Profiles tab, Add Pre Shared Key.
      2. Enter a Name for the pre shared key profile, which contains zero or more alphanumeric characters, underscores (_), hyphens (-), dots (.), or spaces. The name is a maximum of 31 characters.
      3. Enter the CKN (Connectivity Association Key Name) that identifies the Connectivity Association Key. The CKN is 1 byte to 32 bytes of hexadecimal string (2 to 64 hex digits) with an even number of digits; for example, 1234.
      4. Enter the CAK (Connectivity Association Key), which is a 16-byte hexadecimal string (32 hex digits) for AES-128-GCM, or a 32-byte hexadecimal string (64 hex digits) for AES-256-GCM. The CAK is used to generate all other keys used for MACsec. An example CAK for AES-128-GCM is 12345678912345678912345678912345. A CAK for AES-256-GCM is twice as long as a CAK for AES-128-GCM.
      5. Confirm CAK.
      6. Save the profiles.
    9. (PA-7500 only) Configure System Monitoring. Enter the parameters of the NGFW Clusters if components of the PA-7500 fail.
      1. State Upon Capacity Loss” is when the components such as NPCs, DPCs, PSUs fail, with two options being available.
        • “degraded” means the node is put into a degraded state <define with this means and the affect to traffic flow>
        • “failed” means the node is put into a failed state <define with this means and the affect to traffic flow>
      2. Define the “Minimum Network Cards” required to be active for the node to continue to participate in the NGFW Cluster, with the default value being 1.
      3. Define the “Minimum Data Processing Cards” required to be active for the node to continue to participate in the NGFW Cluster, with the default value being 1.
    10. Click “Save” to complete the workflow.
    11. Once the workflow is saved, it will take the operator back to the “Cluster Setup” screen. At this point.
      1. Choose the new cluster, click “Initiate Clustering”
      2. At the validation menu, click “Yes”
        Strata Cloud Manager sends OP command to the devices to make them node 1 and node 2 from the default node 0 (i.e. unclustered) state. This should trigger an automatic reboot of both devices, however in some circumstances a manual reboot will be required.
    12. Once the devices are up and active after their reboot, check each node that there are cluster mode by connecting to each NGFW device:

    Remove a Device from an NGFW Cluster

    Use this procedure to remove a single firewall from an NGFW Cluster using Strata Cloud Manager.
    1. Select ConfigurationNGFW and Prisma Access.
    2. For the Configuration Scope, select a folder.
      The folder selection cannot be more than four levels deep.
    3. Remove a device from an NGFW cluster.
      1. Select Overview and in the Cluster Setup pane, click the cluster name to open the workflow.
      2. Select Clusters and Add Cluster.
      3. On the General tab, enter the Cluster Name containing zero or more alphanumeric characters, underscores (_), hyphens (-), dots (.), or spaces.
      4. (Optional) Enter the Group ID (in the range 1 to 63; the default is 1).
    4. Click the “Cluster Setup” under the cluster folder for the device and click on the cluster name to open up the workflow.
    5. Click to the “Step 2 Select Devices” screen and unselect the device in the “Select Node 2 Device” panel. For this, you may need to toggle the devices in “Select Node 1 Device” panel to unselect/unhighlight the device in Node 2
    6. Click “Save”.
    7. After you click “Save”, the workflow will be closed and then the device will be removed from the cluster folder.
      Strata Cloud Manager sends OP command to the node 2 device to make to node 0 (i.e. unclustered) state. This should trigger an automatic reboot of the node 2 device, however in some circumstances a manual reboot will be required.
    8. Once the devices are up and active after their reboot, connect to node 2 directly and check that it is no longer in cluster mode:
    1. Log in to the Panorama Web Interface.
    2. Create an NGFW cluster.
      1. Select PanoramaFirewall ClustersCreate Cluster.
      2. Enter a Cluster Name containing zero or more alphanumeric characters, underscores (_), hyphens (-), dots (.), or spaces.
      3. Select Cluster Type as PA.
      4. Click OK.
    3. Add the firewalls to the cluster.
      1. Select PanoramaFirewall ClustersSummary View and select the cluster you created.
      2. Enter a Group ID in the range 1 to 63; the default is 1.
      3. Select the two firewalls to assign to the cluster. The first firewall you select automatically becomes Node 1.
      4. Click OK.
      5. View the firewalls in the cluster by selecting PanoramaFirewall ClustersSummary View and selecting the cluster you created. The General tab displays nonconfigurable fields: Device serial number and Node ID (1 or 2). Click OK to close the window.
      6. Select Commit to Panorama and Commit. Both firewalls are rebooted and get assigned a Node ID, the existing configuration (policy, network, etc.) is cleared, and the firewalls are connected back to Panorama.
      7. Select Push to Devices, select Push All Changes, select the newly created firewall cluster, and Push.
    4. (Optional) Verify the cluster state and node state.
      1. Access the CLI.
      2. > show cluster leader
      3. > show cluster local node-id
      4. > show cluster local state
      5. > show cluster all
      6. > exit
    5. Log in to the Panorama Web Interface.
    6. View the Config Sync Status.
      1. Select PanoramaFirewall ClustersSummary View and select PA-Series.
      2. View the Config Sync Status. After the Commit All is successful, the firewalls have a Config Sync Status of In Sync.
    7. Add a cluster template.
      1. Select PanoramaTemplates and Add a template.
      2. Enter a Name and Description of the template.
      3. Enable clustering. You must enable clustering when you first create the template; you can't go back to enable clustering later.
      4. Click OK.
    8. Create a template stack.
      1. Select PanoramaTemplatesAdd Stack.
      2. Enter a Name for the template stack.
      3. In the Devices section, select the two firewalls in the cluster.
      4. In the Templates section, Add the template you created.
      5. Enable clustering. You must enable clustering when you first create the template stack; you can't go back to enable clustering later. (If you don't Enable clustering for the template stack now, it won't match the template and an Operation Failed message appears.)
      6. Click OK.
    9. Add a device group.
      1. Select PanoramaDevice GroupsAdd.
      2. Enter a Name for the device group.
      3. In the Devices section, select the Names of the two firewalls in the cluster.
      4. In the Reference Templates section, Add the template stack that you created.
      5. Click OK.
    10. Commit to Panorama and Commit to apply your configuration in Panorama.
    11. (Two-node cluster only) Verify that the management interface permits the same IP addresses on the two nodes. The firewalls use the management interface to exchange heartbeats to detect and avoid a split-brain situation.
      1. Select DeviceSetupInterfaces.
      2. In the Template field, select your template.
      3. Select the Management interface.
      4. If you added Permitted IP Addresses on one of the nodes, you must also permit the same IP addresses on the peer node. Each node must be able to reach the management interface of the peer node. (If you deny the IP address or network of the peer, split brain detection won't work.)
      5. Click OK.
    12. Configure the template.
      1. Select Network
      2. In the Template field, select your template.
    13. To configure the orphan port, configure a Layer 3 interface on the firewall that connects to the client.
      1. Select NetworkInterfacesCluster Ethernet and Add Interface.
      2. Select the Node ID (1 for this example).
      3. Select the Slot (Slot 4).
      4. Select the Interface Name, for example, node1:ethernet4/6.
      5. Select the Interface Type as Layer3.
      6. On the Config tab, create a Logical Router by adding a Name; click OK.
      7. Create a Security Zone, such as client.
      8. Select IPv4, select the Type as Static, for example, and Add the IPv4 address with netmask (10.1.1.1/24 in this example).
        Alternatively, select IPv6, Enable IPv6 on the interface, select the Type as Static, and Add the IPv6 Address with network prefix length. This task example uses static IP addressing; NGFW clustering also supports DHCP, DHCPv6, PPPoE, and PPPoEv6.
      9. Select the Advanced tab and then the Other Info tab.
      10. For Management Profile, create a new Interface Management profile to allow access to the interface. Select the management and network services allowed (such as HTTPS, SSH, and Ping) and click OK.
      11. Click OK.
    14. Configure the other orphan port on node 2, Slot 2, node2:ethernet2/19, using IP address 10.1.2.1/24 for the interface that faces the server. Create a different security zone. The gray path in the example topology is configured.
    15. Configure the AE interface (MC-LAG) for the client-facing interface on Node 1.
      1. Select NetworkInterfacesCluster Ethernet and Add Aggregate Group.
      2. For Interface Name, next to ae, enter the interface number (in this example, 1).
      3. Select Interface Type as Layer3.
      4. On the Config tab, select the same Logical Router.
      5. Select the Security Zone.
      6. Click OK.
      7. Select IPv4, select the Type as Static, and Add the IPv4 address with netmask (10.1.7.1/24 in this example).
      8. (Optional) Configure LACP settings if you want to enable LACP for the aggregate group.
      9. Select the Advanced tab and then the Other Info tab.
      10. For Management Profile, create a new Interface Management profile to allow access to the interface. Select the services allowed and click OK.
      11. Click OK.
    16. Configure the AE interface (MC-LAG) for the server-facing interface for Node 1. For this interface, follow similar substeps as in the prior step, but configure AE2, add the IP address (10.1.8.1/24), the same logical router, and a server Security zone.
    17. Add an interface member to the MC-LAG on the client side.
      1. Select NetworkInterfacesCluster Ethernet and Add Interface.
      2. On the Cluster Ethernet Interface, select the Node ID Node 1.
      3. Select the Slot (Slot 2).
      4. Select the Interface Name, for example, node1:ethernet2/1.
      5. Select the Interface Type as Aggregate Ethernet.
      6. Select the Aggregate Group, such as ae1.
      7. Click OK.
    18. Add a second interface member to the MC-LAG on the client side, assigning Node ID as Node 2, Slot 2, node2:ethernet2/11. Select the same Aggregate Group (ae1).
    19. Add an interface member to the MC-LAG on the server side. Select Node 1, Slot 4, node1:ethernet4/16. Select the Aggregate Group, ae2.
    20. Add a second interface member to the MC-LAG on the server side, assigning it to Node 2, Slot 6, node2:ethernet6/16. Select the Aggregate Group, such as ae2.
    21. (PAN-OS 11.1.5 and later 11.1 releases) Prepare to configure MACsec for the HSCI ports by creating a MACsec profile.
      IMPORTANT: When you migrate from a non-MACsec cluster to a MACsec cluster, you must do so during a maintenance window.
      1. Select NetworkNetwork ProfilesMACsec Profile and select MACsec Policy.
      2. Add a MACsec crypto profile by Name, which contains zero or more alphanumeric characters, underscores (_), hyphens (-), or dots (.). The Name is a maximum of 31 characters.
      3. Select the Encryption type: AES-128-GCM (default) or AES-256-GCM.
      4. Select the Confidentiality Offset to specify a number of bytes (starting from the frame header), after which MACsec encrypts the bytes in a frame. Values are 0 (default), 30, or 50.
      5. Enable SCI Include to include the Secure Channel Identifier (SCI) tag in the Security Tag field of the MACsec header. The default is disabled.
      6. Enable Anti Replay to enable replay protection. This allows a MACsec port to accept frames out of order if they are within the Anti Replay Window. The default is disabled.
      7. Specify the Anti Replay Window size in the range 0 to 65,535; the default is 16,384. This value determines the range of packet numbers that the port will accept, for packets that might be out of order. The port will accept packets with a packet number greater than or equal to the last packet number minus the window size. For example, after the port receives packet number 12, if the window is 5, the port will subsequently accept only packets numbered 7 or higher.
        Specify an Anti Replay window size based on the traffic rate because the HSCI ports will likely experience packets arriving out of order due to prioritization or load balancing in the network.
      8. Specify the SAK Rekey Interval (sec) in seconds; range is 60 to 86,400; default is 3,600. Connectivity Association participants negotiate a Secure Association agreement, which includes a cipher suite and keys. A Key Server generates a Secure Association Key (SAK) from the Connectivity Association Key (CAK); the SAK is refreshed at the SAK rekey interval. The end-to-end nodes use the SAK to encrypt traffic for a given session. To avoid the SAKs of all interfaces being refreshed at the same time, MACsec might spread the rekeying actions evenly by subtracting a small random number from the SAK rekey interval.
      9. Click OK.
    22. (PAN-OS 11.1.5 and later 11.1 releases) Create a MACsec Pre Shared Key Profile.
      1. Select NetworkNetwork ProfilesMACsec Profile and select Pre Shared Key.
      2. Add a MACsec Pre Shared Key Profile by Name, which contains zero or more alphanumeric characters, underscores (_), hyphens (-), dots (.), or spaces. The Name is a maximum of 31 characters.
      3. Enter the CKN (Connectivity Association Key Name) that identifies the Connectivity Association Key. The CKN is 1 byte to 32 bytes of hexadecimal string (2 to 64 hex digits) with an even number of digits; for example, 1234.
      4. Enter the CAK (Connectivity Association Key), which is a 16-byte hexadecimal string (32 hex digits) for AES-128-GCM, or a 32-byte hexadecimal string (64 hex digits) for AES-256-GCM. The CAK is used to generate all other keys used for MACsec. An example CAK for AES-128-GCM is 12345678912345678912345678912345. A CAK for AES-256-GCM is twice as long as a CAK for AES-128-GCM.
        The Pre Shared Key, CKN, and CAK must match on the two ends of the HSCI-A link. Likewise, the Pre Shared Key, CKN, and CAK must match on the two ends of the HSCI-B link.
      5. Click OK.
    23. (PAN-OS 11.1.5 and later 11.1 releases) Commit to Panorama.
    24. (PAN-OS 11.1.5 and later 11.1 releases) Push to Devices and Push Templates so that the devices have the MACsec profiles, thus allowing you to later push the cluster configuration with MACsec enabled.
    25. (PAN-OS 11.1.5 and later 11.1 releases) Identify the leader node and nonleader node.
      1. Access the CLI on one of the firewall nodes. (If you already know which node is the nonleader, access the CLI on the nonleader node.)
      2. >show cluster nodes
    26. (PAN-OS 11.1.5 and later 11.1 releases) Suspend the nonleader node.
      1. Access the CLI on the nonleader node.
      2. >request cluster node state suspend
        The suspension takes approximately 120 seconds (the default delay value).
    27. (PAN-OS 11.1.5 and later 11.1 releases) Confirm the nonleader node is suspended.
      1. >show cluster nodes
    28. (PAN-OS 11.1.5 and later 11.1 releases) Apply your MACsec profiles to the HSCI-A and HSCI-B ports.
      1. Select PanoramaFirewall Clusters and select Summary View.
      2. Select PA-Series or All Clusters.
      3. Select a Cluster Name to edit the cluster.
      4. Select Communications.
      5. Select hsci-a and enter the Key Server Priority in the range from 0 to 255; the default is 16. The lower the value, the higher the priority of the Key Server.
        If the priority values for the HSCI-A links on the two nodes are equal, the node with the lower MAC address is the Key Server. The Key Server (one of the nodes in the cluster) selects and advertises a cipher suite, and also generates the SAK from the CAK.
      6. For Crypto Profile, select the MACsec crypto profile you created or select the default profile.
      7. For Pre Shared Key Profile, select the profile you created.
      8. Select hsci-b and perform the same steps to assign a Key Server Priority and apply the crypto profile and pre-shared key Profile to the port.
      9. Click OK.
    29. (PAN-OS 11.1.5 and later 11.1 releases) Commit, Commit to Panorama, and Commit.
    30. (PAN-OS 11.1.5 and later 11.1 releases) Push to Devices and Push , which enables MACsec on the ports.
    31. (PAN-OS 12.1.2 and later 12.1 releases) (Optional) If you renamed the MACsec key profile or replaced the MACsec pre-shared key and your commit fails, select Edit Selections and perform the following substeps:
      1. If you need to push a device group configuration, perform these next three substeps. Select the Device Groups tab. Select the affected device group or groups. Select Include Device and Network Templates. Select Include Firewalls Clusters.
      2. Select the Templates tab and deselect the affected template.
      3. Select the Firewall Clusters tab. Deselect Filter Selected. Deselect the affected cluster.
      4. If you need to push the template configuration, perform these next three substeps. Select the Device Groups tab and deselect the affected device group.
      5. Select the Templates tab and select the affected template. Select Include Firewall Clusters.
      6. Select the Firewall Clusters tab. Deselect Filter Selected. Deselect the affected cluster.
      7. Now that you have edited the selections, repeat Steps 29 and 30 to commit and push your changes.
    32. (PAN-OS 11.1.5 and later 11.1 releases) Confirm MACsec is enabled on both ports.
      1. Access the CLI.
      2. >show macsec mka session interface hsci-a
      3. >show macsec mka session interface hsci-b
    33. (PAN-OS 11.1.5 and later 11.1 releases) Unsuspend the nonleader node.
      1. Access the CLI on the nonleader node.
      2. >request cluster node state unsuspend
        It takes a few minutes to unsuspend the nonleader node; the length of time depends on the traffic level.
    34. (PAN-OS 11.1.5 and later 11.1 releases) Verify that both nodes are online.
      1. >show cluster nodes
    35. (PAN-OS 11.1.7 and later 11.1 releases) (Optional) Enable multiple virtual systems for the firewalls in the template.
      1. Select DeviceVirtual Systems and select the Template by name.
      2. For Mode, select Multi VSYS.
    36. Create Security policy rules.
      1. Select Policies and select the Device Group.
      2. Create Security policy rules to control access, such as allowing a specific source zone, destination zone, address, user, device, application, and service.
    37. Configure routing and other features your firewalls require (except for HA). Refer to the PAN-OS Administrator's Guide and the PAN-OS Networking Administrator's Guide.
    38. Configure system monitoring for the NGFW cluster.
      1. Select PanoramaFirewall ClustersSummary View and select a cluster or a single firewall in the cluster.
      2. Select System Monitoring.
      3. Select the State Upon Capacity Loss:
        • degraded—Specifies that the firewall will be in a DEGRADED state if the count of functional network cards or data processing cards goes below the configured Minimum Network Cards or Minimum Data Processing Cards, respectively. Furthermore:
          • A cluster node in DEGRADED state has traffic ports down, but is still a part of the sharded (fragmented) member table.
          • Data processing card resources of a DEGRADED cluster node can be used to process traffic and for Layer 7 processing.
          • A cluster node in INIT or ONLINE state transitions to DEGRADED state when a soft fault is reported to the cluster node state machine.
          • A cluster node in ONLINE state transitions to DEGRADED state (and a node in DEGRADED state remains in DEGRADED state) if you suspend the cluster node after a delay (using the CLI operational command: request cluster node state suspend). A delay allows data planes to gracefully complete Layer 7 processing or other processes that were underway.
          • If all soft faults are cleared, the cluster node transitions to INIT state.
          • If a hard fault occurs, a cluster node in DEGRADED state transitions to FAILED state.
          • A cluster node in DEGRADED state transitions to SUSPENDED state if the maximum number of state flaps is seen or you suspend the cluster node.
          • If a chassis has no functional data processing cards remaining (all DPC slots are powered off or in a FAILED state), the cluster node state will be FAILED, even if you configured degraded, because having no functional DPC is a hard fault.
        • failed—Specifies that the firewall will be in a FAILED state if the count of functional network cards or data processing cards goes below the configured Minimum Network Cards or Minimum Data Processing Cards, respectively. Furthermore:
          • A cluster node in FAILED state has traffic ports down and isn't part of the sharded member table.
          • Data processing card resources of a FAILED cluster node can't be used to process traffic or for Layer 7 processing.
          • A cluster node in INIT, ONLINE, or DEGRADED state transitions to FAILED state when a hard fault is reported to the cluster node state machine.
          • A cluster node in FAILED state transitions to INIT state if all hard faults are cleared.
          • A cluster node in FAILED state transitions to SUSPENDED state if the maximum number of state flaps is seen or you suspend the cluster node.
        NGFW Clusters provides a list of hard faults and soft faults.
      4. In the Minimum Chassis Capacity Required section, enter the Minimum Network Cards required; range is 1 to 7, default is 1. When fewer Network Cards than the configured value are functional, the firewall in the cluster goes to the State Upon Capacity Loss that you configured (degraded or failed).
      5. Enter the Minimum Data Processing Cards required; range is 1 to 7, default is 1. When fewer Data Processing Cards than the configured value are functional, the firewall in the cluster goes to the State Upon Capacity Loss that you configured (degraded or failed).
      6. Click OK.
    39. (Optional) Configure Log Forwarding for the PA-7500 Series firewall.
    40. Push the configuration from Panorama to the firewalls in the cluster.
      1. Commit and Commit and Push and Commit.
      2. Commit and Push to Devices, Push All Changes, select the cluster, and Push the configuration to both nodes.
    41. (PAN-OS 11.1.7 and later 11.1 releases) If you enabled multiple virtual systems for the Panorama device template, enable multiple virtual systems for an individual firewall.
      1. Log on to an individual firewall (not Panorama).
      2. Select DeviceSetupManagement.
      3. In General Settings, select Multi Virtual System Capability.
      4. Click OK.
      5. Repeat this step for the other firewall in the cluster.
    42. View NGFW cluster information for an individual firewall on its Dashboard.
      1. Log on to an individual firewall (not Panorama).
      2. Select Dashboard and for Widgets, select System Firewall Cluster to view the Firewall Cluster card, which displays the Cluster Name and Node ID.
    43. View NGFW Cluster Summary and Monitoring information and health for the cluster.

    © 2026 Palo Alto Networks, Inc. All rights reserved.