Panorama > Firewall Clusters
Configure and view CN-Series and PA-Series clusters.
- Panorama > Firewall Clusters
(Available on CN-Series and PA-7500 Series Firewalls Only) Create and configure
a CN-Series or PA-Series firewall cluster, view the cluster summary, and monitor health
information in Panorama under Firewall
Clusters. Only PA-7500 Series firewalls support PA-Series firewall
clusters.
You must install a Panorama Clustering plugin version (that is
compatible with the PAN-OS version) from Device > Plugins to view the cluster details under Firewall
Clusters.
Create and Edit a Firewall Cluster
Select Create Cluster to create a cluster and specify the
type; click OK. Then select the cluster to access the Edit Cluster screen, where you
select the members and further configure the cluster.
To control which clusters are displayed for editing, in the
Clusters field, select CN-Series,
PA-Series, or All Clusters.
Field | Description |
---|---|
Cluster Name | Enter a cluster name containing zero or more alphanumeric characters, underscores (_), hyphens (-), dots (.), or spaces. |
Cluster Type | Select the type of cluster: CN (CN-Series cluster) or PA (PA-Series cluster, which is an NGFW cluster). |
Description | Enter a description of the cluster. |
Group ID | Enter a Group ID in the range 1 to 63; default is 1. The Group ID helps differentiate MAC addresses when two HA pairs (or an HA pair and an NGFW cluster) in the same Layer 2 network share MAC addresses. |
Members | Select the members of the cluster. For a PA-Series cluster: |
General | |
Device | (PA-Series Clusters only) Device serial number; not configurable. |
ID | (PA-Series Clusters only) Node ID (1 or 2); not configurable. The node that you select first when selecting cluster members automatically becomes Node 1. |
Communications | |
(PA-Series Clusters only) [Reserved for future use.] | |
Inter Firewall Link (PAN-OS 11.1.5 and later releases) | (PA-Series Clusters only) Select hsci-a to apply the Key Server Priority, Crypto Profile, and Pre Shared Key to that link. Then select hsci-b to apply the Key Server Priority, Crypto Profile, and Pre Shared Key to that link. |
Key Server Priority (PAN-OS 11.1.5 and later releases) | (PA-Series Clusters only) Enter the priority of the key server in the range from 0 to 255; default is 16. The lower the value, the higher the priority of the Key Server. If the priority values for the HSCI-A links on the two nodes are equal, the node with the lower MAC address is the Key Server. The same is true of the priority values for the HSCI-B links. The Key Server (one of the nodes in the cluster) selects and advertises a cipher suite, and also generates the SAK from the CAK. |
Crypto Profile (PAN-OS 11.1.5 and later releases) | (PA-Series Clusters only) Select the MACsec Crypto Profile you created or select the default profile. |
Pre Shared Key Profile (PAN-OS 11.1.5 and later releases) | (PA-Series Clusters only) Select the Pre Shared Key profile you created. |
System Monitoring | |
State Upon Capacity Loss | (PA-Series Clusters only) Select one of the following: |
Minimum Network Cards | (PA-Series Clusters only) Minimum number of network cards required to be functional; range is 1 to 7, default is 1. If the cluster drops below this minimum, the cluster state transitions to the State Upon Capacity Loss that you configured (degraded or failed). |
Minimum Data Processing Cards | (PA-Series Clusters only) Minimum number of data processing cards required to be functional; range is 1 to 7, default is 1. If the cluster drops below this minimum, the cluster state transitions to the State Upon Capacity Loss that you configured (degraded or failed). |
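The field ranges and the Key Server selection rule from the table above can be checked before a commit and push. The following is an added example, not Palo Alto Networks code: `LinkSettings`, `validate_cluster`, and `elect_key_server` are hypothetical names, "alphanumeric" is assumed to mean ASCII letters and digits, and the MAC addresses are constructed.

```python
import re
from dataclasses import dataclass

# Assumption: "alphanumeric" means ASCII letters and digits.
NAME_RE = re.compile(r"[A-Za-z0-9_.\- ]*")

@dataclass(frozen=True)
class LinkSettings:
    """Hypothetical record: one node's settings on one HSCI link."""
    node_id: int        # 1 or 2
    mac: str            # link MAC address (constructed values below)
    priority: int = 16  # Key Server Priority, documented default

def validate_cluster(name, group_id=1, min_network_cards=1, min_dp_cards=1):
    """Return the documented range violations for the cluster fields."""
    errors = []
    if not NAME_RE.fullmatch(name):
        errors.append("Cluster Name: alphanumerics, _ - . and spaces only")
    if not 1 <= group_id <= 63:
        errors.append("Group ID: range is 1 to 63")
    if not 1 <= min_network_cards <= 7:
        errors.append("Minimum Network Cards: range is 1 to 7")
    if not 1 <= min_dp_cards <= 7:
        errors.append("Minimum Data Processing Cards: range is 1 to 7")
    return errors

def mac_to_int(mac):
    """Turn 'aa:bb:cc:dd:ee:ff' into an integer for comparison."""
    digits = mac.replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return int(digits, 16)

def elect_key_server(a, b):
    """Lower priority value wins; on a tie the lower MAC address wins."""
    for s in (a, b):
        if not 0 <= s.priority <= 255:
            raise ValueError(f"node {s.node_id}: priority range is 0 to 255")
    return min((a, b), key=lambda s: (s.priority, mac_to_int(s.mac)))

if __name__ == "__main__":
    # Constructed sample: equal priorities on hsci-a, explicit priority on hsci-b.
    links = {
        "hsci-a": (LinkSettings(1, "02:00:00:00:01:0a"),
                   LinkSettings(2, "02:00:00:00:01:02")),
        "hsci-b": (LinkSettings(1, "02:00:00:00:02:0a", priority=8),
                   LinkSettings(2, "02:00:00:00:02:02")),
    }
    print(validate_cluster("dc1_cluster-a.01", group_id=2) or "fields OK")
    for link, (n1, n2) in links.items():
        print(link, "key server: node", elect_key_server(n1, n2).node_id)
```

Because the election is evaluated per link, hsci-a and hsci-b can end up with different Key Servers when the priorities or MAC addresses differ between the two links.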
Summary View
View CN-Series and PA-Series firewall cluster summary.
View the information about the CN-Series or PA-Series clusters captured by the firewall in the
last five minutes. Click the refresh button to load the latest details.
The cluster plugin visibility data is not in real time; it's
delayed by a maximum of five minutes.
Field | Description |
---|---|
Cluster Name | Name of the firewall cluster. |
Software Version | PAN-OS version. |
Plugins Used on the Cluster | List of plugins used on the cluster. |
Template Stack | Name of the template stack associated with the cluster. |
Device Group | Name of the device group associated with the cluster. |
Cluster State | (CN-Series cluster only) Displays whether the cluster is impacted or not. (PA-Series cluster only) Displays the health of the cluster, which is derived from Node Status of all nodes in the cluster. Cluster state will be: |
Cluster Type | Type of cluster (CN or PA). |
Members Affected | Number of impacted cluster members and their names. |
System Log Details | Details of the system events. |
Specific Error | List of specific errors in the cluster. Click the link to view more details about the error under Monitor > Logs > System where you can view logs. |
Pod Name | (CN-Series cluster only) Name of the pod. |
CPU Count | Number of CPUs used. |
Config Sync Status | (PA-Series Clusters only) Config synchronization status between Panorama and the firewalls in the PA cluster. Status can be In Sync or Out of Sync. After you successfully add firewalls to the cluster, commit, and push, the Config Sync Status displays as In Sync. |
Last Commit State | (PA-Series Clusters only) State of the last attempted commit: |
Node Sync Status | (PA-Series Clusters only) Synchronization status of the Node Flow Table: |
Node Status | (PA-Series Clusters only) Possible status (states) of a cluster node: |
Monitoring
View CN-Series and PA-Series firewall cluster monitoring information.
View the CN-Series or PA-Series firewall cluster health information.
The cluster plugin visibility data is not in real
time.
Field | Description |
---|---|
Managed Software Cluster | Select a firewall cluster. |
Impacted | List of impacted firewall clusters. Click to view detailed information about the clusters in the Interconnect Status and Cluster Utilization dashboards. |
OK | List of firewall clusters that are not impacted. Click to view detailed information about the clusters in the Interconnect Status and Cluster Utilization dashboards. |
Interconnect Status | View the cluster interconnect details for a selected time frame. Select Last 5 Mins to view the following details. Selecting any time frame other than Last 5 Mins displays the following information only. |
Cluster Utilization | View the firewall cluster throughput, memory, and data utilization. |