To set up high availability on your Palo Alto Networks
firewalls, you need a pair of firewalls that meet the following
The same model
firewalls in the pair must be of the same hardware model or virtual
The same PAN-OS version
—Both the firewalls should
be running the same PAN-OS version and must each be up-to-date on
the application, URL, and threat databases.
The same multi virtual system capability—Both firewalls must
Multi Virtual System Capability
enabled or not enabled. When enabled, each firewall requires its
own multiple virtual systems licenses.
The same type of interfaces
—Dedicated HA links, or
a combination of the management port and in-band ports that are
set to interface type HA.
Determine the IP address for the HA1 (control) connection
between the HA peers. The HA1 IP address for both peers must be
on the same subnet if they are directly connected or are connected to
the same switch.
For firewalls without dedicated HA ports,
you can use the management port for the control connection. Using
the management port provides a direct communication link between
the management planes on both firewalls. However, because the management
ports will not be directly cabled between the peers, make sure that
you have a route that connects these two interfaces across your
If you use Layer 3 as the transport method for the HA2 (data)
connection, determine the IP address for the HA2 link. Use Layer
3 only if the HA2 connection must communicate over a routed network. The
IP subnet for the HA2 links must not overlap with that of the HA1
links or with any other subnet assigned to the data ports on the
The same set of licenses
—Licenses are unique to each
firewall and cannot be shared between the firewalls. Therefore,
you must license both firewalls identically. If both firewalls do
not have an identical set of licenses, they cannot synchronize configuration
information and maintain parity for a seamless failover.
As a best practice, if you have an existing
firewall and you want to add a new firewall for HA purposes and
the new firewall has an existing configuration Reset
the Firewall to Factory Default Settings on the new firewall.
This ensures that the new firewall has a clean configuration. After
HA is configured, you will then sync the configuration on the primary
firewall to the newly introduced firewall with the clean configuration.