Configure HA Clustering
Table of Contents
Expand All
|
Collapse All
Next-Generation Firewall Docs
-
-
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
-
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
-
-
-
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)
Configure HA Clustering
Configure HA clustering on up to 16 firewalls to protect
against failure of data center communications or to achieve horizontal
scaling.
Learn about HA clustering and
follow the HA Clustering Best Practices and Provisioning before
you configure HA firewalls as members of a cluster.
- Establish an interface as an HA interface (to later assign as the HA4 link).
- Select NetworkInterfacesEthernet and select an interface; for example, ethernet1/1.Select the Interface Type to be HA.Click OK.Repeat this step to configure another interface to use as the HA4 backup link.Enable HA clustering.
- Select DeviceHigh AvailabilityGeneral and edit the Clustering Settings.Enable Cluster Participation.Enter the Cluster ID, a unique numeric ID for an HA cluster in which all members can share session state; range is 1 to 99.Enter a short, helpful Cluster Description.(Optional) Change Cluster Synchronization Timeout (min), which is the maximum number of minutes that the local firewall waits before going to Active state when another cluster member (for example, in unknown state) is preventing the cluster from fully synchronizing; range is 0 to 30; default is 0.(Optional) Change Monitor Fail Hold Down Time (min), which is the number of minutes after which a down link is retested to see if it is back up; range is 1 to 60; default is 1.Click OK.Configure the HA4 link.
- Select HA Communications and in the Clustering Links section, edit the HA4 section.Select the interface you configured in the first step as an HA interface to be the Port for the HA4 link; for example, ethernet1/1.Enter the IPv4/IPv6 Address of the local HA4 interface.Enter the Netmask.(Optional) Change the HA4 Keep-alive Threshold (ms) to specify the timeframe within which the firewall must receive keepalives from a cluster member to know that the cluster member is functional; range is 5,000 to 60,000; default is 10,000.Click OK.Configure the HA4 Backup link.
- Edit the HA4 Backup section.Select the other interface you configured in the first step as an HA interface to be the Port for the HA4 backup link.Enter the IPv4/IPv6 Address of the local HA4 backup interface.Enter the Netmask.Click OK.Specify all members of the HA cluster, including the local member and both HA peers in any HA pair.
- Select Cluster Config.(On a supported firewall) Add a peer member’s Device Serial Number.(On Panorama) Add and select a Device from the dropdown and enter a Device Name.Enter the HA4 IP Address of the HA peer in the cluster.Enter the HA4 Backup IP Address of the HA peer in the cluster.Enable Session Synchronization with the peer you identified.(Optional) Enter a helpful Description.Click OK.Select the device and Enable it.Define HA failover conditions with link and path monitoring.Commit.(Panorama only) Refresh the list of HA firewalls in the HA cluster.
- Under Templates, select DeviceHigh AvailabilityCluster Config.Click Refresh at the bottom of the screen.View HA cluster information in the UI.
- Select Dashboard.View the HA cluster fields. The top section displays cluster state and HA4 connections to provide cluster health at a glance. The HA4 and HA4 Backup indicators will be one of the following: Green indicates the link status of the cluster members is Up. Red indicates the link status of all the cluster members is Down. Yellow indicates the link status of some cluster members is Up while the status of other cluster members is Down. Grey indicates not configured. The center section displays the capacity of the local session table and session cache table so you can monitor how full the tables are and plan for firewall upgrades. The lower section displays communication errors on the HA4 and HA4 backup links, signifying possible problems with synchronizing information between members.Access the CLI to view HA cluster and HA4 link information and perform other HA clustering tasks.You can view HA cluster flap statistics. The cluster flap count is reset when the HA device moves from suspended to functional and vice versa. The cluster flap count also resets when the non-functional hold time expires.