To set up active/active HA on your firewalls, you need a pair of firewalls that meet the following requirements:

The same model—The firewalls in the pair must be of the same hardware model.

The same PAN-OS version—The firewalls must be running the same PAN-OS version and must each be up-to-date on the application, URL, and threat databases.

The same multi virtual system capability—Both firewalls must have Multi Virtual System Capability either enabled or not enabled. When enabled, each firewall requires its own multiple virtual

The same type of interfaces—Dedicated HA links, or a combination of the management port and in-band ports that are set to interface type HA.

The HA interfaces must be configured with static IP addresses only, not IP addresses obtained from DHCP (except AWS can use DHCP addresses). Determine the IP address for the HA1 (control) connection between the HA peers. The HA1 IP address for the peers must be on the same subnet if they are directly connected or are connected to the same

For firewalls without dedicated HA ports, you can use the management port for the control connection. Using the management port provides a direct communication link between the management planes on both firewalls. However, because the management ports will not be directly cabled between the peers, make sure that you have a route that connects these two interfaces across your network.

If you use Layer 3 as the transport method for the HA2 (data) connection, determine the IP address for the HA2 link. Use Layer 3 only if the HA2 connection must communicate over a routed network. The IP subnet for the HA2 links must not overlap with that of the HA1 links or with any other subnet assigned to the data ports on the firewall.

Each firewall needs a dedicated interface for the HA3 link. The PA-7000 Series, PA-5450, and PA-3200 Series firewalls use the HSCI port for HA3. The PA-5200 Series firewalls can use the HSCI port for HA3, or you can configure aggregate interfaces on the dataplane ports for HA3 for redundancy. On the remaining platforms, you can configure aggregate interfaces on dataplane ports as the HA3 link.

The same set of licenses—Licenses are unique to each firewall and cannot be shared between the firewalls. Therefore, you must license both firewalls identically. If both firewalls do not have an identical set of licenses, they cannot synchronize configuration information and maintain parity for a seamless failover.

If you have an existing firewall and you want to add a new firewall for HA purposes and the new firewall has an existing configuration, it is recommended that you Reset the Firewall to Factory Default Settings on the new firewall. This will ensure that the new firewall has a clean configuration. After HA is configured, you will then sync the configuration on the primary firewall to the newly introduced firewall with the clean config. You will also have to configure local IP addresses.
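The requirements above can be checked before the pair is cabled. The following pre-flight validator is an added example (not Palo Alto Networks code and not output of any PAN-OS API); the Firewall record, its field names and the sample values are constructed for illustration, and a non-empty result means the pair does not yet qualify.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass
class Firewall:
    """Constructed description of one HA peer (hypothetical fields, not PAN-OS data)."""
    name: str
    model: str                    # hardware model, e.g. "PA-5220"
    panos: str                    # PAN-OS version string
    multi_vsys: bool              # Multi Virtual System Capability enabled?
    licenses: FrozenSet[str]      # installed license names
    ha1_ip: str                   # HA1 (control) address in CIDR form
    ha1_dhcp: bool                # True if HA1 address came from DHCP
    ha2_ip: Optional[str]         # HA2 (data) address in CIDR form when Layer 3 transport is used
    data_subnets: Tuple[str, ...] # subnets assigned to dataplane ports
    aws: bool = False             # AWS deployments may use DHCP on the HA interfaces


def check_ha_pair(a: Firewall, b: Firewall, directly_connected: bool = True) -> List[str]:
    """Return the list of prerequisite violations for an active/active pair (empty = OK)."""
    problems: List[str] = []
    if a.model != b.model:
        problems.append(f"model mismatch: {a.model} vs {b.model}")
    if a.panos != b.panos:
        problems.append(f"PAN-OS version mismatch: {a.panos} vs {b.panos}")
    if a.multi_vsys != b.multi_vsys:
        problems.append("multi virtual system capability differs between peers")
    if a.licenses != b.licenses:
        problems.append(f"license sets differ: {sorted(a.licenses ^ b.licenses)}")
    for fw in (a, b):
        if fw.ha1_dhcp and not fw.aws:            # static addresses only, except on AWS
            problems.append(f"{fw.name}: HA1 address must be static, not DHCP")
    ha1_net_a = ipaddress.ip_interface(a.ha1_ip).network
    ha1_net_b = ipaddress.ip_interface(b.ha1_ip).network
    if directly_connected and ha1_net_a != ha1_net_b:
        problems.append("HA1 peers are directly connected but not on the same subnet")
    for fw in (a, b):
        if fw.ha2_ip is None:                     # HA2 over Layer 2 needs no IP planning
            continue
        ha2_net = ipaddress.ip_interface(fw.ha2_ip).network
        if ha2_net.overlaps(ipaddress.ip_interface(fw.ha1_ip).network):
            problems.append(f"{fw.name}: HA2 subnet {ha2_net} overlaps the HA1 subnet")
        for subnet in fw.data_subnets:
            if ha2_net.overlaps(ipaddress.ip_network(subnet)):
                problems.append(f"{fw.name}: HA2 subnet {ha2_net} overlaps data subnet {subnet}")
    return problems
```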