Learn about NGFW clustering of PA-7500 Series firewalls to provide node
redundancy.
Data centers need very high levels of network bandwidth and reliability. Beginning with
PAN-OS 11.1.3, PA-7500 Series firewalls support an NGFW cluster of two firewalls that
provide redundancy in the event of a link failure, card failure, or chassis failure.
The two firewalls in the NGFW cluster function in a new mode of operation to provide high
availability. The NGFW cluster blends the legacy HA active/active and active/passive
solutions into a single HA solution, reducing the complexity of multiple HA connections
(HA1, HA2, and HA3) to a single High Speed Chassis Interconnect (HSCI) connection. The
firewalls maintain a dual active data plane with a single active control plane.
Neighboring devices see the NGFW cluster as a single Layer 2 or Layer 3 device. The NGFW
cluster solution reduces failover time (compared to legacy HA), increases resiliency,
and supports a multichassis link aggregation group (MC-LAG). The graphic illustrates a
physical topology compared to a virtual topology.
The PA-7500 Series firewalls in a cluster are as easy to configure as an HA
active/passive pair, while providing the benefits of an active/active solution
with extremely fast failover time (less than one second). Configuration through Panorama
contributes to the ease of implementation. The pair of firewalls in the NGFW cluster
increases port availability, requires fewer IP addresses (there are no floating IP
addresses), and relies on open standards. NGFW clustering easily integrates with
Layer 3 and virtual wire devices, including those running in a Cisco vPC, Arista MLAG,
and Juniper QFX.
The goal of the two firewalls in the NGFW cluster is redundancy; the supported capacity
of the pair is one node, not two nodes. The session capacity and all control plane
functions remain the same as a single standalone device. The PA-7500 Next-Gen Firewall Hardware Reference
provides hardware information.