Panorama > Firewall Clusters
Table of Contents
11.1
Expand all | Collapse all
-
- Firewall Overview
- Features and Benefits
- Last Login Time and Failed Login Attempts
- Message of the Day
- Task Manager
- Language
- Alarms
- Commit Changes
- Save Candidate Configurations
- Revert Changes
- Lock Configurations
- Global Find
- Threat Details
- AutoFocus Intelligence Summary
- Configuration Table Export
- Change Boot Mode
-
- Objects > Addresses
- Objects > Address Groups
- Objects > Regions
- Objects > Dynamic User Groups
- Objects > Application Groups
- Objects > Application Filters
- Objects > Services
- Objects > Service Groups
- Objects > Devices
- Objects > External Dynamic Lists
- Objects > Custom Objects > Spyware/Vulnerability
- Objects > Custom Objects > URL Category
- Objects > Security Profiles > Antivirus
- Objects > Security Profiles > Anti-Spyware Profile
- Objects > Security Profiles > Vulnerability Protection
- Objects > Security Profiles > File Blocking
- Objects > Security Profiles > WildFire Analysis
- Objects > Security Profiles > Data Filtering
- Objects > Security Profiles > DoS Protection
- Objects > Security Profiles > Mobile Network Protection
- Objects > Security Profiles > SCTP Protection
- Objects > Security Profile Groups
- Objects > Log Forwarding
- Objects > Authentication
- Objects > Packet Broker Profile
- Objects > Schedules
-
-
- Firewall Interfaces Overview
- Common Building Blocks for Firewall Interfaces
- Common Building Blocks for PA-7000 Series Firewall Interfaces
- Tap Interface
- HA Interface
- Virtual Wire Interface
- Virtual Wire Subinterface
- PA-7000 Series Layer 2 Interface
- PA-7000 Series Layer 2 Subinterface
- PA-7000 Series Layer 3 Interface
- Layer 3 Interface
- Layer 3 Subinterface
- Log Card Interface
- Log Card Subinterface
- Decrypt Mirror Interface
- Aggregate Ethernet (AE) Interface Group
- Aggregate Ethernet (AE) Interface
- Network > Interfaces > VLAN
- Network > Interfaces > Loopback
- Network > Interfaces > Tunnel
- Network > Interfaces > SD-WAN
- Network > Interfaces > PoE
- Network > Interfaces > Cellular
- Network > Interfaces > Fail Open
- Network > VLANs
- Network > Virtual Wires
-
- Network > Routing > Logical Routers > General
- Network > Routing > Logical Routers > Static
- Network > Routing > Logical Routers > OSPF
- Network > Routing > Logical Routers > OSPFv3
- Network > Routing > Logical Routers > RIPv2
- Network > Routing > Logical Routers > BGP
- Network > Routing > Logical Routers > Multicast
-
- Network > Routing > Routing Profiles > BGP
- Network > Routing > Routing Profiles > BFD
- Network > Routing > Routing Profiles > OSPF
- Network > Routing > Routing Profiles > OSPFv3
- Network > Routing > Routing Profiles > RIPv2
- Network > Routing > Routing Profiles > Filters
- Network > Routing > Routing Profiles > Multicast
- Network > Proxy
-
- Network > Network Profiles > GlobalProtect IPSec Crypto
- Network > Network Profiles > IPSec Crypto
- Network > Network Profiles > IKE Crypto
- Network > Network Profiles > Monitor
- Network > Network Profiles > Interface Mgmt
- Network > Network Profiles > QoS
- Network > Network Profiles > LLDP Profile
- Network > Network Profiles > SD-WAN Interface Profile
- Network > Network Profiles > MACsec Profile
-
-
- Device > Setup
- Device > Setup > Management
- Device > Setup > Interfaces
- Device > Setup > Telemetry
- Device > Setup > Content-ID
- Device > Setup > WildFire
- Device > Setup > ACE
- Device > Setup > DLP
- Device > Log Forwarding Card
- Device > Config Audit
- Device > Administrators
- Device > Admin Roles
- Device > Access Domain
- Device > Authentication Sequence
- Device > IoT Security > DHCP Server Log Ingestion
- Device > Device Quarantine
-
- Security Policy Match
- QoS Policy Match
- Authentication Policy Match
- Decryption/SSL Policy Match
- NAT Policy Match
- Policy Based Forwarding Policy Match
- DoS Policy Match
- Routing
- Test Wildfire
- Threat Vault
- Ping
- Trace Route
- Log Collector Connectivity
- External Dynamic List
- Update Server
- Test Cloud Logging Service Status
- Test Cloud GP Service Status
- Device > Virtual Systems
- Device > Shared Gateways
- Device > Certificate Management
- Device > Certificate Management > Certificate Profile
- Device > Certificate Management > OCSP Responder
- Device > Certificate Management > SSL/TLS Service Profile
- Device > Certificate Management > SCEP
- Device > Certificate Management > SSL Decryption Exclusion
- Device > Certificate Management > SSH Service Profile
- Device > Response Pages
- Device > Server Profiles
- Device > Server Profiles > SNMP Trap
- Device > Server Profiles > Syslog
- Device > Server Profiles > Email
- Device > Server Profiles > HTTP
- Device > Server Profiles > NetFlow
- Device > Server Profiles > RADIUS
- Device > Server Profiles > SCP
- Device > Server Profiles > TACACS+
- Device > Server Profiles > LDAP
- Device > Server Profiles > Kerberos
- Device > Server Profiles > SAML Identity Provider
- Device > Server Profiles > DNS
- Device > Server Profiles > Multi Factor Authentication
- Device > Local User Database > Users
- Device > Local User Database > User Groups
- Device > Scheduled Log Export
- Device > Software
- Device > Dynamic Updates
- Device > Licenses
- Device > Support
- Device > Policy Recommendation > IoT
- Device > Policy > Recommendation SaaS
- Device > Policy Recommendation > IoT or SaaS > Import Policy Rule
-
- Device > User Identification > Connection Security
- Device > User Identification > Terminal Server Agents
- Device > User Identification > Group Mapping Settings
- Device > User Identification> Trusted Source Address
- Device > User Identification > Authentication Portal Settings
- Device > User Identification > Cloud Identity Engine
-
- Network > GlobalProtect > MDM
- Network > GlobalProtect > Clientless Apps
- Network > GlobalProtect > Clientless App Groups
- Objects > GlobalProtect > HIP Profiles
-
- Use the Panorama Web Interface
- Context Switch
- Panorama Commit Operations
- Defining Policies on Panorama
- Log Storage Partitions for a Panorama Virtual Appliance in Legacy Mode
- Panorama > Setup > Interfaces
- Panorama > High Availability
- Panorama > Firewall Clusters
- Panorama > Administrators
- Panorama > Admin Roles
- Panorama > Access Domains
- Panorama > Device Groups
- Panorama > Plugins
- Panorama > Log Ingestion Profile
- Panorama > Log Settings
- Panorama > Server Profiles > SCP
- Panorama > Scheduled Config Export
- Panorama > Device Registration Auth Key
Panorama > Firewall Clusters
Configure and view CN-Series and PA-Series clusters.
- PanoramaFirewall Clusters
(Available on CN-Series and PA-7500 Series Firewalls Only) Create and configure
a CN-Series or PA-Series firewall cluster, view the cluster summary, and monitor health
information in Panorama under Firewall
Clusters. Only PA-7500 Series firewalls support PA-Series firewall
clusters.
You must install a Panorama Clustering plugin version (that is
compatible with the PAN-OS version) from DevicePlugins to view the cluster details under Firewall
Clusters.
Create and Edit a Firewall Cluster
Select Create Cluster to create a cluster and specify the
type; click OK. Then select the cluster to access the Edit Cluster screen, where you
select the members and further configure the cluster.
To control which clusters are displayed for editing, in the
Clusters field, select CN-Series,
PA-Series, or All Clusters.
Field | Description |
---|---|
Cluster Name
|
Enter a cluster name containing zero or more alphanumeric
characters, underscores (_), hyphens (-), dots (.), or
spaces.
|
Cluster Type
|
Select the type of cluster: CN (CN-Series
cluster) or PA (PA-Series cluster, which
is an NGFW cluster).
|
Description
|
Enter a description of the cluster.
|
Group ID
|
Enter a Group ID in the range 1 to 63; default is 1. The Group ID
helps differentiate MAC addresses when two HA pairs (or an HA
pair and an NGFW cluster) in the same Layer 2 network share MAC
addresses.
|
Members
|
Select the members of the cluster
For a PA-Series cluster:
|
General
| |
Device
|
(PA-Series Clusters only) Device serial number; not
configurable.
|
ID
|
(PA-Series Clusters only) Node ID (1 or 2); not
configurable. The node that you select first when selecting
cluster members automatically becomes Node 1.
|
Communications
| |
Inter Firewall Link
(PAN-OS 11.1.5 and later releases)
|
(PA-Series Clusters only) Select
hsci-a to apply the Key Server
Priority, Crypto Profile, and Pre Shared Key to that link. Then
select hsci-b to apply the Key Server
Priority, Crypto Profile, and Pre Shared Key to that link.
|
Key Server Priority
(PAN-OS 11.1.5 and later releases)
|
(PA-Series Clusters only) Enter the priority of the key
server in the range from 0 to 255; default is 16. The lower the
value, the higher the priority of the Key Server.
If the priority values for the HSCI-A
links on the two nodes are equal, the node with the lower MAC
address is the Key Server. The same is true of the priority
values for the HSCI-B links. The Key Server (one of the nodes in
the cluster) selects and advertises a cipher suite, and also
generates the SAK from the CAK. |
Crypto Profile
(PAN-OS 11.1.5 and later releases)
|
(PA-Series Clusters only) Select the MACsec Crypto
Profile you created or select the default
profile.
|
Pre Shared Key Profile
(PAN-OS 11.1.5 and later releases)
|
(PA-Series Clusters only) Select the Pre Shared Key
profile you created.
|
System Monitoring
| |
State Upon Capacity Loss
|
(PA-Series Clusters only) Select one of the
following:
|
Minimum Network Cards
|
(PA-Series Clusters only) Minimum number of network
cards required to be functional; range is 1 to 7, default is 1.
If the cluster drops below this minimum, the cluster state
transitions to the State Upon Capacity Loss that you configured
(degraded or failed).
|
Minimum Data Processing Cards
|
(PA-Series Clusters only) Minimum number of data
processing cards required to be functional; range is 1 to 7,
default is 1. If the cluster drops below this minimum, the
cluster state transitions to the State Upon Capacity Loss that
you configured (degraded or failed).
|
Summary View
View CN-Series and PA-Series firewall cluster summary.
View the information about the CN-Series or PA-Series clusters captured by the firewall in the
last five minutes. Click the refresh button to load the latest details.
The cluster plugin visibility data is not in real time; it's
delayed by a maximum of five minutes.
Field | Description |
---|---|
Cluster Name | Name of the firewall cluster. |
Software Version | PAN-OS version. |
Plugins Used on the Cluster | List of plugins used on the cluster. |
Template Stack | Name of the template stack associated with
the cluster. |
Device Group | Name of the device group associated with
the cluster. |
Cluster State |
(CN-Series cluster only) Displays whether the cluster is
impacted or not.
(PA-Series cluster only) Displays the health of the
cluster, which is derived from Node Status of all nodes in the
cluster. Cluster state will be:
|
Cluster Type | Type of cluster (CN or PA). |
Members Affected | Number of impacted cluster members and their names. |
System Log Details | Details of the system events. |
Specific Error | List of specific errors in the cluster.
Click the link to view more details about the error under MonitorLogsSystem where
you can view logs. |
Pod Name
| (CN-Series cluster only) Name of the pod. |
CPU Count
|
Number of CPUs used.
|
Config Sync Status
|
(PA-Series Clusters only) Config synchronization status
between Panorama and the firewalls in the PA cluster. Status can
be In Sync or Out of Sync. After you successfully add firewalls
to the cluster, commit, and push, the Config Sync Status
displays as In Sync.
|
Last Commit State
|
(PA-Series Clusters only) State of the last attempted
commit:
|
Node Sync Status
|
(PA-Series Clusters only) Synchronization status of the
Node Flow Table:
|
Node Status
|
(PA-Series Clusters only) Possible status (states) of a
cluster node:
|
Monitoring
View CN-Series and PA-Series firewall cluster monitoring information.
View the CN-Series or PA-Series firewall cluster health information.
The cluster plugin visibility data is not in real
time.
Field | Description |
---|---|
Managed Software Cluster
|
Select a firewall cluster.
|
Impacted | List of impacted firewall clusters.
Click to view detailed information about the clusters in the
Interconnect Status and
Cluster Utilization dashboards. |
OK | List of firewall clusters that are not impacted.
Click to view detailed information about the clusters in the
Interconnect Status and
Cluster Utilization dashboards. |
Interconnect Status | View the cluster interconnect details for a selected time frame. Select Last 5 Mins to view the following details.
Selecting any time frame other than Last 5 Mins displays the following
information only.
|
Cluster Utilization | View the firewall cluster throughput, memory, and data utilization.
|