To set up active/active HA on your firewalls, you need a pair of
firewalls that meet the following requirements:
The same model—The firewalls in the pair must be of the same
hardware model.
The same PAN-OS version—The firewalls must be running the same PAN-OS
version and must each be up-to-date on the application, URL, and
threat databases.
The same multi virtual system capability—Both firewalls must have
Multi Virtual System Capability enabled or not enabled. When enabled,
each firewall requires its own multiple virtual systems licenses.
The same type of interfaces—Dedicated HA links, or a combination of
the management port and in-band ports that are
The HA interfaces must be configured with static IP addresses only,
not IP addresses obtained from DHCP (except AWS can use DHCP
addresses). Determine the IP address for the HA1 (control) connection
between the HA peers. The HA1 IP addresses of the peers must be on the
same subnet if they are directly connected or are connected to the
same switch. On firewalls without dedicated HA ports, you can use the
management port for the control connection. Using the management port
provides a direct communication link between the management planes on
both firewalls. However, because the management ports will not be
directly cabled between the peers, make sure that you have a route
that connects these two interfaces across your network.
If you use Layer 3 as the transport method for the HA2 (data)
connection, determine the IP address for the HA2 link. Use Layer 3
only if the HA2 connection must communicate over a routed network.
The IP subnet for the HA2 links must not overlap with that of the HA1
links or with any other subnet assigned to the data ports on the
firewalls.
Each firewall needs a dedicated interface for the HA3 link. PA-7000
Series firewalls use the HSCI port. On the remaining platforms, you
can configure aggregate interfaces as the HA3 link for redundancy.
The same set of licenses—Licenses are unique to each firewall and
cannot be shared between the firewalls. Therefore, you must license
both firewalls identically. If the two firewalls do not have an
identical set of licenses, they cannot synchronize configuration
information and maintain parity for a seamless failover.
If you have an existing firewall and you want to add a new firewall
for HA purposes and the new firewall has an existing configuration,
it is recommended that you Reset the Firewall to Factory Default
Settings on the new firewall. This ensures that the new firewall has
a clean configuration. After HA is configured, you then sync the
configuration from the primary firewall to the newly introduced
firewall with the clean config. You will also have to configure local
IP addresses.
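As an added pre-deployment check that is not part of the PAN-OS documentation, the following Python script evaluates a candidate pair against the requirements above: matching hardware model, PAN-OS version, multi-vsys setting and license set; static HA1 addresses (DHCP tolerated only on AWS) that share a subnet when the peers are directly connected; and an HA2 subnet that overlaps neither HA1 nor any data-port subnet. The peer records, model and version strings, and addresses are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Peer:
    """One firewall of a prospective HA pair (fields hold constructed sample data)."""
    model: str           # hardware model (placeholder string, not a real SKU)
    panos: str           # PAN-OS version (placeholder string)
    multi_vsys: bool     # Multi Virtual System Capability enabled?
    licenses: frozenset  # installed license set
    ha1_ip: str          # HA1 (control) address in CIDR form, e.g. "10.1.1.1/24"
    ha1_dhcp: bool       # True if the HA1 address was obtained from DHCP
    ha2_ip: str          # HA2 (data) address in CIDR form
    data_subnets: tuple  # subnets assigned to the firewall's data ports


def check_ha_pair(a, b, ha1_direct=True, on_aws=False):
    """Return the list of active/active HA requirement violations (empty = pair qualifies)."""
    problems = []
    if a.model != b.model:
        problems.append("hardware model mismatch")
    if a.panos != b.panos:
        problems.append("PAN-OS version mismatch")
    if a.multi_vsys != b.multi_vsys:
        problems.append("multi virtual system capability mismatch")
    if a.licenses != b.licenses:
        problems.append("license sets differ; configuration cannot be synchronized")
    for name, p in (("peer-a", a), ("peer-b", b)):
        if p.ha1_dhcp and not on_aws:  # DHCP on HA1 is only acceptable on AWS
            problems.append(f"{name}: HA1 must use a static IP address, not DHCP")
        ha1 = ipaddress.ip_interface(p.ha1_ip).network
        ha2 = ipaddress.ip_interface(p.ha2_ip).network
        others = [ha1] + [ipaddress.ip_network(s) for s in p.data_subnets]
        if any(ha2.overlaps(n) for n in others):  # HA2 subnet must be disjoint from HA1 and data ports
            problems.append(f"{name}: HA2 subnet overlaps HA1 or a data-port subnet")
    a1 = ipaddress.ip_interface(a.ha1_ip).network
    b1 = ipaddress.ip_interface(b.ha1_ip).network
    if ha1_direct and a1 != b1:  # directly connected / same-switch peers share the HA1 subnet
        problems.append("directly connected HA1 peers must be on the same subnet")
    return problems


# Constructed sample pairs: GOOD_A/GOOD_B satisfy every rule; BAD_B drops a
# license, takes its HA1 address from DHCP, and puts HA2 inside a data subnet.
LIC = frozenset({"threat-prevention", "url-filtering"})
GOOD_A = Peer("PA-SAMPLE", "VERSION-X", False, LIC, "10.1.1.1/24", False, "10.1.2.1/24", ("192.168.10.0/24",))
GOOD_B = Peer("PA-SAMPLE", "VERSION-X", False, LIC, "10.1.1.2/24", False, "10.1.2.2/24", ("192.168.10.0/24",))
BAD_B = Peer("PA-SAMPLE", "VERSION-X", False, LIC - {"url-filtering"}, "10.1.1.2/24", True,
             "192.168.10.5/24", ("192.168.10.0/24",))
```

Run `check_ha_pair(GOOD_A, GOOD_B)` for an empty list and `check_ha_pair(GOOD_A, BAD_B)` to see the three violations reported.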