To enable high availability (HA) on Panorama, configure the following settings.

| Panorama HA Setting | Description |
| --- | --- |
| Setup | Click Edit to configure the following settings. |
| Enable HA | Select this option to enable HA. |
| Peer HA IP Address | Enter the IP address of the MGT interface on the peer. |
| Enable Encryption | When enabled, the MGT interface encrypts communication between the HA peers. Before enabling encryption, export the HA key from each HA peer and import the key into the other peer. You perform key imports and exports on the Panorama > Certificate Management > Certificates page (see Manage Firewall and Panorama Certificates). HA connectivity uses TCP port 28 when encryption is enabled and TCP port 28769 when encryption is not enabled. |
| Monitor Hold Time (ms) | Enter the number of milliseconds that the system will wait before acting on a control link failure (range is 1,000–60,000; default is 3,000). |
| Election Settings | Click Edit to configure the following settings. |
| Priority (required on the Panorama virtual appliance) | Assign one peer as Primary and the other as Secondary in the HA pair. This setting determines which peer is the primary recipient for firewall logs. When you configure log storage partitions for a Panorama virtual appliance, you can use its internal disk (default) or a Network File System (NFS) for log storage. If you configure an NFS, only the primary recipient receives the firewall logs. If you configure internal disk storage, the firewalls send logs to both the primary and the secondary recipient by default, though you can change this by configuring the Logging and Reporting Settings. |
| Preemptive | Select this option to enable the primary Panorama to resume active operation after recovering from a failure. If this setting is off, the secondary Panorama remains active even after the primary Panorama recovers from a failure. |
| HA Timer Settings | Your selection determines the values for the remaining HA election settings, which control the failover speed. Recommended: select this option for typical (default) failover timer settings; to see the associated values, select Advanced and Load Recommended. Aggressive: select this option for faster failover timer settings; to see the associated values, select Advanced and Load Aggressive. Advanced: selecting this option displays the remaining HA election settings so you can customize their values. See the fields below for the Recommended and Aggressive values. |
| Promotion Hold Time (ms) | Enter the number of milliseconds (range is 0–60,000) the secondary Panorama peer will wait before taking over after the primary peer goes down. The recommended (default) value is 2,000; the aggressive value is 500. |
| Hello Interval (ms) | Enter the number of milliseconds (range is 8,000–60,000) between the hello packets sent to verify that the other peer is operational. The recommended (default) and aggressive value is 8,000. |
| Heartbeat Interval (ms) | Specify the frequency in milliseconds (range is 1,000–60,000) at which Panorama sends ICMP pings to the HA peer. The recommended (default) value is 2,000; the aggressive value is 1,000. |
| Preemption Hold Time (min) | This field applies only if you also select Preemptive. Enter the number of minutes (range is 1–60) the passive Panorama peer will wait before falling back to active status after it recovers from an event that caused failover. The recommended (default) and aggressive value is 1. |
| Monitor Fail Hold Up Time (ms) | Specify the number of milliseconds (range is 0–60,000) Panorama waits after a path monitor failure before attempting to re-enter the passive state. During this period, the passive peer is not available to take over for the active peer in the event of failure. This interval enables Panorama to avoid a failover due to the occasional flapping of neighboring devices. The recommended (default) and aggressive value is 0. |
| Additional Master Hold Up Time (ms) | Specify the number of milliseconds (range is 0–60,000) during which the preempting peer remains in the passive state before taking over as the active peer. The recommended (default) value is 7,000; the aggressive value is 5,000. |
| Path Monitoring | Click Edit to configure HA path monitoring. |
| Enabled | Select this option to enable path monitoring. Path monitoring enables Panorama to monitor specified destination IP addresses by sending ICMP ping messages to verify that they are responsive. |
| Failure Condition | Select whether a failover occurs when Any or All of the monitored path groups fail to respond. |
| Path Group | To create a path group for HA path monitoring, click Add and complete the following fields. |
| Name | Specify a name for the path group. |
| Enabled | Select this option to enable the path group. |
| Failure Condition | Select whether a failure occurs when Any or All of the specified destination addresses fail to respond. |
| Ping Interval | Specify the number of milliseconds between the ICMP echo messages that verify that the path to the destination IP address is up (range is 1,000–60,000; default is 5,000). |
| Ping Count | Specify the number of failed pings before declaring a failure (range is 3–10; default is 3). |
| Destination IPs | Enter one or more destination IP addresses to monitor. Use commas to separate multiple addresses. |
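
The ranges and the encryption setting above can be checked mechanically before a change is committed. The following is an added example, not Palo Alto Networks code: it audits a dictionary of HA settings against the documented ranges, flags unencrypted HA traffic, and returns the TCP port the peers will use. The dictionary key names and the sample values are assumptions made for illustration, not PAN-OS configuration identifiers.

```python
# Added example: audit Panorama HA settings against the documented ranges.
# Key names are hypothetical; they are not PAN-OS configuration identifiers.
import ipaddress

# (min, max) from the settings described above; milliseconds unless noted.
RANGES = {
    "monitor_hold_time": (1000, 60000),
    "promotion_hold_time": (0, 60000),
    "hello_interval": (8000, 60000),
    "heartbeat_interval": (1000, 60000),
    "preemption_hold_time_min": (1, 60),   # minutes
    "monitor_fail_hold_up_time": (0, 60000),
    "additional_master_hold_up_time": (0, 60000),
    "ping_interval": (1000, 60000),
    "ping_count": (3, 10),                 # failed pings, not ms
}

def audit_ha(cfg):
    """Return (findings, ha_tcp_port) for one peer's HA settings."""
    findings = []
    for key, (lo, hi) in RANGES.items():
        if key in cfg and not lo <= cfg[key] <= hi:
            findings.append(f"{key}={cfg[key]} outside {lo}-{hi}")
    encrypted = cfg.get("enable_encryption", False)
    if not encrypted:
        findings.append("HA traffic between MGT interfaces is not encrypted")
    if "preemption_hold_time_min" in cfg and not cfg.get("preemptive", False):
        findings.append("preemption_hold_time_min set but preemptive is off")
    for ip in cfg.get("destination_ips", "").split(","):
        if ip.strip():
            try:
                ipaddress.ip_address(ip.strip())
            except ValueError:
                findings.append(f"invalid destination IP: {ip.strip()}")
    # Port the management-network ACL between the two peers must allow.
    return findings, (28 if encrypted else 28769)

# Constructed sample input (documentation-range addresses, one malformed).
SAMPLE = {
    "enable_encryption": False, "monitor_hold_time": 3000,
    "hello_interval": 5000, "preemptive": False,
    "preemption_hold_time_min": 1, "ping_interval": 5000, "ping_count": 3,
    "destination_ips": "192.0.2.1, 192.0.2.300",
}

if __name__ == "__main__":
    findings, port = audit_ha(SAMPLE)
    print(port, *findings, sep="\n")
```

Restricting the MGT-to-MGT access list to the single returned port also makes a silent change of the encryption setting visible as a connectivity failure.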
