Set Up HA on Panorama
Review the Panorama HA Prerequisites before performing the following steps.
If you configure Secure Communication Settings between Panorama HA peers, the Panorama HA peers use the specified custom certificate to authenticate one another. Otherwise, the Panorama HA peers use the predefined certificate for authentication.
Regardless of which certificate the Panorama HA peers use to authenticate their communication, neither option affects the ability of the Panorama HA peers to communicate with one another.
- Set up connectivity between the MGT ports on the HA peers.
  The Panorama peers communicate with each other using the MGT port. Make sure that the IP addresses you assign to the MGT port on the Panorama servers in the HA pair are routable and that the peers can communicate with each other across your network. To set up the MGT port, see Perform Initial Configuration of the Panorama Virtual Appliance or Perform Initial Configuration of the M-Series Appliance.
  Pick a Panorama peer in the pair and complete the remaining tasks.
- Enable HA and (optionally) enable encryption for the HA connection.
  - Select Panorama > High Availability and edit the Setup section.
  - Select Enable HA.
  - In the Peer HA IP Address field, enter the IP address assigned to the peer Panorama.
  - In the Peer HA Serial field, enter the serial number of the peer Panorama. Entering the serial number of the HA peer reduces your attack surface against brute-force attacks on the Panorama IP address.
  - In the Monitor Hold Time field, enter the length of time (in milliseconds) that the system waits before acting on a control link failure (range is 1000-60000; default is 3000).
  - If you do not want encryption, clear the Encryption Enabled check box and click OK; no more steps are required. If you do want encryption, select the Encryption Enabled check box, click OK, and perform the following tasks:
    - Select Panorama > Certificate Management > Certificates.
    - Select Export HA key. Save the HA key to a network location that the peer Panorama can access.
    - On the peer Panorama, navigate to Panorama > Certificate Management > Certificates, select Import HA key, browse to the location where you saved the key, and import it.
- Set the HA priority.
  - In Panorama > High Availability, edit the Election Settings section.
  - Define the Device Priority as Primary or Secondary. Make sure to set one peer as primary and the other as secondary. If both peers have the same priority setting, the peer with the higher serial number will be placed in a suspended state.
  - Define the Preemptive behavior. By default, preemption is enabled. The preemption selection (enabled or disabled) must be the same on both peers. If you are using an NFS for logging and you have disabled preemption, see Switch Priority after Panorama Failover to Resume NFS Logging to resume logging to the NFS.
- To configure path monitoring, define one or more path groups.
  The path group lists the destination IP addresses (nodes) that Panorama must ping to verify network connectivity. Perform the following steps for each path group that includes the nodes that you want to monitor.
  - Select Panorama > High Availability and, in the Path Group section, click Add.
  - Enter a Name for the path group.
  - Select a Failure Condition for this group:
    - any triggers a path monitoring failure if any one of the IP addresses becomes unreachable.
    - all triggers a path monitoring failure only when none of the IP addresses are reachable.
  - Add each destination IP address you want to monitor.
  - Click OK. The Path Group section displays the new group.
- (Optional) Select the failure condition for path monitoring on Panorama.
  - Select Panorama > High Availability and edit the Path Monitoring section.
  - Select a Failure Condition:
    - all triggers a failover only when all monitored path groups fail.
    - any triggers a failover when any monitored path group fails.
  - Click OK.
- Commit your configuration changes.
  Select Commit > Commit to Panorama and Commit your changes.
- Synchronize the Panorama peers.
  - Access the Dashboard on the active Panorama and select Widgets > System > High Availability to display the HA widget.
  - Click Sync to peer, click Yes, and wait for the Running Config to display Synchronized.
  - Access the Dashboard on the passive Panorama and select Widgets > System > High Availability to display the HA widget.
  - Verify that the Running Config displays Synchronized.
- You must configure the Secure Communication Settings for both Panorama HA peers. Configuring Secure Communication Settings for Panorama in an HA configuration does not impact HA connectivity between the HA peers. However, functionality that goes over the Secure Communication link may fail if the Secure Communication Settings are configured incorrectly, or if the HA peer or managed firewalls do not have the correct certificate or have an expired certificate. All traffic on the link established by configuring the Secure Communication Settings is always encrypted. If you configure Secure Communication Settings for Panorama in an HA configuration, you must also Customize Secure Server Communication. Otherwise, managed firewalls and WildFire appliances are unable to connect to Panorama and PAN-OS functionality is impacted.
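The two-level failure conditions described in the path group and Path Monitoring steps above, modeled as an added example (not Palo Alto Networks code) so you can check how a given set of ping results would be evaluated before committing a configuration; the group names, addresses and ping results are constructed, and an address with no ping result is treated as unreachable by assumption.

```python
"""Model of Panorama HA path-monitoring failure conditions (added example,
not Palo Alto Networks code).  A path group fails by its own condition
("any": any node unreachable; "all": no node reachable).  Panorama then
declares a path-monitoring failure by its condition over the groups
("any": any group failed; "all": every group failed)."""
from dataclasses import dataclass, field


@dataclass
class PathGroup:
    name: str
    failure_condition: str                      # "any" or "all", as in the Path Group dialog
    nodes: list = field(default_factory=list)   # destination IPs Panorama pings

    def failed(self, reachable: dict) -> bool:
        """True when this group's failure condition is met.

        `reachable` maps destination IP -> bool (ping succeeded).  An address
        missing from the map counts as unreachable (assumption of this model)."""
        states = [reachable.get(ip, False) for ip in self.nodes]
        if self.failure_condition == "any":
            return not all(states)              # any one node unreachable
        if self.failure_condition == "all":
            return not any(states)              # no node reachable
        raise ValueError(f"unknown failure condition {self.failure_condition!r}")


def path_monitoring_failed(groups, panorama_condition: str, reachable: dict) -> bool:
    """Panorama-level decision (Path Monitoring section) over all groups."""
    results = [g.failed(reachable) for g in groups]
    if panorama_condition == "any":
        return any(results)                     # any group failed -> failover
    if panorama_condition == "all":
        return all(results)                     # every group failed -> failover
    raise ValueError(f"unknown failure condition {panorama_condition!r}")


# Constructed sample: two path groups using documentation (RFC 5737) addresses.
GROUPS = [
    PathGroup("core-gw", "any", ["192.0.2.1", "192.0.2.2"]),
    PathGroup("dns", "all", ["198.51.100.10", "198.51.100.11"]),
]

# Constructed ping results: one core gateway down, one DNS server down.
SAMPLE_REACHABLE = {
    "192.0.2.1": True, "192.0.2.2": False,
    "198.51.100.10": True, "198.51.100.11": False,
}

if __name__ == "__main__":
    for cond in ("any", "all"):
        print(f"Panorama condition {cond}: failover =",
              path_monitoring_failed(GROUPS, cond, SAMPLE_REACHABLE))
```

With the sample results, the "any" group fails (one gateway is down) while the "all" group does not (one DNS server still answers), so Panorama fails over only if its own condition is "any".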