Set Up HA on Panorama

Set up connectivity between the MGT ports on the HA peers.
The Panorama peers communicate with each other using the MGT port. Make sure that the IP addresses you assign to the MGT port on the Panorama servers in the HA pair are routable and that the peers can communicate with each other across your network. To set up the MGT port, see Perform Initial Configuration of the Panorama Virtual Appliance or Perform Initial Configuration of the M-Series Appliance.
Pick a Panorama peer in the pair and complete the remaining tasks.
Enable HA and (optionally) enable encryption for the HA connection.
Select
Panorama
High Availability
and edit the
Setup
section.
Select
Enable HA
.
In the
Peer HA IP Address
field, enter the IP address assigned to the peer Panorama.
In the
Peer HA Serial
field, enter the serial number of the peer Panorama.
Enter the Panorama HA peer serial number to reduce your attack surface against brute force attacks on the Panorama IP.
In the
Monitor Hold Time
field, enter the length of time (milliseconds) that the system will wait before acting on a control link failure (range is 1000-60000, default is 3000).
If you do not want encryption, clear the
Encryption Enabled
check box and click
OK
: no more steps are required. If you do want encryption, select the
Encryption Enabled
check box, click
OK
, and perform the following tasks:
Select
Panorama
Certificate Management
Certificates
.
Select
Export HA key
. Save the HA key to a network location that the peer Panorama can access.
On the peer Panorama, navigate to
Panorama
Certificate Management
Certificates
, select
Import HA key
, browse to the location where you saved the key, and import it.
Set the HA priority.
In
Panorama
High Availability
, edit the
Election Settings
section.
Define the
Device Priority
as
Primary
or
Secondary
. Make sure to set one peer as primary and the other as secondary.
If both peers have the same priority setting, the peer with the higher serial number will be placed in a suspended state.
Define the
Preemptive
behavior. By default preemption is enabled. The preemption selection—enabled or disabled—must be the same on both peers.
If you are using an NFS for logging and you have disabled preemption, to resume logging to the NFS see Switch Priority after Panorama Failover to Resume NFS Logging.
To configure path monitoring, define one or more path groups.
The path group lists the destination IP addresses (nodes) that Panorama must ping to verify network connectivity.
Perform the following steps for each path group that includes the nodes that you want to monitor.
Select
Panorama
High Availability
and, in the Path Group section, click
Add
.
Enter a
Name
for the path group.
Select a
Failure Condition
for this group:
any
triggers a path monitoring failure if any one of the IP addresses becomes unreachable.
all
triggers a path monitoring failure only when none of the IP addresses are reachable.
Add
each destination IP address you want to monitor.
Click
OK
. The Path Group section displays the new group.
(
Optional
) Select the failure condition for path monitoring on Panorama.
Select
Panorama
High Availability
and edit the Path Monitoring section.
Select a
Failure Condition
:
all
triggers a failover only when all monitored path groups fail.
any
triggers a failover when any monitored path group fails.
Click
OK
.
Commit your configuration changes.
Select
Commit
Commit to Panorama
and
Commit
your changes.
Configure the other Panorama peer.
Repeat Step 2 through Step 6 on the other peer in the HA pair.
Synchronize the Panorama peers.
Access the
Dashboard
on the active Panorama and select
Widgets
System
High Availability
to display the HA widget.
Sync to peer
, click
Yes
, and wait for the
Running Config
to display
Synchronized
.
Access the
Dashboard
on the passive Panorama and select
Widgets
System
High Availability
to display the HA widget.
Verify that the
Running Config
displays
Synchronized
.
(
Optional
) Set Up Authentication Using Custom Certificates Between HA Peers.
You must configure the Secure Communication Settings for both Panorama HA peers. Configuring Secure Communication Settings for Panorama in HA configuration does not impact HA connectivity between the HA peers. However, functionality that goes over the Secure Communication link may fail if the Secure Communication Settings are configured incorrectly, or if the HA peer or managed firewalls do not have the correct certificate, or have an expired certificate.
All traffic on the link established by configuring the Secure Communication Settings is always encrypted.
If you configure Secure Communication Settings for Panorama in a HA configuration, it is required to
Customize Secure Server Communication
as well. Otherwise, managed firewalls and WildFire appliances are unable to connect to Panorama and PAN-OS functionality is impacted.