To configure Panorama in HA, you require a pair of identical Panorama servers with the following requirements on each:

The same form factor—The peers must be the same model and mode: both M-600 appliances, M-500 appliances, M-200 appliances, or Panorama virtual appliances on AWS, Azure, GCP, and ESXi in Panorama mode, Management Only mode, or Legacy mode (ESXi and vCloud Air only). Panorama appliances in Log Collector mode do not support HA.

The same Panorama OS version—The peers must run the same Panorama version to synchronize configuration information and maintain parity for a seamless failover.

The same set of licenses—The peers must have the same firewall management capacity license.

Panorama virtual appliance only—The peers must have unique serial numbers; if the serial number is the same for both Panorama instances, they will be in suspended mode until you resolve the issue.
The Panorama servers in the HA configuration are peers and you
can use either (active or passive) to centrally manage the firewalls,
Log Collectors, and WildFire appliances and appliance clusters,
with a few exceptions (see Synchronization
Between Panorama HA Peers). The HA peers use the management
(MGT) interface to synchronize the configuration elements pushed
to the managed firewalls, Log Collectors, and WildFire appliances
and appliance clusters to maintain state information. Typically,
Panorama HA peers are geographically located in different sites,
so you need to make sure that the MGT interface IP address assigned
to each peer is routable through your network. HA connectivity uses
TCP port 28 with encryption enabled. If encryption is not enabled,
ports 28769 and 28260 are used for HA connectivity and to synchronize
configuration between the HA peers. We recommend less than 500ms
latency between the peers. To determine the latency, use Ping during
a period of normal traffic.
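A pre-flight check that encodes the peer requirements and the connectivity guidance above, as an added example (not Palo Alto Networks code). It assumes the operator copies each peer's model, mode, software version, capacity license and serial number into a small dictionary (no Panorama API is called), and parses the `rtt min/avg/max/mdev` summary line that Linux `ping` prints to compare the average round-trip time against the 500 ms recommendation; the ping output and peer attributes below are constructed samples.

```python
"""Pre-flight validation for a prospective Panorama HA pair.

Added example, not Palo Alto Networks code. Peer attributes are supplied by the
operator; the ping output is a constructed sample of Linux ping's summary.
"""
import re
from typing import Dict, List, Optional

MAX_LATENCY_MS = 500.0  # recommended upper bound for MGT-to-MGT latency

# Constructed sample attributes for the two prospective peers. "virtual" marks a
# Panorama virtual appliance, where the serial-number check applies.
PEER_A = {"model": "M-600", "mode": "panorama", "sw_version": "10.2.4",
          "capacity_license": "1000 devices", "serial": "000000000001", "virtual": False}
PEER_B = {"model": "M-600", "mode": "panorama", "sw_version": "10.2.3",
          "capacity_license": "1000 devices", "serial": "000000000002", "virtual": False}

# Constructed sample of what `ping -c 5 <peer MGT IP>` prints on Linux.
SAMPLE_PING = """PING 10.2.1.10 (10.2.1.10) 56(84) bytes of data.
64 bytes from 10.2.1.10: icmp_seq=1 ttl=60 time=41.2 ms
64 bytes from 10.2.1.10: icmp_seq=2 ttl=60 time=43.0 ms

--- 10.2.1.10 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4005ms
rtt min/avg/max/mdev = 39.871/42.310/45.002/1.873 ms
"""


def ha_ports(encryption_enabled: bool) -> List[int]:
    """TCP ports that must be reachable between the peers' MGT interfaces."""
    return [28] if encryption_enabled else [28769, 28260]


def check_peer_requirements(a: Dict, b: Dict) -> List[str]:
    """Return every requirement violation found; an empty list means the pair qualifies."""
    problems: List[str] = []
    for peer, name in ((a, "peer A"), (b, "peer B")):
        if peer["mode"] == "log-collector":
            problems.append(f"{name} is in Log Collector mode, which does not support HA")
    # Same form factor: identical model and mode.
    for field, label in (("model", "model"), ("mode", "mode"),
                         ("sw_version", "Panorama version"),
                         ("capacity_license", "capacity license")):
        if a[field] != b[field]:
            problems.append(f"{label} mismatch: {a[field]} vs {b[field]}")
    # Virtual appliances only: duplicate serials leave both peers suspended.
    if (a["virtual"] or b["virtual"]) and a["serial"] == b["serial"]:
        problems.append("virtual appliances share a serial number; peers would stay suspended")
    return problems


_RTT_LINE = re.compile(r"rtt min/avg/max/mdev = ([\d.]+)/([\d.]+)/([\d.]+)/([\d.]+) ms")


def avg_latency_ms(ping_output: str) -> Optional[float]:
    """Average round-trip time from ping's summary line, or None if it is missing."""
    match = _RTT_LINE.search(ping_output)
    return float(match.group(2)) if match else None


def latency_ok(ping_output: str, limit_ms: float = MAX_LATENCY_MS) -> bool:
    """True when the measured average RTT is below the recommended limit."""
    avg = avg_latency_ms(ping_output)
    return avg is not None and avg < limit_ms


if __name__ == "__main__":
    for issue in check_peer_requirements(PEER_A, PEER_B) or ["peers satisfy the HA requirements"]:
        print(issue)
    print("ports to allow (encryption on):", ha_ports(True))
    print("ports to allow (encryption off):", ha_ports(False))
    print("average latency ms:", avg_latency_ms(SAMPLE_PING), "ok:", latency_ok(SAMPLE_PING))
```

Run the script with the two dictionaries filled in from each appliance before enabling HA; the sample pair above fails only on the version mismatch, which is the kind of discrepancy that otherwise surfaces as a failed configuration sync after the peers are joined.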