Set Up HA on Panorama
Table of Contents
Expand all | Collapse all
-
- Determine Panorama Log Storage Requirements
-
- Setup Prerequisites for the Panorama Virtual Appliance
- Perform Initial Configuration of the Panorama Virtual Appliance
- Set Up The Panorama Virtual Appliance as a Log Collector
- Set Up the Panorama Virtual Appliance with Local Log Collector
- Set up a Panorama Virtual Appliance in Panorama Mode
- Set up a Panorama Virtual Appliance in Management Only Mode
-
- Preserve Existing Logs When Adding Storage on Panorama Virtual Appliance in Legacy Mode
- Add a Virtual Disk to Panorama on an ESXi Server
- Add a Virtual Disk to Panorama on vCloud Air
- Add a Virtual Disk to Panorama on Alibaba Cloud
- Add a Virtual Disk to Panorama on AWS
- Add a Virtual Disk to Panorama on Azure
- Add a Virtual Disk to Panorama on Google Cloud Platform
- Add a Virtual Disk to Panorama on KVM
- Add a Virtual Disk to Panorama on Hyper-V
- Add a Virtual Disk to Panorama on Oracle Cloud Infrastructure (OCI)
- Mount the Panorama ESXi Server to an NFS Datastore
-
- Increase CPUs and Memory for Panorama on an ESXi Server
- Increase CPUs and Memory for Panorama on vCloud Air
- Increase CPUs and Memory for Panorama on Alibaba Cloud
- Increase CPUs and Memory for Panorama on AWS
- Increase CPUs and Memory for Panorama on Azure
- Increase CPUs and Memory for Panorama on Google Cloud Platform
- Increase CPUs and Memory for Panorama on KVM
- Increase CPUs and Memory for Panorama on Hyper-V
- Increase the CPUs and Memory for Panorama on Oracle Cloud Infrastructure (OCI)
- Complete the Panorama Virtual Appliance Setup
-
- Convert Your Evaluation Panorama to a Production Panorama with Local Log Collector
- Convert Your Evaluation Panorama to a Production Panorama without Local Log Collector
- Convert Your Evaluation Panorama to VM-Flex Licensing with Local Log Collector
- Convert Your Evaluation Panorama to VM-Flex Licensing without Local Log Collector
- Convert Your Production Panorama to an ELA Panorama
-
- Register Panorama
- Activate a Panorama Support License
- Activate/Retrieve a Firewall Management License when the Panorama Virtual Appliance is Internet-connected
- Activate/Retrieve a Firewall Management License when the Panorama Virtual Appliance is not Internet-connected
- Activate/Retrieve a Firewall Management License on the M-Series Appliance
- Install the Panorama Device Certificate
- Install the Device Certificate for a Dedicated Log Collector
-
- Migrate from a Panorama Virtual Appliance to an M-Series Appliance
- Migrate a Panorama Virtual Appliance to a Different Hypervisor
- Migrate from an M-Series Appliance to a Panorama Virtual Appliance
- Migrate from an M-100 Appliance to an M-500 Appliance
- Migrate from an M-100 or M-500 Appliance to an M-200 or M-600 Appliance
-
- Configure an Admin Role Profile
- Configure an Access Domain
-
- Configure a Panorama Administrator Account
- Configure Local or External Authentication for Panorama Administrators
- Configure a Panorama Administrator with Certificate-Based Authentication for the Web Interface
- Configure an Administrator with SSH Key-Based Authentication for the CLI
- Configure RADIUS Authentication for Panorama Administrators
- Configure TACACS+ Authentication for Panorama Administrators
- Configure SAML Authentication for Panorama Administrators
- Configure Tracking of Administrator Activity
-
- Add a Firewall as a Managed Device
-
- Add a Device Group
- Create a Device Group Hierarchy
- Create Objects for Use in Shared or Device Group Policy
- Revert to Inherited Object Values
- Manage Unused Shared Objects
- Manage Precedence of Inherited Objects
- Move or Clone a Policy Rule or Object to a Different Device Group
- Push a Policy Rule to a Subset of Firewalls
- Device Group Push to a Multi-VSYS Firewall
- Manage the Rule Hierarchy
- Manage the Master Key from Panorama
- Schedule a Configuration Push to Managed Firewalls
- Redistribute Data to Managed Firewalls
-
- Plan the Transition to Panorama Management
- Migrate a Firewall to Panorama Management and Reuse Existing Configuration
- Migrate a Firewall to Panorama Management and Push a New Configuration
- Migrate a Firewall HA Pair to Panorama Management and Reuse Existing Configuration
- Migrate a Firewall HA Pair to Panorama Management and Push a New Configuration
- Load a Partial Firewall Configuration into Panorama
- Localize a Panorama Pushed Configuration on a Managed Firewall
-
- Configure a Managed Collector
- Configure Log Forwarding to Panorama
- Configure Syslog Forwarding to External Destinations
- Forward Logs to Strata Logging Service
- Verify Log Forwarding to Panorama
- Modify Log Forwarding and Buffering Defaults
- Configure Log Forwarding from Panorama to External Destinations
-
- Add Standalone WildFire Appliances to Manage with Panorama
- Remove a WildFire Appliance from Panorama Management
-
-
- Configure a Cluster and Add Nodes on Panorama
- Configure General Cluster Settings on Panorama
- Remove a Cluster from Panorama Management
- Configure Appliance-to-Appliance Encryption Using Predefined Certificates Centrally on Panorama
- Configure Appliance-to-Appliance Encryption Using Custom Certificates Centrally on Panorama
- View WildFire Cluster Status Using Panorama
-
-
- Preview, Validate, or Commit Configuration Changes
- Enable Automated Commit Recovery
- Compare Changes in Panorama Configurations
- Manage Locks for Restricting Configuration Changes
- Add Custom Logos to Panorama
- Use the Panorama Task Manager
- Reboot or Shut Down Panorama
- Configure Panorama Password Profiles and Complexity
-
-
- Verify Panorama Port Usage
- Resolve Zero Log Storage for a Collector Group
- Replace a Failed Disk on an M-Series Appliance
- Replace the Virtual Disk on an ESXi Server
- Replace the Virtual Disk on vCloud Air
- Migrate Logs to a New M-Series Appliance in Log Collector Mode
- Migrate Logs to a New M-Series Appliance in Panorama Mode
- Migrate Logs to a New M-Series Appliance Model in Panorama Mode in High Availability
- Migrate Logs to the Same M-Series Appliance Model in Panorama Mode in High Availability
- Migrate Log Collectors after Failure/RMA of Non-HA Panorama
- Regenerate Metadata for M-Series Appliance RAID Pairs
- View Log Query Jobs
- Troubleshoot Registration or Serial Number Errors
- Troubleshoot Reporting Errors
- Troubleshoot Device Management License Errors
- Troubleshoot Automatically Reverted Firewall Configurations
- View Task Success or Failure Status
- Generate a Stats Dump File for a Managed Firewall
- Recover Managed Device Connectivity to Panorama
- Restore an Expired Device Certificate
Set Up HA on Panorama
Review the Panorama HA Prerequisites before
performing the following steps.
If you configure Secure
Communication Settings between Panorama HA peers,
the Panorama HA peers use the custom certificate specified for authentication one
another. Otherwise, the Panorama HA peers use the predefined certificate
for authentication.
Regardless of how you configure the Panorama
HA peers to authenticate communication, neither will impact the
ability for the Panorama HA peers to communicate with one another.
- Set up connectivity between the MGT ports on the HA peers.The Panorama peers communicate with each other using the MGT port. Make sure that the IP addresses you assign to the MGT port on the Panorama servers in the HA pair are routable and that the peers can communicate with each other across your network. To set up the MGT port, see Perform Initial Configuration of the Panorama Virtual Appliance or Perform Initial Configuration of the M-Series Appliance.Pick a Panorama peer in the pair and complete the remaining tasks.Enable HA and (optionally) enable encryption for the HA connection.
- Select PanoramaHigh Availability and edit the Setup section.Select Enable HA.In the Peer HA IP Address field, enter the IP address assigned to the peer Panorama.In the Peer HA Serial field, enter the serial number of the peer Panorama.Entering the Panorama HA peer serial number reduces your attack surface against brute force attacks on the Panorama IP.In the Monitor Hold Time field, enter the length of time (milliseconds) that the system will wait before acting on a control link failure (range is 1000-60000, default is 3000).If you do not want encryption, clear the Encryption Enabled check box and click OK: no more steps are required. If you do want encryption, select the Encryption Enabled check box, click OK, and perform the following tasks:
- Select PanoramaCertificate ManagementCertificates.
- Select Export HA key. Save the HA key to a network location that the peer Panorama can access.
- On the peer Panorama, navigate to PanoramaCertificate ManagementCertificates, select Import HA key, browse to the location where you saved the key, and import it.
Set the HA priority.- In PanoramaHigh Availability, edit the Election Settings section.Define the Device Priority as Primary or Secondary. Make sure to set one peer as primary and the other as secondary.If both peers have the same priority setting, the peer with the higher serial number will be placed in a suspended state.Define the Preemptive behavior. By default preemption is enabled. The preemption selection—enabled or disabled—must be the same on both peers.If you are using an NFS for logging and you have disabled preemption, to resume logging to the NFS see Switch Priority after Panorama Failover to Resume NFS Logging.To configure path monitoring, define one or more path groups.The path group lists the destination IP addresses (nodes) that Panorama must ping to verify network connectivity.Perform the following steps for each path group that includes the nodes that you want to monitor.
- Select PanoramaHigh Availability and, in the Path Group section, click Add.Enter a Name for the path group.Select a Failure Condition for this group:
- any triggers a path monitoring failure if any one of the IP addresses becomes unreachable.
- all triggers a path monitoring failure only when none of the IP addresses are reachable.
Add each destination IP address you want to monitor.Click OK. The Path Group section displays the new group.(Optional) Select the failure condition for path monitoring on Panorama.- Select PanoramaHigh Availability and edit the Path Monitoring section.Select a Failure Condition:
- all triggers a failover only when all monitored path groups fail.
- any triggers a failover when any monitored path group fails.
Click OK.Commit your configuration changes.Select CommitCommit to Panorama and Commit your changes.Configure the other Panorama peer.Synchronize the Panorama peers.- Access the Dashboard on the active Panorama and select WidgetsSystemHigh Availability to display the HA widget.Sync to peer, click Yes, and wait for the Running Config to display Synchronized.Access the Dashboard on the passive Panorama and select WidgetsSystemHigh Availability to display the HA widget.Verify that the Running Config displays Synchronized.(Optional) Set Up Authentication Using Custom Certificates Between HA Peers.You must configure the Secure Communication Settings for both Panorama HA peers. Configuring Secure Communication Settings for Panorama in HA configuration does not impact HA connectivity between the HA peers. However, functionality that goes over the Secure Communication link may fail if the Secure Communication Settings are configured incorrectly, or if the HA peer or managed firewalls do not have the correct certificate, or have an expired certificate.All traffic on the link established by configuring the Secure Communication Settings is always encrypted.If you configure Secure Communication Settings for Panorama in a HA configuration, it is required to Customize Secure Server Communication as well. Otherwise, managed firewalls and WildFire appliances are unable to connect to Panorama and PAN-OS functionality is impacted.