End-of-Life (EoL)
To configure Panorama in HA, you need a pair of identical Panorama servers, each of which meets the following requirements:

The same form factor — Must both be hardware-based appliances (M-Series appliances) or virtual appliances. The M-Series appliances must be the same model: both M-100 appliances or both M-500 appliances. For HA, the M-Series appliances must be in Panorama mode; M-Series appliances in Log Collector mode do not support HA.

The same Panorama OS version — Must run the same Panorama version to synchronize configuration information and maintain parity for a seamless failover.

The same set of licenses — Must have the same firewall management capacity license.

(Panorama virtual appliance only) Unique serial number — Must have unique serial numbers; if the serial number is the same for both Panorama instances, they will be in suspended mode until you resolve the issue.
The Panorama servers in the HA configuration are peers, and you can use either one (active or passive) to centrally manage the firewalls and Log Collectors, with a few exceptions (see Synchronization Between Panorama HA Peers). The HA peers use the management port to synchronize the configuration elements pushed to the managed firewalls and Log Collectors and to maintain state information.

Typically, Panorama HA peers are located at geographically different sites, so you need to make sure that the management port IP address assigned to each peer is routable through your network. HA connectivity uses TCP port 28 with encryption enabled. If encryption is not enabled, ports 28769 and 28260 are used for HA connectivity and to synchronize configuration between the HA peers.

We recommend less than 500 ms latency between the peers. To determine the latency, use Ping during a period of normal traffic.
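
The prerequisites above can be checked before pairing with a short preflight script. This is an added example, not Palo Alto Networks code: the record field names, the sample peers, and the ping summary line are hypothetical values constructed for illustration, and it assumes a Linux/macOS-style ping summary.

```python
import re

MAX_LATENCY_MS = 500  # recommended ceiling between peers, from the text above

def ha_ports(encryption_enabled):
    """TCP ports to permit between the peers' management interfaces."""
    return [28] if encryption_enabled else [28769, 28260]

def avg_rtt_ms(ping_output):
    """Average RTT from a Linux/macOS ping summary line, or None if absent."""
    m = re.search(r"= [\d.]+/([\d.]+)/", ping_output)
    return float(m.group(1)) if m else None

def check_pair(a, b, ping_output):
    """Return the list of HA prerequisite violations for two peer records."""
    problems = []
    if a["form_factor"] != b["form_factor"]:
        problems.append("form factor differs")
    elif a["form_factor"] == "m-series":
        if a["model"] != b["model"]:
            problems.append("M-Series models differ")
        for p in (a, b):
            if p["mode"] != "panorama":
                problems.append(f"{p['name']} is not in Panorama mode")
    elif a["serial"] == b["serial"]:  # uniqueness applies to virtual appliances
        problems.append("virtual appliances share a serial number (peers will suspend)")
    if a["version"] != b["version"]:
        problems.append("Panorama versions differ")
    if a["capacity_license"] != b["capacity_license"]:
        problems.append("firewall management capacity licenses differ")
    rtt = avg_rtt_ms(ping_output)
    if rtt is None:
        problems.append("no latency measurement")
    elif rtt >= MAX_LATENCY_MS:
        problems.append(f"average latency {rtt} ms is not below {MAX_LATENCY_MS} ms")
    return problems

# Constructed sample records and ping summary (hypothetical fields, not real devices).
PRIMARY = {"name": "pan-a", "form_factor": "virtual", "model": None, "mode": "panorama",
           "version": "X.Y.Z", "capacity_license": 100, "serial": "SERIAL-PLACEHOLDER-1"}
SECONDARY = dict(PRIMARY, name="pan-b", version="X.Y.W")  # same serial, other version
PING = "rtt min/avg/max/mdev = 41.2/612.5/903.1/120.4 ms"

if __name__ == "__main__":
    for problem in check_pair(PRIMARY, SECONDARY, PING):
        print("FAIL:", problem)
    print("permit TCP", ha_ports(encryption_enabled=True), "between management IPs")
```

The port list returned by `ha_ports` is what the path between the two management IP addresses has to permit; any other port between the peers is outside what this page requires for HA.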
