End-of-Life (EoL)
Review the Panorama HA Prerequisites before performing the following steps:
Set Up HA on Panorama
Set up connectivity between the MGT ports on the HA peers. The Panorama peers communicate with each other using the MGT port. Make sure that the IP addresses you assign to the MGT port on the Panorama servers in the HA pair are routable and that the peers can communicate with each other across your network. To set up the MGT port, see Perform Initial Configuration of the Panorama Virtual Appliance or Perform Initial Configuration of the M-Series Appliance. Pick a Panorama peer in the pair and complete the remaining tasks.
Enable HA and (optionally) enable encryption for the HA connection. Select Panorama > High Availability and edit the Setup section. Select Enable HA. In the Peer HA IP Address field, enter the IP address assigned to the peer Panorama. In the Monitor Hold Time field, enter the length of time (milliseconds) that the system will wait before acting on a control link failure (range is 1000-60000, default is 3000). If you do not want encryption, clear the Encryption Enabled check box and click OK: no more steps are required. If you do want encryption, select the Encryption Enabled check box, click OK, and perform the following tasks: Select Panorama > Certificate Management > Certificates. Select Export HA key. Save the HA key to a network location that the peer Panorama can access. On the peer Panorama, navigate to Panorama > Certificate Management > Certificates, select Import HA key, browse to the location where you saved the key, and import it.
Set the HA priority. In Panorama > High Availability, edit the Election Settings section. Define the Device Priority as Primary or Secondary. Make sure to set one peer as primary and the other as secondary. If both peers have the same priority setting, the peer with the higher serial number will be placed in a suspended state. Define the Preemptive behavior. By default preemption is enabled. The preemption selection—enabled or disabled—must be the same on both peers. If you are using an NFS for logging and you have disabled preemption, to resume logging to the NFS see Switch Priority after Panorama Failover to Resume NFS Logging.
To configure path monitoring, define one or more path groups. The path group lists the destination IP addresses (nodes) that Panorama must ping to verify network connectivity. Perform the following steps for each path group that includes the nodes that you want to monitor. Select Panorama > High Availability and, in the Path Group section, click Add. Enter a Name for the path group. Select a Failure Condition for this group: any triggers a path monitoring failure if any one of the IP addresses becomes unreachable. all triggers a path monitoring failure only when none of the IP addresses are reachable. Add each destination IP address you want to monitor. Click OK. The Path Group section displays the new group .
( Optional ) Select the failure condition for path monitoring on Panorama. Select Panorama > High Availability and edit the Path Monitoring section. Select a Failure Condition: all triggers a failover only when all monitored path groups fail. any triggers a failover when any monitored path group fails. Click OK.
Save your configuration changes. Click Commit, for the Commit Type select Panorama, and click Commit again.
Configure the other Panorama peer. Repeat Step 2 through Step 6 on the other peer in the HA pair.
Verify that the Panorama servers are paired in HA. After you configure both Panorama servers for HA: Access the Dashboard on each Panorama, and view the High Availability widget. Verify the Panorama servers are paired and synchronized: Active Panorama—The state of the Local peer must be active and the Running Config must be synchronized. Passive Panorama—The state of the Local peer must be passive and the Running Config must be synchronized.

Recommended For You