End-of-Life (EoL)

Panorama HA Prerequisites

To configure Panorama in HA, you require a pair of identical Panorama servers with the following requirements on each:
  • The same form factor
    —The peers must be the same model and mode: both M-500 appliances in Panorama mode, M-100 appliances in Panorama mode, virtual appliances in Panorama mode, or virtual appliances in Legacy mode. (M-Series appliances in Log Collector mode do not support HA.)
  • The same Panorama OS version
    —Must run the same Panorama version to synchronize configuration information and maintain parity for a seamless failover.
  • The same set of licenses
    —Must have the same firewall management capacity license.
  • (
    Panorama virtual appliance only
    Unique serial number
    —Must have unique serial numbers; if the serial number is the same for both Panorama instances, they will be in suspended mode until you resolve the issue.
    Panorama HA Organization
The Panorama servers in the HA configuration are peers and you can use either (active or passive) to centrally manage the firewalls, Log Collectors, and WildFire appliances and appliance clusters, with a few exceptions (see Synchronization Between Panorama HA Peers). The HA peers use the management (MGT) interface to synchronize the configuration elements pushed to the managed firewalls, Log Collectors, and WildFire appliances and appliance clusters to maintain state information. Typically, Panorama HA peers are geographically located in different sites, so you need to make sure that the MGT interface IP address assigned to each peer is routable through your network. HA connectivity uses TCP port 28 with encryption enabled. If encryption is not enabled, ports 28769 and 28260 are used for HA connectivity and to synchronize configuration between the HA peers. We recommend less than 500ms latency between the peers. To determine the latency, use Ping during a period of normal traffic.

Recommended For You