To configure Panorama in HA, you require a pair of identical
Panorama servers with the following requirements on each:
The same form factor
—The peers must be the same
model and mode: both M-500 appliances in Panorama mode, M-100 appliances
in Panorama mode, virtual appliances in Panorama mode, or virtual
appliances in Legacy mode. (M-Series appliances in Log Collector
mode do not support HA.)
The same Panorama OS version
—Must run the same Panorama
version to synchronize configuration information and maintain parity
for a seamless failover.
The same set of licenses
—Must have the same firewall
management capacity license.
Panorama virtual appliance only
—Must have unique serial numbers; if the serial number
is the same for both Panorama instances, they will be in suspended mode
until you resolve the issue.
The Panorama servers in the HA configuration are peers and you
can use either (active or passive) to centrally manage the firewalls,
Log Collectors, and WildFire appliances and appliance clusters,
with a few exceptions (see Synchronization Between Panorama HA Peers). The HA peers use the management (MGT) interface to synchronize
the configuration elements pushed to the managed firewalls, Log
Collectors, and WildFire appliances and appliance clusters to maintain
state information. Typically, Panorama HA peers are geographically
located in different sites, so you need to make sure that the MGT
interface IP address assigned to each peer is routable through your
network. HA connectivity uses TCP port 28 with encryption enabled.
If encryption is not enabled, ports 28769 and 28260 are used for
HA connectivity and to synchronize configuration between the HA
peers. We recommend less than 500ms latency between the peers. To
determine the latency, use Ping during a period of normal traffic.