Set Up HA on Panorama

Review the Panorama HA Prerequisites before performing the following steps.
If you configure Secure Communication Settings between Panorama HA peers, the peers use the specified custom certificate to authenticate one another. Otherwise, they use the predefined certificate.
Whichever way you configure the Panorama HA peers to authenticate, the choice does not affect their ability to communicate with one another.
  1. Set up connectivity between the MGT ports on the HA peers.
    The Panorama peers communicate with each other using the MGT port. Make sure that the IP addresses you assign to the MGT port on the Panorama servers in the HA pair are routable and that the peers can communicate with each other across your network. To set up the MGT port, see Perform Initial Configuration of the Panorama Virtual Appliance or Perform Initial Configuration of the M-Series Appliance.
    Pick a Panorama peer in the pair and complete the remaining tasks.
  2. Enable HA and (optionally) enable encryption for the HA connection.
    1. Select Panorama > High Availability and edit the Setup section.
    2. Select Enable HA.
    3. In the Peer HA IP Address field, enter the IP address assigned to the peer Panorama.
    4. In the Monitor Hold Time field, enter the length of time (milliseconds) that the system will wait before acting on a control link failure (range is 1000-60000, default is 3000).
    5. If you do not want encryption, clear the Encryption Enabled check box and click OK: no more steps are required. If you do want encryption, select the Encryption Enabled check box, click OK, and perform the following tasks:
      1. Select Panorama > Certificate Management > Certificates.
      2. Select Export HA key. Save the HA key to a network location that the peer Panorama can access.
      3. On the peer Panorama, navigate to Panorama > Certificate Management > Certificates, select Import HA key, browse to the location where you saved the key, and import it.
  3. Set the HA priority.
    1. In Panorama > High Availability, edit the Election Settings section.
    2. Define the Device Priority as Primary or Secondary. Make sure to set one peer as primary and the other as secondary.
      If both peers have the same priority setting, the peer with the higher serial number will be placed in a suspended state.
    3. Define the Preemptive behavior. By default, preemption is enabled. The preemption setting (enabled or disabled) must be the same on both peers.
      If you are using an NFS for logging and you have disabled preemption, to resume logging to the NFS see Switch Priority after Panorama Failover to Resume NFS Logging.
  4. To configure path monitoring, define one or more path groups.
    The path group lists the destination IP addresses (nodes) that Panorama must ping to verify network connectivity.
    Perform the following steps for each path group that includes the nodes that you want to monitor.
    1. Select Panorama > High Availability and, in the Path Group section, click Add.
    2. Enter a Name for the path group.
    3. Select a Failure Condition for this group:
      • any triggers a path monitoring failure if any one of the IP addresses becomes unreachable.
      • all triggers a path monitoring failure only when none of the IP addresses are reachable.
    4. Add each destination IP address you want to monitor.
    5. Click OK. The Path Group section displays the new group.
  5. (Optional) Select the failure condition for path monitoring on Panorama.
    1. Select Panorama > High Availability and edit the Path Monitoring section.
    2. Select a Failure Condition:
      • all triggers a failover only when all monitored path groups fail.
      • any triggers a failover when any monitored path group fails.
    3. Click OK.
  6. Commit your configuration changes.
    Select Commit > Commit to Panorama and Commit your changes.
  7. Configure the other Panorama peer.
    Repeat Step 2 through Step 6 on the other peer in the HA pair.
  8. Synchronize the Panorama peers.
    1. Access the Dashboard on the active Panorama and select Widgets > System > High Availability to display the HA widget.
    2. Click Sync to peer, click Yes, and wait for the Running Config to display Synchronized.
    3. Access the Dashboard on the passive Panorama and select Widgets > System > High Availability to display the HA widget.
    4. Verify that the Running Config displays Synchronized.
  9. You must configure the Secure Communication Settings for both Panorama HA peers. Configuring Secure Communication Settings for Panorama in an HA configuration does not impact HA connectivity between the HA peers. However, functionality that goes over the Secure Communication link may fail if the Secure Communication Settings are configured incorrectly, or if the HA peer or managed firewalls do not have the correct certificate or have an expired certificate.
    All traffic on the link established by configuring the Secure Communication Settings is always encrypted.
    If you configure Secure Communication Settings for Panorama in an HA configuration, you must also Customize Secure Server Communication. Otherwise, managed firewalls and WildFire appliances are unable to connect to Panorama and PAN-OS functionality is impacted.
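As an added illustration of the two-level path monitoring logic in Steps 4 and 5 (example code written for this page, not code from Palo Alto Networks or from the Panorama product), the following Python models how a path group's Failure Condition and the Panorama-level Path Monitoring Failure Condition combine into a failover decision. The IP addresses and ping results are constructed sample values embedded inline rather than live probes.

```python
from dataclasses import dataclass


@dataclass
class PathGroup:
    """One path group from Step 4: a named set of destination IPs and its Failure Condition."""
    name: str
    failure_condition: str   # "any" or "all", as offered in the Path Group dialog
    reachability: dict       # destination IP -> True if the ping to that node succeeded

    def failed(self) -> bool:
        """Apply the group-level Failure Condition to the ping results."""
        if not self.reachability:
            raise ValueError(f"path group {self.name!r} has no destination IPs")
        unreachable = [ip for ip, ok in self.reachability.items() if not ok]
        if self.failure_condition == "any":
            # any: a single unreachable node is enough to fail the group
            return len(unreachable) > 0
        if self.failure_condition == "all":
            # all: the group fails only when none of its nodes answer
            return len(unreachable) == len(self.reachability)
        raise ValueError(f"unknown failure condition {self.failure_condition!r}")


def path_monitoring_failover(groups, failure_condition: str) -> bool:
    """Apply the Panorama-level Path Monitoring Failure Condition (Step 5) across all groups."""
    results = [g.failed() for g in groups]
    if not results:
        return False          # nothing is monitored, so nothing can trigger a failover
    if failure_condition == "all":
        return all(results)   # failover only when every monitored group has failed
    if failure_condition == "any":
        return any(results)   # failover as soon as one monitored group fails
    raise ValueError(f"unknown failure condition {failure_condition!r}")


# Constructed sample data: two path groups with ping results embedded instead of probed.
SAMPLE_GROUPS = [
    PathGroup("core-routers", "all",
              {"192.0.2.1": False, "192.0.2.2": False}),        # both gateways down -> group failed
    PathGroup("dns-servers", "any",
              {"198.51.100.10": True, "198.51.100.11": True}),  # every node answers -> group healthy
]

if __name__ == "__main__":
    # With "all", the healthy dns-servers group holds off a failover; with "any", it does not.
    for cond in ("all", "any"):
        print(f"Panorama failure condition {cond!r}: failover = {path_monitoring_failover(SAMPLE_GROUPS, cond)}")
```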
