Panorama HA Prerequisites

To configure Panorama in HA, you require a pair of identical Panorama servers with the following requirements on each:
  • The same form factor
    —The peers must be the same model and mode: both M-600 appliances, M-500 appliances, M-200 appliances, M-100 appliances, Panorama virtual appliances on AWS, Azure, GCP, and ESXi in Panorama mode, Management Only mode or Legacy mode (ESXi and vCloud Air only). Panorama appliances in Log Collector mode do not support HA.
    The shipping configuration of the M-100 appliance has increased memory and system disk capacity. Because of this change, if you purchase a new M-100 appliance or issue an RMA, you will receive an appliance with 32 GB memory and a 120 GB or 150 GB SSD. In this case, you can configure HA between an M-100 appliance with the higher capacity and an M-100 that has 16 GB memory and 120 GB or 150 GB SSD. It is recommended that you upgrade the memory to match, but to set up HA on the M-100 appliance the memory does not need to match. No changes to the system disk is necessary, if the capacities differ.
    M-100 appliances are supported in PAN-OS 9.0 and later releases only if they have been upgraded to 32GB memory from the default 16GB. See M-100 Memory Upgrade Guide for more information.
  • The same Panorama OS version
    —Must run the same Panorama version to synchronize configuration information and maintain parity for a seamless failover.
  • The same set of licenses
    —Must have the same firewall management capacity license.
  • (
    Panorama virtual appliance only
    )
    Unique serial number
    —Must have unique serial numbers; if the serial number is the same for both Panorama instances, they will be in suspended mode until you resolve the issue.
    Panorama HA Organization
    Panorama_HA.png
The Panorama servers in the HA configuration are peers and you can use either (active or passive) to centrally manage the firewalls, Log Collectors, and WildFire appliances and appliance clusters, with a few exceptions (see Synchronization Between Panorama HA Peers). The HA peers use the management (MGT) interface to synchronize the configuration elements pushed to the managed firewalls, Log Collectors, and WildFire appliances and appliance clusters to maintain state information. Typically, Panorama HA peers are geographically located in different sites, so you need to make sure that the MGT interface IP address assigned to each peer is routable through your network. HA connectivity uses TCP port 28 with encryption enabled. If encryption is not enabled, ports 28769 and 28260 are used for HA connectivity and to synchronize configuration between the HA peers. We recommend less than 500ms latency between the peers. To determine the latency, use Ping during a period of normal traffic.

Recommended For You