An overview and the task you perform to configure a Panorama Managed Prisma Access deployment in High Availability (HA).
Where Can I Use This? Prisma Access (Managed by Panorama)
What Do I Need? Prisma Access license
Deploying Panorama appliances in a high availability (HA) configuration provides redundancy in case of a system or network failure and ensures that you have continuous connectivity to Prisma Access. In an HA configuration, one Panorama appliance peer is the active-primary and the other is the passive-secondary. In the event of a failover, the secondary peer becomes active and takes over the role of managing Prisma Access.
To simplify the HA setup, configure the Panorama appliances in HA after you purchase Prisma Access and Cortex Data Lake auth codes and components and associate the serial number of the primary Panorama appliance on which you plan to install the Cloud Services plugin with the auth codes, but before you activate and install Panorama Managed Prisma Access. However, you can also use this process to configure existing Panorama appliances that already have the plugin installed.
Whether you are just getting started with a new pair of Panorama appliances, or you have already set up your standalone Panorama appliance and completed the licensing and installation procedures, make sure to check the prerequisites before you enable HA:
You must register the Panorama appliance HA peers to the same customer account on the Customer Support Portal (CSP).
The Panorama appliance peers must be of the same form factor (hardware appliances of the same model or identical virtual appliances) and the same OS version, and must have the same set of licenses. The premium support license is required for Prisma Access and Cortex Data Lake.
The serial number of the primary Panorama appliance is tied to your Prisma Access and Cortex Data Lake auth codes. If you have installed and set up the plugin on a standalone Panorama appliance, ensure that you use that Panorama appliance as the primary peer. If you need to assign this standalone peer as the secondary Panorama appliance, contact Palo Alto Networks support for assistance with transferring the license to the primary Panorama appliance peer before you continue.
If you disable HA for a Panorama pair and revert to a configuration where a single Panorama manages
to verify that both Panorama peers are tied to your Prisma Access and Cortex Data Lake licenses.
Check the fields for the primary and secondary Panorama appliance.
The Auth Code, Model Name, License Description, and Expiration Date fields should be the same for the primary and secondary Panorama appliance, because Palo Alto Networks has associated the Prisma Access license automatically to the secondary Panorama appliance.
When you log in to the Customer Support Portal (CSP) to generate the OTP, make sure that you specify the serial number for the secondary Panorama appliance.
Commit your changes on the primary and secondary Panorama appliance.
Commit > Commit and Push your changes.
Click OK and Push.
Verify that the primary and secondary Panorama appliances are still in a synchronized state.