Configure HAProxy for HA Setup

Configure HAProxy load balancer for HA setup.
Where Can I Use This?
  • Prisma SD-WAN
What Do I Need?
  • Prisma SD-WAN
  1. Install HAProxy by executing the command:
    sudo apt install haproxy
  2. Edit the HAProxy config file by updating the Operator console's IP address.
    /etc/haproxy/haproxy.cfg
    Before applying this configuration, substitute all placeholder values with your actual IP addresses and domain name. The IP addresses shown below are for documentation purposes only and are not routable.
    #---------------------------------------------------------------------
    # Proxies to the webserver backend port 443
    #---------------------------------------------------------------------

    # OPTIONAL: Stats endpoint — remove this block if not needed.
    # If enabled, restrict access to a trusted interface or add authentication.
    frontend stats
        mode http
        bind 127.0.0.1:80
        stats enable
        stats uri /stats
        stats refresh 10s
        stats admin if LOCALHOST
        # Uncomment the following line to require a username and password:
        # stats auth admin:<strong-password>

    frontend https
        bind :443
        mode tcp
        option tcplog
        # Wait for a client hello for at most 5 seconds
        tcp-request inspect-delay 5s
        tcp-request content accept if { req_ssl_hello_type 1 }
        use_backend controller_ssl if { req_ssl_sni -m end .customer-domain }
        #default_backend static

    frontend ops_https
        bind :9443
        mode tcp
        option tcplog
        # Wait for a client hello for at most 5 seconds
        tcp-request inspect-delay 5s
        tcp-request content accept if { req_ssl_hello_type 1 }
        use_backend opsui_ssl if { req_ssl_sni -i ops-ui.prisma-sd-wan.com }

    backend controller_ssl
        mode tcp
        balance roundrobin
        timeout connect 5s  # 5 seconds
        timeout check 5s    # 5 seconds
        timeout server 30s  # 30 seconds
        server controller_ssl_server1 app-node-1-IP:443 check
        server controller_ssl_server2 app-node-2-IP:443 check backup
        server controller_ssl_server3 app-node-3-IP:443 check backup

    backend opsui_ssl
        mode tcp
        balance roundrobin
        timeout connect 5s  # 5 seconds
        timeout check 5s    # 5 seconds
        timeout server 30s  # 30 seconds
        server ops_ssl_server1 ops-node-1-IP:9443 check
        server ops_ssl_server2 ops-node-2-IP:9443 check backup
        server ops_ssl_server3 ops-node-3-IP:9443 check backup
    Replace the following placeholders before applying this configuration:
    • customer-domain — your tenant domain.
    • app-node-1-IP, app-node-2-IP, app-node-3-IP — the IP addresses of your 3 Application nodes.
    • ops-node-1-IP, ops-node-2-IP, ops-node-3-IP — the IP addresses of your 3 Operator nodes.
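
    A pre-flight check for the edited file, added here as an example and not part of the original page or the product's tooling. It flags placeholders from this page that remain outside comments, and any section that enables stats on a non-loopback bind without stats auth. The helper name check_haproxy_cfg is hypothetical, and the check assumes one address per bind line.

```shell
#!/bin/sh
# Added example: pre-flight check for /etc/haproxy/haproxy.cfg before a restart.
# check_haproxy_cfg is a hypothetical helper name, not part of HAProxy.
# Returns 0 when no finding is reported, 1 otherwise.

check_haproxy_cfg() {
    cfg=$1
    rc=0

    # 1. Placeholders from this page must not survive outside comment lines.
    if grep -nE '(app|ops)-node-[0-9]+-IP|\.customer-domain|<strong-password>' "$cfg" |
        grep -vE '^[0-9]+:[[:space:]]*#' >&2; then
        echo "FAIL: placeholder values remain (lines listed above)" >&2
        rc=1
    fi

    # 2. Per section: stats enabled on a non-loopback bind without "stats auth".
    #    Assumption: one address per bind line.
    awk '
        function report() {
            if (stats && exposed && !auth) {
                print "FAIL: stats in section \"" name "\" is reachable off-host without stats auth"
                bad = 1
            }
        }
        NF == 0 || $1 ~ /^#/ { next }
        $1 ~ /^(global|defaults|frontend|backend|listen)$/ {
            report(); name = $2; stats = exposed = auth = 0; next
        }
        $1 == "bind" && $2 !~ /^(127\.|\[::1\]|localhost:)/ { exposed = 1 }
        $1 == "stats" && $2 == "enable" { stats = 1 }
        $1 == "stats" && $2 == "auth"   { auth = 1 }
        END { report(); exit bad + 0 }
    ' "$cfg" >&2 || rc=1

    return "$rc"
}

# Run against a file when one is given on the command line.
[ "$#" -eq 0 ] || check_haproxy_cfg "$1"
```

    Save it as a script and pass /etc/haproxy/haproxy.cfg as the argument. After a clean result, haproxy -c -f /etc/haproxy/haproxy.cfg checks the syntax before you restart the service.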

Change Default Password

Change the default Operator console login credentials to secure your deployment.
  1. Log in to the Operator console using the default credentials.
  2. Hover over the user details at the bottom left corner of the screen and select Reset Password.
    Choose a strong password that meets all of the following requirements:
    • Minimum 12 characters in length.
    • At least one uppercase letter (A–Z).
    • At least one lowercase letter (a–z).
    • At least one digit (0–9).
    • At least one special character (for example, ! @ # $ % ^ & *).
    Consider using a password manager to generate and store a strong, unique password. For deployments in government or financial environments, also enable multi-factor authentication (MFA) where supported.
  3. Enter the new password and confirm the password.
  4. Click Reset.

Change Administrator Console Default Password

Change the Administrator console default password to secure your deployment.
  1. Log in to the Administrator console using the default credentials.
  2. Select the user icon at the bottom left corner of the screen and select User Profile.
  3. Select Update Password.
  4. Enter the current and new passwords, then select Save.
    You will be logged out from the current session as soon as the password is reset.