Configure SD-WAN Devices in HA Mode

Configure Active/Passive HA for two SD-WAN branches or hubs.
Where Can I Use This? | What Do I Need?
  • NGFW
  • Advanced SD-WAN for NGFW
You can configure two firewalls as a branch in active/passive HA mode (or two firewalls as a hub in active/passive HA mode) to be part of your SD-WAN environment. In this case, Panorama™ needs to push the same configuration to the active peer and the passive peer, rather than treat the two firewalls individually. To make that happen, you configure active/passive HA before adding the devices for SD-WAN, so that Panorama is aware the devices are HA peers and pushes the same configuration to them. (Only HA active/passive mode is supported.)
Read through the following procedure before you begin so you don’t Commit after adding your HA peers as SD-WAN devices.
In HA, the firewall does not synchronize SD-WAN session distribution statistics. After an HA failover, the session distribution statistics display only statistics of new sessions; statistics of existing sessions are lost.

Versions Earlier Than 3.4.0

Configure active/passive HA for two SD-WAN branches or hubs on SD-WAN plugin versions earlier than 3.4.0.
  1. Before you enable SD-WAN on your HA peers, configure active/passive HA on two firewall models that support SD-WAN.
  2. Add the HA peers as SD-WAN devices, but don’t perform the last step to Commit.
  3. In Panorama, select Panorama > Managed Devices > Summary.
  4. At the bottom of the screen, select Group HA Peers. Confirm that under the Status display, the HA Status column includes the two firewalls, one active and one passive. Panorama is aware of the HA status and will push the same SD-WAN configuration to the two HA peers when you commit.
  5. Commit and Commit and Push.

3.4.0 and Later

Configure HA peers simultaneously from a single window while adding the SD-WAN firewall branches and hubs, ensuring configuration consistency between the active and passive devices.
(PAN-OS 12.1.2 and later releases, SD-WAN 3.4.0 and later releases) (Mandatory for HA peers) Configure high availability (HA) devices in SD-WAN with consistent configuration and ease of management.
In an SD-WAN infrastructure, managing high availability (HA) device configurations has been a challenging and error-prone process. To simplify HA firewall configuration, we provide a single-window configuration that automatically synchronizes settings between active and passive devices, thereby reducing the potential for configuration mismatches.
When you upgrade the SD-WAN plugin from an earlier version to 3.4.0, the configuration between HA peers is synchronized automatically (if the devices were already added before the upgrade).
  1. Navigate to Panorama > SD-WAN > Devices and select the active device in the HA pair.
  2. Enable Add HA Peer. When enabled, the SD-WAN plugin automatically discovers the HA peer and populates the HA Peer Name.
    • You can’t add HA firewall pairs individually. Configure both active and passive firewalls together by enabling the Add HA Peer option.
    • Configuration changes synchronize automatically between HA peer devices.
    • (For Prisma® Access devices only) Note the following before Prisma® Access configuration:
      • Prisma Access interfaces added on active devices don’t appear in the passive device configuration, which leads to configuration inconsistency between HA peers.
      • Adding Prisma Access configuration to passive devices results in an error. Therefore, you must add the Prisma Access configuration only on the active device.
      • An empty Prisma Access configuration on the passive device does not impact the active device configuration. The active device’s Prisma Access configuration is preserved even though the passive device is unconfigured.
  3. (Mandatory) Enter the HA Peer Site name for the HA peer device (or secondary device) to identify the geographical location or purpose of the device.
    • It's mandatory to specify the site name for the HA peer device configuration.
    • The HA Peer Site name supports all upper-case and lower-case alphanumerical and special characters. Site names can’t contain spaces.
  4. Select OK.
    If there is a mismatch between the active and passive Panorama configurations, a warning symbol appears next to the device name in the SD-WAN devices list. In this case, perform the following steps:
    • Select the Warning icon to view a more detailed warning message.
    • Review the configuration differences.
    • Select Add HA Peer to synchronize configurations.
    • Delete the passive device and add it again by enabling Add HA Peer on the active device.
    Generally, a warning message appears when the firewall was configured and added separately before being converted to an HA pair. You will also encounter the warning when the active and passive firewalls have different configurations.
  5. Commit and Commit and Push.
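
The checks in both procedures above can be run as a lint before Commit and Push. This is an added example, not Palo Alto Networks code: the inventory record format, field names and device names are hypothetical (for instance, transcribed from the SD-WAN device list), not a Panorama export format.

```python
# Pre-commit lint for SD-WAN HA pairs (added example; record format is hypothetical).
import re

# Constructed sample inventory: one record per firewall in the SD-WAN device list.
DEVICES = [
    {"name": "br1-fw-a", "ha_peer": "br1-fw-b", "ha_state": "active", "site": "Branch1-A",
     "sdwan": {"type": "branch", "zone_internet": "untrust"}, "prisma_access": ["eth1/4"]},
    {"name": "br1-fw-b", "ha_peer": "br1-fw-a", "ha_state": "passive", "site": "Branch1-B",
     "sdwan": {"type": "branch", "zone_internet": "untrust"}, "prisma_access": []},
    {"name": "hub-fw-a", "ha_peer": "hub-fw-b", "ha_state": "active", "site": "Hub DC",
     "sdwan": {"type": "hub", "zone_internet": "untrust"}, "prisma_access": []},
    {"name": "hub-fw-b", "ha_peer": "hub-fw-a", "ha_state": "passive", "site": "HubDC-B",
     "sdwan": {"type": "hub", "zone_internet": "wan"}, "prisma_access": ["eth1/2"]},
    {"name": "br2-fw-a", "ha_peer": "br2-fw-b", "ha_state": "active", "site": "Branch2",
     "sdwan": {"type": "branch"}, "prisma_access": []},
]

def lint_ha_pairs(devices):
    """Return sorted (device, problem) tuples for HA peers that break the page's rules."""
    by_name = {d["name"]: d for d in devices}
    findings = set()
    for dev in devices:
        peer_name = dev.get("ha_peer")
        if not peer_name:
            continue  # standalone firewall, nothing to check
        site = dev.get("site", "")
        if not site or re.search(r"\s", site):
            findings.add((dev["name"], "site name missing or contains spaces"))
        if dev["ha_state"] == "passive" and dev.get("prisma_access"):
            findings.add((dev["name"], "Prisma Access configured on passive peer"))
        peer = by_name.get(peer_name)
        if peer is None:
            findings.add((dev["name"], "HA peer not added as SD-WAN device"))
            continue
        if {dev["ha_state"], peer["ha_state"]} != {"active", "passive"}:
            findings.add((dev["name"], "pair is not one active and one passive"))
        # Prisma Access lives only on the active peer, so compare the SD-WAN part alone.
        if dev["sdwan"] != peer["sdwan"]:
            findings.add((dev["name"], "SD-WAN configuration differs from HA peer"))
    return sorted(findings)

if __name__ == "__main__":
    for name, problem in lint_ha_pairs(DEVICES):
        print(f"{name}: {problem}")
```

On the constructed inventory, the branch 1 pair passes even though only its active peer carries Prisma Access configuration, while the hub pair and the unpaired branch 2 firewall are flagged.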