Workflow for converting an SD-WAN enabled Panorama management server to a Panorama HA
peer for specific SD-WAN plugin versions.
| Where Can I Use This? | What Do I Need? |
| NGFW (managed by PAN-OS or Panorama) | |
You can convert a standalone Panorama management server to a Panorama HA pair. The
conversion sets up the Panorama servers as active and passive HA peers that form an HA cluster.
To convert a standalone Panorama to HA Panorama, you must have downloaded one of the
following SD-WAN plugin versions:
- SD-WAN plugin 2.2.7
- SD-WAN plugin 3.0.8
- SD-WAN plugin 3.2.2
- SD-WAN plugin 3.3.2
- SD-WAN plugin 2.2.7-h5 or later versions
- SD-WAN plugin 3.2.3-h2 or later versions
- SD-WAN plugin 3.3.3 or later versions
Before conversion, ensure that all device templates and device groups of the SD-WAN
devices are in sync with the current Panorama. If a failure occurs on the
primary peer after the standalone Panorama has been converted to an HA cluster, Panorama
automatically fails over and the secondary peer becomes active.
Follow this workflow to convert an SD-WAN-enabled Panorama management server to a
Panorama HA peer.
SD-WAN Plugin 2.2.7, 3.0.8, 3.2.2, and 3.3.2 Versions
Workflow for converting an SD-WAN-enabled Panorama management server to a Panorama HA
peer for SD-WAN plugin 2.2.7, 3.0.8, 3.2.2, and 3.3.2 versions.
In Panorama, go to and
Export the CSV file from the
standalone Panorama management server.
Configure the new Panorama management server.
- Install the same OS version as the primary active firewall.
- Configure the management IP address.
- Install all the required plugins, application version, and antivirus
version, the same as on the primary active firewall.
- Execute the commit force CLI command to commit
the changes forcefully.
Configure the IP address for the newly deployed Panorama as the secondary IP
address of Panorama in the Panorama settings (under device template of the
devices managed by standalone Panorama), commit and push the changes to all the
devices.
Configure high availability (HA).
- On the standalone Panorama management server:
- Navigate to and configure the IP address and serial number of
the newly deployed Panorama.
- Navigate to , disable Preemptive, set priority to primary and commit the changes.
- On the newly deployed Panorama management server:
- Navigate to and configure the IP address and serial number of
the standalone Panorama, which is already managing the network.
- Navigate to , disable Preemptive, set priority to secondary and commit the changes.
- Once HA is committed, the new Panorama joins the HA cluster. Initially,
the running configuration won’t be synchronized, and differences will
appear in the HA dashboard.
- Address the configuration differences by ensuring the correct versions
of applications, antivirus, SD-WAN plugins, and any other required
plugins are installed.
Resolve initial synchronization issues.
- Synchronization from active to passive Panorama will fail initially,
showing an error message.
Despite the failure, the authentication key (auth-key), templates,
and device groups will be synchronized.
- Verify the synchronization by refreshing the passive Panorama web
interface. The templates and Device Groups tabs should now be
visible.
- Delete any duplicate entries under "No device group
assigned."
Configure Serial Numbers and Finalize Panorama Setup.
- Suspend the new Panorama management server using and Suspend local Panorama for high
availability.
- Copy the serial numbers from the previously exported CSV file and add
them to the newly deployed Panorama.
Adding serial numbers does not
generate the authentication key or trigger a commit.
- Wait for all firewalls to reflect their connection status (connected or
disconnected) as seen in the active Panorama.
- Once statuses match, make the new Panorama functional by selecting
Make local Panorama functional for high
availability from , and delete all the duplicate entries present under No
device group assigned.
Synchronize databases.
- Run the following synchronization command on the active Panorama HA
peer:
debug plugins sd_wan mongo-db sync-db-to-peer
If the result shows sync-in-progress, restart the configd process using:
debug software restart process configd
- Reconnect the active Panorama and run the synchronization command again.
If successful, the active and passive Panorama MongoDB will be
synchronized.
Synchronize and Verify.
- Synchronize the running configuration from active Panorama to passive
Panorama to apply all settings.
- Verify both active and passive Panorama details in the HA dashboard.
- Check the MongoDB status by running:
debug plugins sd_wan mongo-db sync-status
- Perform a force commit on the passive Panorama to finalize the
setup.
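The "Configure Serial Numbers and Finalize Panorama Setup" step above says to wait until every firewall shows the same connection status on both peers before making the new Panorama functional. The following is an added example, not Palo Alto Networks code, that performs that comparison off-box on two device inventories. It assumes both inventories are available as CSV text and that the column names are `Serial` and `Connected`; both names and all sample rows are constructed, so adjust them to the headers in your export.

```python
import csv
import io

def load_inventory(csv_text, serial_col="Serial", state_col="Connected"):
    """Map serial number -> connection state from CSV text.
    Column names are assumptions; match them to your export's headers."""
    inventory = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        serial = (row.get(serial_col) or "").strip()
        if not serial:
            continue  # skip blank rows
        if serial in inventory:
            raise ValueError(f"duplicate serial in export: {serial}")
        inventory[serial] = (row.get(state_col) or "").strip().lower()
    return inventory

def compare_peers(active, new):
    """Return the differences that should hold back 'make functional'."""
    shared = set(active) & set(new)
    return {
        "missing_on_new": sorted(set(active) - set(new)),
        "unexpected_on_new": sorted(set(new) - set(active)),
        "state_mismatch": sorted(s for s in shared if active[s] != new[s]),
    }

def ready_to_make_functional(diff):
    """True only when both peers list the same serials with the same state."""
    return not any(diff.values())

# Constructed sample data (not real serial numbers).
ACTIVE_CSV = """Device Name,Serial,Connected
branch-1,000000000001,yes
branch-2,000000000002,no
hub-1,000000000003,yes
"""
NEW_CSV = """Device Name,Serial,Connected
branch-1,000000000001,yes
branch-2,000000000002,yes
branch-9,000000000009,no
"""

if __name__ == "__main__":
    diff = compare_peers(load_inventory(ACTIVE_CSV), load_inventory(NEW_CSV))
    for kind, serials in diff.items():
        print(f"{kind}: {', '.join(serials) or 'none'}")
    ok = ready_to_make_functional(diff)
    print("proceed" if ok else "hold: resolve differences first")
```

A serial missing on the new peer or a status mismatch means a firewall would not be represented identically after failover, so resolve each reported difference before taking the peer out of the suspended state.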
SD-WAN Plugin 2.2.7-h5 or Later, 3.2.3-h2 or Later, and 3.3.3 or Later Versions
Workflow for converting an SD-WAN-enabled Panorama management server to a Panorama HA
peer for SD-WAN plugin 2.2.7-h5 or later, 3.2.3-h2 or later, and 3.3.3 or later versions.
Configure the new Panorama management server.
- Install the same OS version as the primary active firewall.
- Configure the management IP address.
- Install all the required plugins, application version, and antivirus
version, the same as on the primary active firewall.
- Execute the commit force CLI command to commit
the changes forcefully.
Configure high availability (HA).
- On the standalone Panorama management server:
- Navigate to and configure the IP address and serial number of
the newly deployed Panorama.
- Navigate to , enable Preemptive, set priority to primary and commit the changes.
- On the newly deployed Panorama management server:
- Navigate to and configure the IP address and serial number of
the standalone Panorama, which is already managing the network.
- Navigate to , disable Preemptive, set priority to secondary and commit the changes.
- Once HA is committed, the new Panorama joins the HA cluster. Initially,
the running configuration won’t be synchronized, and differences will
appear in the HA dashboard.
- Address the configuration differences by ensuring the correct versions
of applications, antivirus, SD-WAN plugins, and any other required
plugins are installed.
Configure the IP address for the newly deployed Panorama as the secondary IP
address of Panorama in the Panorama settings (under device template of the
devices managed by standalone Panorama) and commit the changes.
Synchronize databases.
- Run the following synchronization command on the active Panorama HA
peer:
debug plugins sd_wan mongo-db sync-db-to-peer
If the result shows sync-in-progress, restart the configd process using:
debug software restart process configd
- Reconnect the active Panorama and run the synchronization command again.
If successful, the active and passive Panorama MongoDB will be
synchronized.
Synchronize and Verify.
- Synchronize the running configuration from active Panorama to passive
Panorama to apply all settings.
- Verify both active and passive Panorama details in the HA dashboard.
- Check the MongoDB status by running:
debug plugins sd_wan mongo-db sync-status
- Perform a force commit on the passive Panorama to finalize the
setup.
Commit and push the changes from active Panorama to all the firewalls to
configure the secondary Panorama IP address.