SD-WAN
3.4.0 and Later
Table of Contents
3.4.0 and Later
Configure HA peers simultaneously from a single window while adding the SD-WAN firewall branches and hubs, ensuring configuration consistency between
the active and passive devices.
(PAN-OS 12.1.2 and later releases, SD-WAN 3.4.0 and
later releases) (Mandatory for HA peers) Configure high
availability (HA) devices in SD-WAN with consistent configuration and
ease of management.
In a SD-WAN infrastructure, managing high availability (HA)
device configurations has been a challenging and error-prone process. To simplify
the HA firewalls, we provide a single-window configuration that automatically
synchronizes settings between active and passive devices, thereby reducing the
potential for configuration mismatches.
When you upgrade
SD-WAN plugin from an earlier version to 3.4.0, the
configuration between HA peers will be synchronized automatically (if the
devices were already added before upgrade).
- Log in to the Panorama web interface.Navigate to and select the active device in the HA pair.Enable Add HA Peer. When enabled, the SD-WAN plugin will automatically discover the HA peer and populates the HA Peer Name.
![]()
- You can’t add HA firewall pairs individually. Configure both active and passive firewalls together by enabling the Add HA Peer option.
- Configuration changes synchronize automatically between HA peer devices.
- (For Prisma® Access devices only) Note the following before
Prisma® Access configuration:
- Prisma Access interfaces added on active devices don’t appear in passive device configuration leading to configuration inconsistency between HA peers.
- Adding Prisma Access configuration to passive devices results in an error. Therefore, you must only add the Prisma Access configuration on the active device.
- Empty Prisma Access configuration on passive device does not impact active device configuration. Active device Prisma Access configuration remains preserved despite passive being unconfigured.
(Mandatory) Enter the HA Peer Site name for the HA peer device (or secondary device) to identify the geographical location or purpose of the device.- It's mandatory to specify the site name for the HA peer device configuration.
- The HA Peer Site name supports all upper-case and lower-case alphanumerical and special characters. Site names can’t contain spaces.
Select OK.If there is a mismatch between the active and passive Panorama configurations, a warning symbol appears next to the device name in the SD-WAN devices list. In this case, perform the following steps:- Select the Warning icon to view a more detailed warning message.
- Review the configuration differences.
- Select Add HA Peer to synchronize configurations.
- Delete the passive device and add it again by enabling Add HA Peer on the active device.
Generally, a warning message appears when the firewall was configured and added separately before converting to a HA pair. You will also encounter the warning when active and passive firewalls have different configurations.Commit and Commit and Push.
