
Panorama > Firewall Clusters


Configure and view CN-Series and PA-Series clusters.
  • Panorama > Firewall Clusters
(Available on CN-Series and PA-7500 Series Firewalls Only) Create and configure a CN-Series or PA-Series firewall cluster, view the cluster summary, and monitor health information in Panorama under Firewall Clusters. Only PA-7500 Series firewalls support PA-Series firewall clusters.
You must install a Panorama Clustering plugin version (that is compatible with the PAN-OS version) from Device > Plugins to view the cluster details under Firewall Clusters.

Create and Edit a Firewall Cluster

Select Create Cluster to create a cluster and specify the type; click OK. Then select the cluster to access the Edit Cluster screen, where you select the members and further configure the cluster.
To control which clusters are displayed for editing, in the Clusters field, select CN-Series, PA-Series, or All Clusters.
Field
Description
Cluster Name
Enter a cluster name containing zero or more alphanumeric characters, underscores (_), hyphens (-), dots (.), or spaces.
Cluster Type
Select the type of cluster: CN (CN-Series cluster) or PA (PA-Series cluster, which is an NGFW cluster).
Description
Enter a description of the cluster.
Group ID
Enter a Group ID in the range 1 to 63; default is 1. The Group ID helps differentiate MAC addresses when two HA pairs (or an HA pair and an NGFW cluster) in the same Layer 2 network share MAC addresses.
Members
Select the members of the cluster.
For a PA-Series cluster:
  • The members must be no more than two PA-7500 Series firewalls.
  • Only PA-7500 Series firewalls appear in the list of potential members.
  • The first node that you select as a cluster member automatically becomes Node 1.
General
Device
(PA-Series Clusters only) Device serial number; not configurable.
ID
(PA-Series Clusters only) Node ID (1 or 2); not configurable. The node that you select first when selecting cluster members automatically becomes Node 1.
Communications
Inter Firewall Link
(PAN-OS 11.1.5 and later releases)
(PA-Series Clusters only) Select hsci-a to apply the Key Server Priority, Crypto Profile, and Pre Shared Key to that link. Then select hsci-b to apply the Key Server Priority, Crypto Profile, and Pre Shared Key to that link.
Key Server Priority
(PAN-OS 11.1.5 and later releases)
(PA-Series Clusters only) Enter the priority of the key server in the range from 0 to 255; default is 16. The lower the value, the higher the priority of the Key Server.
If the priority values for the HSCI-A links on the two nodes are equal, the node with the lower MAC address is the Key Server. The same is true of the priority values for the HSCI-B links. The Key Server (one of the nodes in the cluster) selects and advertises a cipher suite, and also generates the SAK from the CAK.
Crypto Profile
(PAN-OS 11.1.5 and later releases)
(PA-Series Clusters only) Select the MACsec Crypto Profile you created or select the default profile.
Pre Shared Key Profile
(PAN-OS 11.1.5 and later releases)
(PA-Series Clusters only) Select the Pre Shared Key profile you created.
System Monitoring
State Upon Capacity Loss
(PA-Series Clusters only) Select one of the following:
  • degraded—Specifies that the node state of the firewall will be identified as DEGRADED if the count of functional network cards or data processing cards goes below the configured Minimum Network Cards or Minimum Data Processing Cards, respectively.
  • failed—Specifies that the node state of the firewall will be identified as FAILED if the count of functional network cards or data processing cards goes below the configured Minimum Network Cards or Minimum Data Processing Cards, respectively.
Minimum Network Cards
(PA-Series Clusters only) Minimum number of network cards required to be functional; range is 1 to 7, default is 1. If the cluster drops below this minimum, the cluster state transitions to the State Upon Capacity Loss that you configured (degraded or failed).
Minimum Data Processing Cards
(PA-Series Clusters only) Minimum number of data processing cards required to be functional; range is 1 to 7, default is 1. If the cluster drops below this minimum, the cluster state transitions to the State Upon Capacity Loss that you configured (degraded or failed).
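
The documented limits and the Key Server selection rule above, worked through as an added example (not Palo Alto Networks code and not a Panorama API). The `Node` class, the serial numbers and the MAC addresses are constructed, and the example assumes the tie-break compares the MAC address of the HSCI port on each link.

```python
from dataclasses import dataclass, field

LINKS = ("hsci-a", "hsci-b")
DEFAULT_PRIORITY = 16  # documented default Key Server Priority


@dataclass
class Node:
    serial: str                                   # constructed placeholder
    mac: dict                                     # link -> MAC (assumed: HSCI port MAC)
    priority: dict = field(default_factory=dict)  # link -> Key Server Priority


def check_plan(group_id, nodes, min_nc=1, min_dpc=1):
    """Return the documented limits that a planned PA-Series cluster violates."""
    problems = []
    if not 1 <= group_id <= 63:
        problems.append("Group ID must be 1-63")
    if len(nodes) > 2:
        problems.append("no more than two PA-7500 Series members")
    if not 1 <= min_nc <= 7:
        problems.append("Minimum Network Cards must be 1-7")
    if not 1 <= min_dpc <= 7:
        problems.append("Minimum Data Processing Cards must be 1-7")
    for node in nodes:
        for link in LINKS:
            if not 0 <= node.priority.get(link, DEFAULT_PRIORITY) <= 255:
                problems.append(f"{node.serial} {link}: Key Server Priority must be 0-255")
    return problems


def key_server(nodes, link):
    """Lower priority value wins; equal priorities fall back to the lower MAC."""
    def rank(node):
        mac = int(node.mac[link].replace(":", ""), 16)
        return (node.priority.get(link, DEFAULT_PRIORITY), mac)
    return min(nodes, key=rank).serial


# Constructed plan: priorities tie on hsci-a, node 2 is preferred on hsci-b.
NODE1 = Node("SERIAL-1", {"hsci-a": "02:00:00:00:01:0a", "hsci-b": "02:00:00:00:01:0b"},
             {"hsci-b": 32})
NODE2 = Node("SERIAL-2", {"hsci-a": "02:00:00:00:02:0a", "hsci-b": "02:00:00:00:02:0b"},
             {"hsci-a": 16, "hsci-b": 8})

if __name__ == "__main__":
    print(check_plan(1, [NODE1, NODE2]))
    for link in LINKS:
        print(link, "key server:", key_server([NODE1, NODE2], link))
```

Because the priority is set per link, the two HSCI links can end up with different Key Servers, as they do in this sample plan.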

Summary View

View CN-Series and PA-Series firewall cluster summary.
View the information about the CN-Series or PA-Series clusters captured by the firewall in the last five minutes. Click the refresh button to load the latest details.
The cluster plugin visibility data is not in real time; it's delayed by a maximum of five minutes.
Field
Description
Cluster Name
Name of the firewall cluster.
Software Version
PAN-OS version.
Plugins Used on the Cluster
List of plugins used on the cluster.
Template Stack
Name of the template stack associated with the cluster.
Device Group
Name of the device group associated with the cluster.
Cluster State
(CN-Series cluster only) Displays whether the cluster is impacted or not.
(PA-Series cluster only) Displays the health of the cluster, which is derived from Node Status of all nodes in the cluster. Cluster state will be:
  • OK—If all nodes are in ONLINE state.
  • IMPACTED—If at least one node is in ONLINE state and the other node isn't in ONLINE state.
  • ERROR—If there isn't a single node in ONLINE state.
Cluster Type
Type of cluster (CN or PA).
Members Affected
Number of impacted cluster members and their names.
System Log Details
Details of the system events.
Specific Error
List of specific errors in the cluster. Click the link to view more details about the error under Monitor > Logs > System where you can view logs.
Pod Name
(CN-Series cluster only) Name of the pod.
CPU Count
Number of CPUs used.
Config Sync Status
(PA-Series Clusters only) Config synchronization status between Panorama and the firewalls in the PA cluster. Status can be In Sync or Out of Sync. After you successfully add firewalls to the cluster, commit, and push, the Config Sync Status displays as In Sync.
Last Commit State
(PA-Series Clusters only) State of the last attempted commit:
  • commit failed
  • commit succeeded
  • commit succeeded with warnings
  • commit reverted
Node Sync Status
(PA-Series Clusters only) Synchronization status of the Node Flow Table:
  • SYNC
  • UPDATING
  • OUT_OF_SYNC
Node Status
(PA-Series Clusters only) Possible status (states) of a cluster node:
  • UNKNOWN—Clustering is not enabled. Node remains in this state until a cluster configuration push from Panorama or a commit enables clustering.
  • INIT—Node transitions from UNKNOWN to INIT state after clustering is enabled. Node remains in INIT state until cluster initialization of node is complete. Node transitions to ONLINE state after a timeout.
  • ONLINE—Node is passing traffic and working as expected.
  • DEGRADED—Node transitions to DEGRADED state when a soft fault occurs. Node can transition from DEGRADED to INIT state if all the faults are resolved.
  • FAILED—Node transitions to FAILED state when a hard fault occurs. Node can transition from FAILED to INIT state if all the faults are resolved.
  • SUSPENDED—Triggered by administrator. Another cause of SUSPENDED state is if a node state flaps to DEGRADED or FAILED state repeatedly; the node is SUSPENDED after six flaps. An administrator can unsuspend the node. SUSPENDED state has traffic ports down and doesn't allow L7 continuity.
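
How Cluster State follows from Node Status, and how repeated faults approach the six-flap suspension, shown as an added monitoring example (not Palo Alto Networks code). The poll history is constructed, `warn_at` is a hypothetical alert threshold, and the example assumes a flap is one observed transition into DEGRADED or FAILED from any other state.

```python
FAULT_STATES = {"DEGRADED", "FAILED"}
FLAP_LIMIT = 6  # per the page: a node is SUSPENDED after six flaps


def cluster_state(node_status):
    """Derive the PA-Series Cluster State from each node's Node Status."""
    online = [state == "ONLINE" for state in node_status.values()]
    if online and all(online):
        return "OK"
    return "IMPACTED" if any(online) else "ERROR"


def count_flaps(history):
    """Count observed transitions into DEGRADED or FAILED (assumed flap definition)."""
    return sum(1 for prev, cur in zip(history, history[1:])
               if cur in FAULT_STATES and prev not in FAULT_STATES)


def review(histories, warn_at=4):
    """Return (cluster state, per-node findings) from polled Node Status histories."""
    current = {node: states[-1] for node, states in histories.items()}
    findings = {}
    for node, states in histories.items():
        flaps = count_flaps(states)
        if current[node] == "SUSPENDED":
            findings[node] = "SUSPENDED: traffic ports down until an administrator unsuspends"
        elif flaps >= warn_at:
            left = max(FLAP_LIMIT - flaps, 0)
            findings[node] = f"{flaps} flaps seen, {left} left before suspension"
    return cluster_state(current), findings


# Constructed poll history, oldest first; not real Panorama output.
SAMPLE = {
    "node-1": ["INIT", "ONLINE", "ONLINE", "ONLINE"],
    "node-2": ["ONLINE", "DEGRADED", "INIT", "ONLINE", "FAILED", "INIT", "ONLINE",
               "DEGRADED", "INIT", "ONLINE", "DEGRADED"],
}

if __name__ == "__main__":
    state, findings = review(SAMPLE)
    print(state, findings)
```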

Monitoring

View CN-Series and PA-Series firewall cluster monitoring information.
View the CN-Series or PA-Series firewall cluster health information.
The cluster plugin visibility data is not in real time.
Field
Description
Managed Software Cluster
Select a firewall cluster.
Impacted
List of impacted firewall clusters.
  • CN Clusters or PA Clusters—Number of impacted CN-Series or PA-Series firewall clusters, respectively.
  • Clusters Impacted—List of clusters that are impacted.
Click to view detailed information about the clusters in the Interconnect Status and Cluster Utilization dashboards.
OK
List of firewall clusters that are not impacted.
  • CN-Clusters or PA Clusters—Number of CN-Series or PA-Series firewall clusters that are not impacted, respectively.
  • Clusters Impacted—List of clusters that are not impacted.
Click to view detailed information about the clusters in the Interconnect Status and Cluster Utilization dashboards.
Interconnect Status
View the cluster interconnect details for a selected time frame.
Select Last 5 Mins to view the following details.
  • Cluster Name—Name of the firewall cluster.
  • Cluster Type—Type of cluster (CN or PA).
  • Cluster Creation Time—Time of cluster creation.
  • Cluster State—Displays whether the cluster is impacted or not.
    • Current Cluster Detail—Click the cluster state link to view more details about the impacted cluster.
  • Cluster Interconnect State—Displays whether the cluster is impacted or not.
    • Current Cluster Detail—Click the interconnect state link to view more details about the impacted cluster.
  • Traffic Interconnect—Status of traffic interconnectivity.
  • External Connection—Status of external connectivity.
  • Impacted Links—Number of impacted links.
  • Management Connectivity—Number of management connections.
  • Impacted Cluster Member—List of impacted cluster members.
  • Time Stamp Hi-Res Uptime—Uptime time stamp.
  • Time Stamp Hi-Res Downtime—Downtime time stamp.
Selecting any time frame other than Last 5 Mins displays the following information only.
  • Cluster Name
  • Cluster Type
  • Cluster Creation Time
  • Current Cluster State
  • Cluster Interconnect Status
  • Traffic Interconnect
  • External Connection
Cluster Utilization
View the firewall cluster throughput, memory, and data utilization.
  • Cluster Name—Name of the firewall cluster.
    • Cluster Details—Click the cluster name link to view the throughput, memory, and data utilization details of the selected cluster.
  • Cluster Type—Type of cluster (CN or PA).
  • Cluster State—Displays the health of the cluster.
  • Cluster Throughput (gbps)—Firewall cluster throughput in Gbps.
  • CPS—Number of connections per second.
  • Session Count (Sessions)—Number of sessions.
  • Average Data Plane (%) Within Health Threshold—Average dataplane threshold in percentage.
  • Management Plane CPU (%)—Management plane CPU utilization in percentage.
  • Management Plane Mem (%)—Management plane memory utilization in percentage.
  • Logging Rate (Log/Sec)—Rate at which the logs are being generated on the cluster.
  • DP Auto-Scale Status—Dataplane autoscale details.