Panorama HA Prerequisites

To configure Panorama in HA, you need a pair of Panorama servers that satisfy the following requirements on each peer:
  • The same form factor—The peers must be the same model: both M-700 appliances, both M-600 appliances, both M-500 appliances, both M-300 appliances, both M-200 appliances, or both deployed on the same supported hypervisor for Panorama virtual appliances. For example, to successfully configure HA for a Panorama virtual appliance deployed on AWS in Panorama mode, the HA peer must also be deployed on AWS and be in Panorama mode.
  • The same mode—The peers must be in the same Panorama mode: both running in Panorama mode, Management Only mode, or Legacy mode (ESXi and vCloud Air only).
    Panorama appliances in Log Collector mode do not support HA.
  • The same Panorama OS version—Must run the same Panorama version to synchronize configuration information and maintain parity for a seamless failover.
  • The same set of licenses—Must have the same firewall management capacity license.
  • (Panorama virtual appliance only) FIPS-CC Mode—FIPS-CC mode must be either enabled on both Panorama HA peers or disabled on both.
  • (Panorama virtual appliance only) Virtual Appliance Resources—Must have the same number of vCPU cores and memory allocated to successfully synchronize configuration information.
  • (Panorama virtual appliance only) Unique serial number—Must have unique serial numbers; if the serial number is the same for both Panorama instances, they will be in suspended mode until you resolve the issue.
While it is recommended to match the number of logging disks and the logging disk capacities between the Panorama HA peers, a different number of logging disks or different logging disk capacities between the peers does not impact configuration synchronization or HA failover.
Panorama HA Organization
The Panorama servers in the HA configuration are peers, and you can use either peer (active or passive) to centrally manage the firewalls, Log Collectors, and WildFire appliances and appliance clusters, with a few exceptions (see Synchronization Between Panorama HA Peers). The HA peers use the management (MGT) interface to synchronize the configuration elements pushed to the managed firewalls, Log Collectors, and WildFire appliances and appliance clusters, and to maintain state information. Panorama HA peers are typically located in different geographic sites, so make sure that the MGT interface IP address assigned to each peer is routable through your network. With encryption enabled, HA connectivity uses TCP port 28. If encryption is not enabled, TCP ports 28769 and 28260 are used for HA connectivity and to synchronize configuration between the HA peers. We recommend less than 500 ms latency between the peers. To determine the latency, use ping during a period of normal traffic.
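The prerequisite checklist above and the MGT-interface connectivity requirements (HA TCP ports and the 500 ms latency guideline) can be turned into a pre-flight check run before you enable HA. The following Python is an added example, not Palo Alto Networks code and not part of the original page: the dictionary keys, the sample peer values, the serial numbers, the 198.51.100.20 address and the ping transcript are all constructed assumptions. In practice you would fill the peer descriptions from each peer's `show system info` output, whose field names differ from these keys.

```python
"""Pre-flight checks for a Panorama HA pair.

Added example, not Palo Alto Networks code. It encodes the HA prerequisites
and the MGT connectivity requirements from this page as checks over two
peer descriptions. The dictionary keys, sample values, address and ping
transcript are this example's own assumptions.
"""
import re
from dataclasses import dataclass, field

VIRTUAL_MODEL = "Panorama virtual appliance"
LEGACY_HYPERVISORS = {"ESXi", "vCloud Air"}   # Legacy mode is supported only on these


@dataclass
class HaCheckResult:
    errors: list = field(default_factory=list)    # block HA or leave the peers suspended
    warnings: list = field(default_factory=list)  # recommended, but not required for HA

    @property
    def ha_ready(self) -> bool:
        return not self.errors


def check_ha_prerequisites(a: dict, b: dict) -> HaCheckResult:
    """Compare two peer descriptions (assumed key names) against the prerequisites."""
    r = HaCheckResult()
    virtual = VIRTUAL_MODEL in (a["model"], b["model"])

    # Same form factor: same appliance model, and the same hypervisor for virtual appliances.
    if a["model"] != b["model"]:
        r.errors.append(f"form factor differs: {a['model']} vs {b['model']}")
    elif virtual and a["hypervisor"] != b["hypervisor"]:
        r.errors.append(f"hypervisor differs: {a['hypervisor']} vs {b['hypervisor']}")

    # Same mode; Log Collector mode cannot be an HA peer, Legacy mode only on ESXi/vCloud Air.
    for p in (a, b):
        if p["mode"] == "log-collector":
            r.errors.append(f"{p['serial']}: Log Collector mode does not support HA")
        if p["mode"] == "legacy" and p["hypervisor"] not in LEGACY_HYPERVISORS:
            r.errors.append(f"{p['serial']}: Legacy mode is supported only on ESXi and vCloud Air")
    if a["mode"] != b["mode"]:
        r.errors.append(f"mode differs: {a['mode']} vs {b['mode']}")

    if a["sw_version"] != b["sw_version"]:
        r.errors.append(f"Panorama version differs: {a['sw_version']} vs {b['sw_version']}")
    if a["capacity_license"] != b["capacity_license"]:
        r.errors.append("firewall management capacity license differs")

    if virtual:  # checks that apply only to the Panorama virtual appliance
        if a["fips_cc"] != b["fips_cc"]:
            r.errors.append("FIPS-CC mode is enabled on only one peer")
        if (a["vcpus"], a["memory_gb"]) != (b["vcpus"], b["memory_gb"]):
            r.errors.append("vCPU or memory allocation differs")
        if a["serial"] == b["serial"]:
            r.errors.append("identical serial numbers: both peers would stay suspended")

    # Logging disks: recommended to match, but a mismatch does not affect sync or failover.
    if sorted(a["log_disks_gb"]) != sorted(b["log_disks_gb"]):
        r.warnings.append("logging disk count or capacity differs (allowed, matching is recommended)")
    return r


def ha_tcp_ports(encryption_enabled: bool) -> set:
    """TCP ports that must be reachable between the peers' MGT addresses."""
    return {28} if encryption_enabled else {28769, 28260}


_RTT_SUMMARY = re.compile(r"= ([\d.]+)/([\d.]+)/([\d.]+)/")  # min/avg/max/... summary line


def check_latency(ping_output: str, limit_ms: float = 500.0) -> tuple:
    """Return (average RTT in ms, within recommended limit); (None, False) if unparseable."""
    m = _RTT_SUMMARY.search(ping_output)
    if not m:
        return None, False
    avg = float(m.group(2))
    return avg, avg < limit_ms


# Constructed sample peers: two virtual appliances on AWS in Panorama mode.
PEER_A = {"model": VIRTUAL_MODEL, "hypervisor": "AWS", "mode": "panorama",
          "sw_version": "11.1.2", "capacity_license": "1000 devices", "fips_cc": False,
          "vcpus": 16, "memory_gb": 64, "serial": "000700000001", "log_disks_gb": [2048, 2048]}
PEER_B = dict(PEER_A, serial="000700000002", log_disks_gb=[2048])  # fewer disks: warning only

# Constructed ping summary from peer A's MGT interface to peer B's MGT address.
PING_SAMPLE = """--- 198.51.100.20 ping statistics ---
10 packets transmitted, 10 received, 0% packet loss, time 9012ms
rtt min/avg/max/mdev = 41.283/42.560/43.923/0.915 ms
"""

if __name__ == "__main__":
    result = check_ha_prerequisites(PEER_A, PEER_B)
    print("HA ready:", result.ha_ready, "| warnings:", result.warnings)
    print("open TCP ports (encryption on):", ha_tcp_ports(True))
    print("MGT latency:", check_latency(PING_SAMPLE))
```

The split between `errors` and `warnings` mirrors the page: a mismatch in form factor, mode, version, license, FIPS-CC state, vCPU/memory or a duplicate serial number blocks HA (or leaves both peers suspended), whereas a logging-disk mismatch is only a recommendation. `ha_tcp_ports` gives you the exact TCP ports to permit between the two MGT addresses on any firewall in the path, depending on whether HA encryption is enabled, and `check_latency` reads the summary line that both Linux and BSD `ping` print so you can compare the measured average against the 500 ms guideline.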
Palo Alto Networks recommends you add at least three Log Collectors to your Collector Groups to avoid the Collector Group becoming inoperable if one Log Collector becomes inaccessible. See Changes to Default Behavior for Collector Groups for more information.