>
    Configure Panorama Appliances in High Availability for Panorama Managed Prisma Access
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma
    3. Prisma Access
    4. Activate and Install the Prisma Access Components
    5. Configure Panorama Appliances in High Availability for Panorama Managed Prisma Access
    Download PDF

    Configure Panorama Appliances in High Availability for Panorama Managed Prisma Access

    Table of Contents

    Configure Panorama Appliances in High Availability for Panorama Managed Prisma Access

    An overview and the task you perform to configure a Panorama Managed Prisma Access deployment in High Availability (HA).
    Deploying Panorama appliances in a high availability (HA) configuration provides redundancy in case of a system or network failure and ensures that you have continuous connectivity to Prisma Access. In an HA configuration, one Panorama appliance peer is the active-primary and the other is the passive-secondary. In the event of a failover, the secondary peer becomes active and takes over the role of managing Prisma Access.
    To simplify the HA set up, configure the Panorama appliances in HA after you purchase Prisma Access and Strata Logging Service auth codes and components and associate the serial number of the primary Panorama appliance on which you plan to install the Cloud Services plugin with the auth codes, but before you Activate and Install Panorama Managed Prisma Access. However, you can also use this process to configure existing Panorama appliances that already have the plugin installed.
    Whether you are just getting started with a new pair of Panorama appliances, or you have already set up your standalone Panorama appliance and completed the licensing and installation procedures, make sure to check the prerequisites before you enable HA:
    • You must register the Panorama appliance HA peers to the same customer account on the Customer Support Portal (CSP).
    • The Panorama appliance peers must be of the same form factor (hardware appliances of the same model or identical virtual appliances) and same OS version and must have the same set of licenses. The premium support license is required for Prisma Access and Strata Logging Service.
    • The serial number of the primary Panorama appliance is tied to your Prisma Access and Strata Logging Service auth codes. If you have installed and set up the plugin on a standalone Panorama appliance, ensure that you use that Panorama appliance as the primary peer. If you need to assign this standalone peer as the secondary Panorama appliance, contact Palo Alto Networks support for assistance with transferring the license to the primary Panorama appliance peer before you continue.
    If you disable HA for a Panorama pair and revert to a configuration where a single Panorama manages Prisma Access, you must re-verify your account to prevent errors when retrieving the status of Prisma Access components.
    To set up your Panorama appliances in an HA configuration, complete the following steps.
    1. Set Up HA on Panorama.
      Set the primary Panorama appliance as Primary and the secondary Panorama appliance as Secondary and be sure that the serial number of your primary Panorama appliance is tied to your Prisma Access and Strata Logging Service auth codes.
    2. Make sure that the primary (active) and secondary (passive) Panorama appliances are synchronized and that the HA link state between them is up.
      1. Access the Dashboard on the primary Panorama appliance and select WidgetsSystemHigh Availability to display the HA widget.
      2. Sync to peer, click Yes, and wait for the Running Config to display Synchronized.
      3. Make sure that the Local peer is active.
      4. Access the Dashboard on the passive Panorama appliance and select WidgetsSystemHigh Availability to display the HA widget.
      5. Verify that the Running Config displays Synchronized.
      6. Make sure that the Local peer is passive.
    3. Install the Prisma Access components on the primary Panorama appliance.
      1. Log in to the primary Panorama appliance and select PanoramaLicenses.
      2. Click Retrieve the license keys from license server.
      3. Activate and Install Panorama Managed Prisma Access, including generating a one-time password (OTP) and verifying your account.
    4. Check that HA is enabled.
      1. On the primary Panorama appliance, Access the CLI and enter the following operational command:
        tail follow yes mp-log plugin_cloud_services.log
      2. Find the following text in the log output, where X is the serial number of the primary Panorama appliance and Y is the serial number of the secondary Panorama appliance:
        2017-11-06 15:14:07.790 -0800 INFO: [hainfo] Sending update to CSP for HA peer serial information to https://updates.paloaltonetworks.com/licensesvc/licenseservice.asmx/PanoramaHAInfo (https://updates.paloaltonetworks.com/licensesvc/licenseservice.asmx/PanoramaHAInfo)

2017-11-06 15:14:07.791 -0800 INFO: [hainfo] Data string is primarypanoramasn=<varname>X</varname> &secondarypanoramasn=<varname>Y</varname>

2017-11-06 15:14:17.595 -0800 INFO: [hainfo] HTTP_CODE 200, RESPONSE: <?xml version="1.0" encoding="utf-8"?> <PanoramaHA xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance (http://www.w3.org/2001/XMLSchema-instance)" xmlns:xsd="http://www.w3.org/2001/XMLSchema (http://www.w3.org/2001/XMLSchema)" xmlns="http://www.paloaltonetworks.com/ (http://www.paloaltonetworks.com/)"> <success>true</success>
</PanoramaHA>

2017-11-06 15:14:17.596 -0800 INFO: [hainfo] Cached HA Peer's serial number <varname>Y</varname>
      3. Log in to the Customer Support Portal (CSP) and select AssetsCloud Services to verify that both Panorama peers are tied to your Prisma Access and Strata Logging Service licenses.
      4. Check the fields for the primary and secondary Panorama appliance.
        The Auth Code, Model Name, License Description, and Expiration Date fields should be the same for the primary and secondary Panorama appliance, because Palo Alto Networks has associated the Prisma Access license automatically to the secondary Panorama appliance.
    5. Log in to the secondary Panorama appliance and Activate and Install Panorama Managed Prisma Access.
      When you log in to the Customer Support Portal (CSP) to generate the OTP, make sure that you specify the serial number for the secondary Panorama appliance.
    6. Commit your changes on the primary and secondary Panorama appliance.
      1. CommitCommit and Push your changes.
      2. Click OK and Push.
    7. Verify that the primary and secondary Panorama appliances are still in a synchronized state.

    © 2024 Palo Alto Networks, Inc. All rights reserved.