: Configure HA Devices for SD-WAN
Focus
Focus

Configure HA Devices for SD-WAN

Table of Contents

Configure HA Devices for SD-WAN

Configure Active/Passive HA for two SD-WAN branches or hubs.
You can configure two firewalls as a branch in active/passive HA mode (or two firewalls as a hub in active/passive HA mode) to be part of your SD-WAN environment. In this case, Panorama™ needs to push the same configuration to the active peer and the passive peer, rather than treat the two firewalls individually. To make that happen, you configure active/passive HA before adding the devices for SD-WAN, so that Panorama is aware the devices are HA peers and pushes the same configuration to them. (Only HA active/passive mode is supported.)
Read through the following procedure before you begin so you don’t Commit after adding your HA peers as SD-WAN devices.
In HA, the firewall does not synchronize SD-WAN session distribution statistics. After an HA failover, the session distribution statistics display only statistics of new sessions; statistics of existing sessions are lost.
  1. Before you enable SD-WAN on your HA peers, configure Active/Passive HA on two firewall models that support SD-WAN.
  2. Add the HA peers as SD-WAN devices, but don’t perform the last step to Commit.
  3. In Panorama, select PanoramaManaged DevicesSummary.
  4. At the bottom of the screen, select Group HA Peers. Confirm that under the Status display, the HA Status column includes the two firewalls, one Active and one Passive. Panorama is aware of the HA status and will push the same SD-WAN configuration to the two HA peers when you commit.
  5. Commit and Commit and Push.

Convert Standalone Panorama to Panorama HA/Replace a HA Peer

(SD-WAN plugin 2.2.7 and later 2.2 versions) If you have configured SD-WAN on a standalone Panorama management server and want to convert it as one of the Panorama HA peers, you can do so by following the below steps. You can perform this conversion while retaining the existing SD-WAN configuration. The converted standalone Panorama can act as an active or a passive HA peer.
  1. On the new Panorama management server, configure the management IP address, configure HA, and install the appropriate licenses.
    If you have configured the converted Standalone Panorama as an active Panorama HA peer, then you must configure the new Panorama as a passive HA peer.
  2. (On Active HA peer only) (Mandatory) After configuring the active and passive Panorama, you must synchronize the mongoDB SD-WAN collections by executing the debug plugins sd_wan mongo-db sync-db-to-peer command manually.
  3. (On Active HA peer only) Synchronize the HA peers.
  4. (Optional) (To replace a Panorama HA peer) To perform an RMA for the Panorama HA peers, configure the replaced or new firewall only as a passive HA peer, and repeat the steps 1 through 3.