Panorama > High Availability
To enable high availability (HA) on Panorama, configure
the settings as described in the following table.
Panorama HA Settings | Description |
---|---|
Setup (click Edit) | |
Enable HA | Select to enable HA. |
Peer HA IP Address | Enter the IP address of the MGT interface on the peer. |
Enable Encryption | When enabled, the MGT interface encrypts communication between the HA peers. Before enabling encryption, export the HA key from each HA peer and import the key into the other peer. You import and export the HA key on the Panorama > Certificate Management > Certificates page (see Manage Firewall and Panorama Certificates). HA connectivity uses TCP port 28 with encryption enabled and TCP port 28769 when encryption is not enabled. |
Monitor Hold Time (ms) | Enter the number of milliseconds that the system will wait before acting on a control link failure (range is 1,000 to 60,000; default is 3,000). |
Election Settings (click Edit) | |
Priority (Required on the Panorama virtual appliance) | This setting determines which peer is the primary recipient for firewall logs. Assign one peer as Primary and the other as Secondary in the HA pair. When you configure Log Storage Partitions for a Panorama Virtual Appliance in Legacy Mode, you can use its internal disk (default) or a Network File System (NFS) for log storage. If you configure an NFS, only the primary recipient receives the firewall logs. If you configure internal disk storage, the firewalls send logs to both the primary and the secondary peer by default but you can change this by enabling Only Active Primary Logs to Local Disk in the Logging and Reporting Settings. |
Preemptive | Select to enable the primary Panorama to resume active operation after recovering from a failure. When disabled, the secondary Panorama remains active even after the primary Panorama recovers from a failure. |
HA Timer Settings | Your selection determines the values for the remaining HA election settings, which control the failover speed. See the Recommended and Aggressive values for the following settings. |
Promotion Hold Time (ms) | Enter the number of milliseconds (range is 0 to 60,000) the secondary Panorama peer waits before taking over after the primary peer goes down. The recommended (default) value is 2,000; the aggressive value is 500. |
Hello Interval (ms) | Enter the number of milliseconds (range is 8,000 to 60,000) between hello packets that are sent to verify that the other peer is operational. The recommended (default) and aggressive value is 8,000. |
Heartbeat Interval (ms) | Specify the frequency in milliseconds (range is 1,000 to 60,000) at which Panorama sends ICMP pings to the HA peer. The recommended (default) value is 2,000; the aggressive value is 1,000. |
Preemption Hold Time (min) | This field applies only if you also select Preemptive. Enter the number of minutes (range is 1 to 60) the passive Panorama peer will wait before falling back to active status after it recovers from an event that caused failover. The recommended (default) and aggressive value is 1. |
Monitor Fail Hold Up Time (ms) | Specify the number of milliseconds (range is 0 to 60,000) Panorama waits after a path monitor failure before attempting to re-enter the passive state. During this period, the passive peer is not available to take over for the active peer in the event of failure. This interval enables Panorama to avoid a failover due to the occasional flapping of neighboring devices. The recommended (default) and aggressive value is 0. |
Additional Master Hold Up Time (ms) | Specify the number of milliseconds (range is 0 to 60,000) during which the preempting peer remains in the passive state before taking over as the active peer. The recommended (default) value is 7,000; the aggressive value is 5,000. |
Path Monitoring (click Edit) | |
Enabled | Select to enable path monitoring. Path monitoring enables Panorama to monitor specified destination IP addresses by sending ICMP ping messages to verify that they are responsive. |
Failure Condition | Select whether a failover occurs when Any or All of the monitored path groups fail to respond. |
Path Group (to create a path group for HA path monitoring, click Add and complete the following fields) | |
Name | Specify a name for the path group. |
Enabled | Select to enable the path group. |
Failure Condition | Select whether a failure occurs when Any or All of the specified destination addresses fail to respond. |
Ping Interval | Specify the number of milliseconds between the ICMP echo messages that verify that the path to the destination IP address is up (range is 1,000 to 60,000; default is 5,000). |
Ping Count | Specify the number of failed pings before declaring a failure (range is 3 to 10; default is 3). |
Destination IPs | Enter one or more destination IP addresses to monitor. Use commas to separate multiple addresses. |
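
The following is an added example, not Palo Alto Networks code: it audits a planned set of Panorama HA settings against the ranges in the table above, flags an unencrypted HA link, and reports which TCP port the peers' MGT interfaces need between them. The dictionary keys and the sample values are assumptions made for this example and do not correspond to a PAN-OS configuration schema.

```python
# Ranges from the table above (ms); dict keys are hypothetical, not a PAN-OS schema.
RANGES = {
    "monitor_hold_time": (1000, 60000),
    "promotion_hold_time": (0, 60000),
    "hello_interval": (8000, 60000),
    "heartbeat_interval": (1000, 60000),
    "monitor_fail_hold_up_time": (0, 60000),
    "additional_master_hold_up_time": (0, 60000),
}
PATH_RANGES = {"ping_interval": (1000, 60000), "ping_count": (3, 10)}


def ha_port(settings):
    """TCP port to permit between the peers' MGT interfaces."""
    return 28 if settings.get("enable_encryption") else 28769


def _check(name, value, lo, hi, findings):
    # Unset values are skipped rather than flagged.
    if value is not None and not lo <= value <= hi:
        findings.append(f"{name}={value} outside documented range {lo}-{hi}")


def audit(settings):
    """Return a list of findings for one peer's HA settings."""
    findings = []
    if not settings.get("enable_encryption"):
        findings.append("HA encryption disabled: peers use TCP 28769 unencrypted")
    for key, (lo, hi) in RANGES.items():
        _check(key, settings.get(key), lo, hi, findings)
    if settings.get("preemptive"):  # hold time (minutes) only applies with Preemptive
        _check("preemption_hold_time_min",
               settings.get("preemption_hold_time_min"), 1, 60, findings)
    for group in settings.get("path_groups", []):
        for key, (lo, hi) in PATH_RANGES.items():
            _check(f"{group['name']}.{key}", group.get(key), lo, hi, findings)
        if not group.get("destination_ips"):
            findings.append(f"{group['name']}: no destination IPs to monitor")
    return findings


# Constructed sample settings, not taken from a real deployment.
SAMPLE = {
    "enable_encryption": False, "monitor_hold_time": 3000,
    "hello_interval": 5000, "heartbeat_interval": 2000,
    "preemptive": True, "preemption_hold_time_min": 1,
    "path_groups": [{"name": "core", "ping_interval": 5000, "ping_count": 2,
                     "destination_ips": ["192.0.2.1"]}],
}
```

Running `audit(SAMPLE)` reports the unencrypted link, the hello interval below 8,000 ms, and the ping count below 3; run it against both peers' settings so the two sides of the pair stay consistent.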