Set Up HA on Panorama

Review the Panorama HA Prerequisites before performing the following steps.
If you configure Secure Communication Settings between the Panorama HA peers, the peers use the custom certificate you specify to authenticate one another. Otherwise, the Panorama HA peers use the predefined certificate for authentication.
Whichever way you configure the Panorama HA peers to authenticate, the choice does not affect the ability of the peers to communicate with one another.
  1. Set up connectivity between the MGT ports on the HA peers.
    The Panorama peers communicate with each other using the MGT port. Make sure that the IP addresses you assign to the MGT port on the Panorama servers in the HA pair are routable and that the peers can communicate with each other across your network. To set up the MGT port, see Perform Initial Configuration of the Panorama Virtual Appliance or Perform Initial Configuration of the M-Series Appliance.
    Pick a Panorama peer in the pair and complete the remaining tasks.
  2. Enable HA and (optionally) enable encryption for the HA connection.
    1. Select Panorama > High Availability and edit the Setup section.
    2. Select Enable HA.
    3. In the Peer HA IP Address field, enter the IP address assigned to the peer Panorama.
    4. In the Peer HA Serial field, enter the serial number of the peer Panorama.
      Enter the Panorama HA peer serial number to reduce your attack surface against brute force attacks on the Panorama IP.
    5. In the Monitor Hold Time field, enter the length of time (milliseconds) that the system will wait before acting on a control link failure (range is 1000-60000, default is 3000).
    6. If you do not want encryption, clear the Encryption Enabled check box and click OK: no more steps are required. If you do want encryption, select the Encryption Enabled check box, click OK, and perform the following tasks:
      1. Select Panorama > Certificate Management > Certificates.
      2. Select Export HA key. Save the HA key to a network location that the peer Panorama can access.
      3. On the peer Panorama, navigate to Panorama > Certificate Management > Certificates, select Import HA key, browse to the location where you saved the key, and import it.
  3. Set the HA priority.
    1. In Panorama > High Availability, edit the Election Settings section.
    2. Define the Device Priority as Primary or Secondary. Make sure to set one peer as primary and the other as secondary.
      If both peers have the same priority setting, the peer with the higher serial number will be placed in a suspended state.
    3. Define the Preemptive behavior. By default, preemption is enabled. The preemption setting (enabled or disabled) must be the same on both peers.
      If you are using an NFS for logging and you have disabled preemption, to resume logging to the NFS see Switch Priority after Panorama Failover to Resume NFS Logging.
  4. To configure path monitoring, define one or more path groups.
    The path group lists the destination IP addresses (nodes) that Panorama must ping to verify network connectivity.
    Perform the following steps for each path group that includes the nodes that you want to monitor.
    1. Select Panorama > High Availability and, in the Path Group section, click Add.
    2. Enter a Name for the path group.
    3. Select a Failure Condition for this group:
      • any triggers a path monitoring failure if any one of the IP addresses becomes unreachable.
      • all triggers a path monitoring failure only when none of the IP addresses are reachable.
    4. Add each destination IP address you want to monitor.
    5. Click OK. The Path Group section displays the new group.
  5. (Optional) Select the failure condition for path monitoring on Panorama.
    1. Select Panorama > High Availability and edit the Path Monitoring section.
    2. Select a Failure Condition:
      • all triggers a failover only when all monitored path groups fail.
      • any triggers a failover when any monitored path group fails.
    3. Click OK.
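The Failure Condition is applied at two levels (per path group in Step 4, then across groups in Step 5), and the combinations are easy to misread. The following added example, which is not part of the Panorama documentation, models that logic in Python; the group names and IP addresses are constructed sample data so the outcomes can be checked before committing a configuration.

```python
from dataclasses import dataclass


@dataclass
class PathGroup:
    """One Path Group: the nodes Panorama pings and the group's Failure Condition."""
    name: str
    nodes: list[str]           # destination IP addresses to monitor
    failure_condition: str     # "any" or "all", as in the Path Group dialog

    def unreachable_nodes(self, reachable: dict[str, bool]) -> list[str]:
        # A node missing from the ping results is treated as unreachable.
        return [ip for ip in self.nodes if not reachable.get(ip, False)]

    def failed(self, reachable: dict[str, bool]) -> bool:
        """'any': fail if any node is unreachable; 'all': fail only if none is reachable."""
        down = self.unreachable_nodes(reachable)
        if self.failure_condition == "any":
            return bool(down)
        if self.failure_condition == "all":
            return len(down) == len(self.nodes)
        raise ValueError(f"unknown group failure condition: {self.failure_condition!r}")


def evaluate_path_monitoring(groups, panorama_condition, reachable):
    """Return (failover, failed_group_names) under the Panorama-level Failure Condition."""
    if not groups:                     # no path groups defined: nothing can trigger failover
        return False, []
    failed_names = [g.name for g in groups if g.failed(reachable)]
    if panorama_condition == "any":    # failover when any monitored group fails
        failover = bool(failed_names)
    elif panorama_condition == "all":  # failover only when all monitored groups fail
        failover = len(failed_names) == len(groups)
    else:
        raise ValueError(f"unknown Panorama failure condition: {panorama_condition!r}")
    return failover, failed_names


# Constructed sample groups (names and addresses are illustrative only).
SAMPLE_GROUPS = [
    PathGroup("core-routers", ["10.0.0.1", "10.0.0.2"], "all"),  # tolerate one router loss
    PathGroup("dns", ["10.0.1.53"], "any"),                       # single node: any == all
]


def sample_decision(reachable, panorama_condition="any"):
    """Evaluate one ping snapshot against the sample groups."""
    return evaluate_path_monitoring(SAMPLE_GROUPS, panorama_condition, reachable)


if __name__ == "__main__":
    snapshot = {"10.0.0.1": False, "10.0.0.2": True, "10.0.1.53": True}
    print(sample_decision(snapshot))  # one core router down: no failover
```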
  6. Commit your configuration changes.
    Select Commit > Commit to Panorama and Commit your changes.
  7. Configure the other Panorama peer.
    Repeat Step 2 through Step 6 on the other peer in the HA pair.
  8. Synchronize the Panorama peers.
    1. Access the Dashboard on the active Panorama and select Widgets > System > High Availability to display the HA widget.
    2. Click Sync to peer, click Yes, and wait for the Running Config to display Synchronized.
    3. Access the Dashboard on the passive Panorama and select Widgets > System > High Availability to display the HA widget.
    4. Verify that the Running Config displays Synchronized.
  9. (Optional) Set Up Authentication Using Custom Certificates Between HA Peers.
    You must configure the Secure Communication Settings on both Panorama HA peers. Configuring Secure Communication Settings for Panorama in an HA configuration does not affect HA connectivity between the peers. However, functionality that goes over the Secure Communication link may fail if the Secure Communication Settings are configured incorrectly, or if the HA peer or managed firewalls do not have the correct certificate or have an expired certificate.
    All traffic on the link established by configuring the Secure Communication Settings is always encrypted.
    If you configure Secure Communication Settings for Panorama in an HA configuration, you must also Customize Secure Server Communication. Otherwise, managed firewalls and WildFire appliances are unable to connect to Panorama and PAN-OS functionality is impacted.