https://live.paloaltonetworks.com/t5/panorama-discussions/add-to-panorama-a-new-firewall-to-form-an-ha-with-a-current/m-p/581339#M2237 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/192693">@PavelK</a>&nbsp;,</P> <P>&nbsp;</P> <P>Sorry for the late response.</P> <P>&nbsp;</P> <P>Thank you so much for your reply, it was really useful and can be accepted as a solution.</P> <P>&nbsp;</P> <P><SPAN>With the help of your instructions, we were able to integrate the device into the HA and panorama.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Kind Regards,</SPAN></P> <P><SPAN>Jorge Lopez</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> Fri, 22 Mar 2024 12:34:35 GMT Jorge_Lopez 2024-03-22T12:34:35Z https://live.paloaltonetworks.com/t5/panorama-discussions/add-to-panorama-a-new-firewall-to-form-an-ha-with-a-current/m-p/579476#M2209 <P>One of our customers has a standalone&nbsp;PA-820 that is currently managed by Panorama.</P> <P><BR />They now want to add another PA-820 and form an HA Active/Passive peer with the one mentioned above.</P> <P>&nbsp;</P> <P>Checking PA documentation, I can only see references about how to integrate both HA peers or a standalone firewall&nbsp;but do not mention anything specific about how to add an HA peer to Panorama when the other peer is already managed by Panorama as a standalone.</P> <P>&nbsp;</P> <P>In particular, I have been checking the documents below:</P> <UL> <LI>Add a Firewall as a Managed Device --&gt; <A href="https://docs.paloaltonetworks.com/panorama/10-1/panorama-admin/manage-firewalls/add-a-firewall-as-a-managed-device" target="_blank">https://docs.paloaltonetworks.com/panorama/10-1/panorama-admin/manage-firewalls/add-a-firewall-as-a-managed-device</A></LI> <LI>How to add a locally managed firewall to panorama management --&gt; <A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CloRCAS" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CloRCAS</A></LI> <LI>Migrate a Firewall to Panorama Management and Reuse Existing Configuration --&gt; <A href="https://docs.paloaltonetworks.com/panorama/10-1/panorama-admin/manage-firewalls/transition-a-firewall-to-panorama-management/migrate-a-firewall-to-panorama-management" target="_blank">https://docs.paloaltonetworks.com/panorama/10-1/panorama-admin/manage-firewalls/transition-a-firewall-to-panorama-management/migrate-a-firewall-to-panorama-management</A></LI> </UL> <P>But no one of these documents mentions anything about what the customer wants.&nbsp;</P> <P>&nbsp;</P> <P><SPAN>The existing firewall should keep its configuration in panorama, just adding the HA functionality and becoming the primary node in the cluster. The new firewall should just be added to the existing firewall as a secondary node in the cluster.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Thanks in advance to the community.</SPAN></P> Wed, 06 Mar 2024 15:11:43 GMT https://live.paloaltonetworks.com/t5/panorama-discussions/add-to-panorama-a-new-firewall-to-form-an-ha-with-a-current/m-p/579476#M2209 Jorge_Lopez 2024-03-06T15:11:43Z https://live.paloaltonetworks.com/t5/panorama-discussions/add-to-panorama-a-new-firewall-to-form-an-ha-with-a-current/m-p/579574#M2210 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/265212">@Jorge_Lopez</a></P> <P>&nbsp;</P> <P>thanks for posting.</P> <P>&nbsp;</P> <P>I have not done this exact scenario before. All HA Firewalls I managed were right from the initial setup managed by Panorama. If I were about to do the same what your customer is planning to do, I would follow below steps.</P> <P>&nbsp;</P> <P>1.)</P> <P>Install additional PA-820 and perform initial configuration (management interface) and download/install the same PAN-OS + Application/Threat version what other PA-820 is using.</P> <P>&nbsp;</P> <P>2.)</P> <P>In Panorama, register&nbsp;additional PA-820 in the same Device Group / Template Stack as existing Firewall,&nbsp;then push the configuration to new PA-820. If there is no issue, then I would proceed with HA configuration.&nbsp;If HA function is going to be managed through Panorama, then follow this KB:&nbsp;<A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PNG0CAO" target="_self">How to use one Template stack for a high availability Firewall Pair on Panorama</A>&nbsp;to set up Template for HA feature. Make sure that device priority is set correctly to make existing Firewall is primary active:&nbsp;<A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClWPCA0" target="_self">Understanding Preemption with the Configured Device Priority in HA Active/Passive Mode</A>. If there is no error with pushing HA related configuration, then I would proceed with next step.&nbsp;&nbsp;</P> <P>&nbsp;</P> <P>3.)</P> <P>I would connect HA ports, then make sure that both Firewalls assume respective active role for existing Firewall and passive for new Firewall. If there is no issue with HA synchronization / incompatibility, then I would connect all data plane cables to new Firewall, then perform a failover to make sure there is no issue with traffic flow and interfaces, then fail back.</P> <P>&nbsp;</P> <P>To avoid risk, I would perform steps No. 2 and 3 during the same maintenance window and tested it with failover before closing maintenance window.</P> <P>&nbsp;</P> <P>Kind Regards</P> <P>Pavel</P> Thu, 07 Mar 2024 07:34:06 GMT https://live.paloaltonetworks.com/t5/panorama-discussions/add-to-panorama-a-new-firewall-to-form-an-ha-with-a-current/m-p/579574#M2210 PavelK 2024-03-07T07:34:06Z https://live.paloaltonetworks.com/t5/panorama-discussions/add-to-panorama-a-new-firewall-to-form-an-ha-with-a-current/m-p/581339#M2237 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/192693">@PavelK</a>&nbsp;,</P> <P>&nbsp;</P> <P>Sorry for the late response.</P> <P>&nbsp;</P> <P>Thank you so much for your reply, it was really useful and can be accepted as a solution.</P> <P>&nbsp;</P> <P><SPAN>With the help of your instructions, we were able to integrate the device into the HA and panorama.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Kind Regards,</SPAN></P> <P><SPAN>Jorge Lopez</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> Fri, 22 Mar 2024 12:34:35 GMT https://live.paloaltonetworks.com/t5/panorama-discussions/add-to-panorama-a-new-firewall-to-form-an-ha-with-a-current/m-p/581339#M2237 Jorge_Lopez 2024-03-22T12:34:35Z https://live.paloaltonetworks.com/t5/panorama-discussions/add-to-panorama-a-new-firewall-to-form-an-ha-with-a-current/m-p/588376#M2360 <P>For the new firewall how would you configure the public IP?</P> Thu, 30 May 2024 09:51:28 GMT https://live.paloaltonetworks.com/t5/panorama-discussions/add-to-panorama-a-new-firewall-to-form-an-ha-with-a-current/m-p/588376#M2360 David_Tolo 2024-05-30T09:51:28Z https://live.paloaltonetworks.com/t5/panorama-discussions/add-to-panorama-a-new-firewall-to-form-an-ha-with-a-current/m-p/588380#M2362 <P>The challenge I am running into is the current firewall is in production and I am remote.&nbsp; Everything is cabled up but the new firewall is unconfigured.</P> <P>&nbsp;</P> <P>The current firewalls configure from Panorama.</P> <P>&nbsp;</P> <P>I want to keep HA local instead of panorama manged.</P> <P>&nbsp;</P> <P>My thought is to configure HA local, commit it to the firewalls and then add the new firewall to the device group and template stack.&nbsp; The issue I am running into as soon as I commit the config on the active firewall it becomes passive and the network goes down.&nbsp; Fortunately I have the panorama setting comitt recovery enabled so it comes back up uncommited.</P> <P>&nbsp;</P> <P>I cant figure out how to prevent it from failing over.</P> Thu, 30 May 2024 10:01:30 GMT https://live.paloaltonetworks.com/t5/panorama-discussions/add-to-panorama-a-new-firewall-to-form-an-ha-with-a-current/m-p/588380#M2362 David_Tolo 2024-05-30T10:01:30Z