https://live.paloaltonetworks.com/t5/general-topics/active-passive-ha-setup-with-existing-production-firewall/m-p/125565#M46438 <P>Thanks for the Info. This helped.</P> Thu, 10 Nov 2016 13:12:41 GMT Bvance 2016-11-10T13:12:41Z https://live.paloaltonetworks.com/t5/general-topics/active-passive-ha-setup-with-existing-production-firewall/m-p/123351#M46220 <P>I have a second PA-500 I need to add to an existing production PA-500 for active/passive HA. I have read the admin guide for HA setup, but it appears to be for two pre-production&nbsp;firewalls. Are there any special precautions I need to take into account so that the post production firewall syncs it's config to the new firewall? The admin guide dosen't seem to say.</P><P>&nbsp;</P><P>Thanks,</P> Wed, 02 Nov 2016 18:33:55 GMT https://live.paloaltonetworks.com/t5/general-topics/active-passive-ha-setup-with-existing-production-firewall/m-p/123351#M46220 Bvance 2016-11-02T18:33:55Z https://live.paloaltonetworks.com/t5/general-topics/active-passive-ha-setup-with-existing-production-firewall/m-p/123381#M46222 <P>Hi,</P><P>&nbsp;</P><P>l haven't&nbsp;done much of HA set-ups but make sure you do have a local backup copy of your configuration (somewhere&nbsp;on your MGMT station).</P><P>Then just follow the&nbsp;guide, make a priority to be higher (lower number)&nbsp;on the current running box with preemption&nbsp;is enabled. Can also disable config sync while doing configuration, after all tested enable it back.&nbsp;</P><P>&nbsp;</P><P>Cheers,</P><P>Myky</P> Wed, 02 Nov 2016 19:02:16 GMT https://live.paloaltonetworks.com/t5/general-topics/active-passive-ha-setup-with-existing-production-firewall/m-p/123381#M46222 TranceforLife 2016-11-02T19:02:16Z https://live.paloaltonetworks.com/t5/general-topics/active-passive-ha-setup-with-existing-production-firewall/m-p/124589#M46332 <P>i'd first enable HA on the production firewall without connecting the new one just yet</P> <P>&nbsp;</P> <P>once the config is committed it will show as an active member and the cluster is broken (because the secondary member is 'down')</P> <P>&nbsp;</P> <P>next, configure the second member's basics: HA config, management config (leave everything else default) and make sure it's device priority in HA is <STRONG>higher</STRONG> than the active member (higher number = lower priority) and cluster ID is identical</P> <P>once that configuration is committed, suspend the secondary's HA functionality</P> <PRE>&gt; request high-availability state suspend </PRE> <P>next, hook up the HA cables and wait until member 1 reports the cluster is connected</P> <P>&nbsp;</P> <P>once HA is up (there will be error messages as the config is out of sync) perform a sync-to-peer on the primary unit:</P> <P>&nbsp;</P> <PRE> &gt; request high-availability sync-to-remote running-config</PRE> <P>this will send the active configuration to the new device and commit it</P> Mon, 07 Nov 2016 11:09:47 GMT https://live.paloaltonetworks.com/t5/general-topics/active-passive-ha-setup-with-existing-production-firewall/m-p/124589#M46332 reaper 2016-11-07T11:09:47Z https://live.paloaltonetworks.com/t5/general-topics/active-passive-ha-setup-with-existing-production-firewall/m-p/125565#M46438 <P>Thanks for the Info. This helped.</P> Thu, 10 Nov 2016 13:12:41 GMT https://live.paloaltonetworks.com/t5/general-topics/active-passive-ha-setup-with-existing-production-firewall/m-p/125565#M46438 Bvance 2016-11-10T13:12:41Z