How to Configure High Availability on PAN-OS

by panagent on 05-14-2012 09:46 AM - edited on 09-14-2015 07:30 AM (117,685 Views)


This document describes how to configure High Availability (HA) on a pair of identical Palo Alto Networks firewalls.

Note: This document does not address configuring HA for PA-200 devices.



Configure First Device

  1. Go to Network tab > Interfaces.

    The HA links should look similar to the following screenshot.

    1. Confirm the planned HA links are up.
    2. Configure both interfaces to be Interface Type HA.
    • Skip this step if configuring a pair of PA-3000, PA-4000 or PA-5000 Series devices; those platforms have dedicated HA1 and HA2 ports. All other firewalls, including VM-Series, require specific data ports to be configured as type HA.
  2. Go to Device tab > High Availability > General.

    1. Locate the Setup section.
    2. Click on the gear cog to view/edit the settings.
    3. Enable HA.
    4. Enter a Group ID; it must be the same on both members.
    5. Enter an IP address for the Peer's Control Link. This will be used in the next step.
    6. Enable Config Sync.
    • The Group ID is used when creating the virtual MAC for Layer 3 interfaces. When more than one HA pair is on the same Layer 2 network, the Group ID must be different on each pair, otherwise the pairs will generate duplicate virtual MAC addresses.
    • The Peer HA IP Address (Control Link) can be any IP address that isn't currently in use in the network; it is the address the peer will be given for its own Control Link in step 10.
    • It is recommended to add a Backup Peer HA IP Address if there are enough free ports.
  3. From the General tab, locate the Control Link section and click on Primary.

    1. Choose the first HA interface to be used for the first device's Control Link.
    2. Enter an IP address that is on the same subnet as the Peer HA IP address configured in step 2.
    • If the Control Link is not directly connected to the other firewall, enable encryption (AES-256). The control link carries the configuration sync, which includes credentials and keys, so it should not cross a switch or any other shared path in the clear. Encryption also requires the HA key to be exported from one firewall and imported on the peer (Device > Certificate Management > Certificates).
    • A Gateway is only needed if the two Control Link IPs are in different subnets (separate broadcast domains); otherwise leave it empty.
  4. From the General tab, locate the Data Link section and click Primary:

    1. Choose the other HA interface to be used for the Data Link.
    2. Configure the IP information for the Data Link.
    3. Ensure the Enabled box is checked.

    Notes: Transport Methods

    • Ethernet: Use when the firewalls are connected back-to-back or through a switch (Ethertype 0x7261). This transport has no IP header, so no IP address is required for the Data Link.
    • IP: Use when Layer 3 transport is required (IP protocol number 99).
    • UDP: Use to take advantage of the fact that the UDP checksum covers the entire packet rather than just the header, as with the IP option (UDP port 29281).
    • Unlike the Control Link, the Data Link cannot be encrypted, and it carries the session table and VPN SAs. Keep it back-to-back or on a dedicated VLAN rather than routing it across a shared network.
  5. From the General tab, locate the Election Settings section, and click the gear cog:

    1. To specify one of the firewalls as active, enable Preemptive on both firewalls and set the Device Priority.

      The device with the lowest Device Priority value is the active device (a lower number means a higher priority).

    2. To learn about all of the other settings here, click the ? in the top right corner for detailed explanations.
    3. When state synchronization is enabled, the session table, forwarding table, ARP table, and VPN Security Associations (SAs) are copied from the active device to the passive device over HA2. When the passive device takes over, existing sessions will continue.
    4. If the devices have IP connectivity between the management IPs, it is recommended to enable the Heartbeat Backup, which sends heartbeats over the management interface so that a failure of the HA1 link alone does not leave both members active (split brain).
  6. Commit the configuration.

    At this point, any Layer 3 interface gets a new (shared) virtual MAC address, and multiple gratuitous ARPs are sent out of each Layer 3 interface informing the attached switches of the new IP/MAC combination.


  7. Confirm that HA is active on the local firewall.

    1. Go to the Dashboard tab.
    2. Add the High Availability widget (Widgets > System > High Availability).

    The local firewall's status should show active and the peer values should show unknown, as shown below; the peer has not been configured yet, so this is expected.
  8. Configure the Peer Device.

  9. As in step 1, ensure the peer device has two HA links configured to communicate with the first device's HA links.

    1. Go to the Setup section of the peer device and enable HA, as in step 2.
    2. Assign the same Group ID as on the other device.
    3. Enter the IP address assigned to the other firewall's Control Link.
    4. Enable Config Sync.
  10. From the General tab, locate the Control Link section and click on Primary.

    Note: If encryption is enabled on the first device, enable it here as well; the setting must match on both members.

    1. Choose the first HA interface to be used for the second device's Control Link.
    2. Enter an IP address that is on the same subnet as the Peer HA IP address configured in step 9. This must be the address that was entered as the Peer HA IP Address on the first device in step 2.
  11. From the General tab, locate the Data Link section and click on Primary:


    1. Choose the other HA interface to be used for the Data Link.
    2. Configure the IP information for the Data Link.
    3. Ensure the Enabled box is checked.
    4. Ensure the Transport drop-down matches the first device’s configuration.
  12. Replicate the Election Settings from the first device. The Preemptive setting must match on both members; in this example it is off on both.

    If you enabled Preemptive on the first device:

    1. Enable Preemptive here as well.
    2. Configure the Device Priority field. A higher number means lower priority, so give the member that should normally be active the lower number.
  13. Commit the changes on the Second device:


  14. Go to the first device.


    1. Ensure it still shows as active and it sees the peer device as passive.
    2. Ensure all dynamic updates are synced.
    3. In this example Antivirus and GlobalProtect are not synced.
  15. Update as needed so everything matches, as shown below:


  16. Once everything matches on both devices, go to the active member's Dashboard tab and click Sync to peer. It should say synchronization in progress.


  17. Go to the second (passive) device's CLI and check the HA sync process by running:

    > show jobs all

    The first two attempts failed. Determine and fix the cause of the failure.


  18. To get more details on the failed job, run:

    > show jobs id <id number of the HA-Sync job>

    The first sync failure is ID 13.


    There is a security rule on the passive device named “Samir” that’s causing the HA-Sync process to fail. The rule is a shared rule from a previous Panorama configuration.

    Delete the rule and run the Sync to peer again from the Active Device’s Dashboard tab. The job finished successfully this time:


    High Availability is configured.

  19. Configure Link Monitoring and Path Monitoring (optional):

    1. Device tab > High Availability > Link and Path Monitoring tab.
    2. In this example all links are monitored with the failure condition "any", so if any monitored link goes down on the active device a failover occurs. Only include links whose loss should actually trigger a failover; an unused or lab port in the group will cause a failover every time it flaps.
    3. In this example, Path Monitoring is not configured.
    4. Click the "?" button, in the top right corner of the Link and Path Monitoring tab, to read about Link Monitoring and Path Monitoring.
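The checks made by eye in steps 7, 14, 16 and 18 (peer state, config sync, session-state sync, matching election settings, control-link encryption) can be repeated against the XML that `show high-availability state` returns on the CLI or through the XML API as an op command. The script below is an added example for this article, not Palo Alto Networks code; the two XML documents are constructed to resemble that output, and the tag names it reads (`running-sync`, `state-sync`, `ha1-encrypt-enable` and so on) are assumptions to be checked against the output of your own PAN-OS release.

```python
"""Sanity checks for a PAN-OS active/passive HA pair, run over the XML of
`show high-availability state`. Samples are constructed for this example;
tag names are assumptions modelled on the PAN-OS output."""
import xml.etree.ElementTree as ET
from typing import List

# Constructed sample: a healthy pair as seen from the active member.
SAMPLE_HEALTHY = """<response status="success"><result><enabled>yes</enabled><group>
<mode>Active-Passive</mode><running-sync-enabled>yes</running-sync-enabled>
<running-sync>synchronized</running-sync>
<local-info><state>active</state><priority>100</priority><preemptive>yes</preemptive>
<state-sync>Complete</state-sync><ha1-encrypt-enable>yes</ha1-encrypt-enable></local-info>
<peer-info><state>passive</state><priority>200</priority><preemptive>yes</preemptive></peer-info>
</group></result></response>"""

# Constructed sample: a pair part-way through the article, with the config not yet
# pushed (step 16), session sync incomplete, HA1 in the clear and the priorities
# the wrong way round for the member that is currently active.
SAMPLE_BROKEN = """<response status="success"><result><enabled>yes</enabled><group>
<mode>Active-Passive</mode><running-sync-enabled>yes</running-sync-enabled>
<running-sync>not synchronized</running-sync>
<local-info><state>active</state><priority>200</priority><preemptive>yes</preemptive>
<state-sync>Incomplete</state-sync><ha1-encrypt-enable>no</ha1-encrypt-enable></local-info>
<peer-info><state>passive</state><priority>100</priority><preemptive>yes</preemptive></peer-info>
</group></result></response>"""


def check_ha_state(xml_text: str) -> List[str]:
    """Return a list of findings; an empty list means the pair looks healthy."""
    root = ET.fromstring(xml_text)
    result = root.find("result")
    if root.get("status") != "success" or result is None:
        return ["op command did not return status=success"]

    def text(path: str) -> str:
        node = result.find(path)
        return (node.text or "").strip() if node is not None else ""

    if text("enabled") != "yes":
        return ["HA is not enabled on this firewall"]

    findings: List[str] = []
    local_state, peer_state = text("group/local-info/state"), text("group/peer-info/state")
    # Step 14: exactly one active and one passive member. A peer state of "unknown"
    # is only expected in step 7, before the peer has been configured.
    if {local_state, peer_state} != {"active", "passive"}:
        findings.append(f"unexpected HA states: local={local_state or '?'} peer={peer_state or '?'}")

    # Step 16: running configuration pushed with Sync to peer.
    if text("group/running-sync-enabled") != "yes":
        findings.append("config sync is disabled")
    elif text("group/running-sync") != "synchronized":
        findings.append(f"running config is {text('group/running-sync') or 'in an unknown sync state'}")

    # Step 5.3: session, ARP, forwarding and SA state copied over HA2.
    if text("group/local-info/state-sync") != "Complete":
        findings.append(f"HA2 state sync is {text('group/local-info/state-sync') or 'unknown'}")

    # Steps 5.1 and 12: preemption must match, and with preemption on the member
    # holding the lower priority number should already be the active one.
    local_pre, peer_pre = text("group/local-info/preemptive"), text("group/peer-info/preemptive")
    if local_pre != peer_pre:
        findings.append("preemptive setting differs between the members")
    elif local_pre == "yes":
        try:
            local_prio = int(text("group/local-info/priority"))
            peer_prio = int(text("group/peer-info/priority"))
        except ValueError:
            findings.append("device priority is missing or not numeric")
        else:
            if local_prio == peer_prio:
                findings.append("both members have the same device priority")
            active_prio = local_prio if local_state == "active" else peer_prio
            passive_prio = peer_prio if local_state == "active" else local_prio
            if active_prio > passive_prio:
                findings.append("preemption is on but the higher-priority member is passive; expect a failover")

    # Step 3: the control link carries the config sync, so it should be encrypted.
    if text("group/local-info/ha1-encrypt-enable") != "yes":
        findings.append("HA1 control link is not encrypted")
    return findings


if __name__ == "__main__":
    for name, doc in (("healthy", SAMPLE_HEALTHY), ("broken", SAMPLE_BROKEN)):
        print(name, check_ha_state(doc) or ["OK"])
```

Run it from a monitoring host against both members: the preemption check only makes sense with the priorities of both sides, and a non-empty list after step 18 means the pair is not yet in the state the screenshots in this article show.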


owner: jseals

on 05-24-2012 03:38 AM

Thank you for this Document but is there also one available for configuring HA for PA-200 devices?

by npare
on 05-24-2012 08:36 AM

Hi Wilo,

Thank you for your feedback. The PA-200s support HA Lite, which is configured almost the same way as on the other platforms, except for a few differences: a single port acts as both the HA1 and HA2 links, only active/passive is supported, and only the configuration gets synchronized, not the connections.

I wasn't able to find a document made specifically for the PA-200 so I put that on my todo list.

Basically you will need to configure an interface and set the type to HA (on each firewall). That port can be a data plane port or the management port. The rest of the configuration for the virtual IP will be the same as in this document.

by John_Lee
on 08-12-2015 11:00 PM


I am wondering whether, when the HA2 port's transport type is set to Ethernet, an IPv4 address doesn't need to be configured.

Is that right?

As far as I know, when I set it up that way, there was no problem.

by luancb
on 05-26-2016 12:34 AM

Select the Transport method. The default is ethernet, and will work when the HA pair is connected directly or through a switch. If you need to route the data link traffic through the network, select IP or UDP as the transport mode, enter the IPv4/IPv6 Address and Netmask.
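The three transports described in step 4 and in the comment above differ only in their encapsulation, which is also why the Ethernet transport needs no IP address. The script below is an added example, not part of the article or of any Palo Alto Networks tool: it builds one constructed frame of each kind (the MAC and IP addresses are made up) and classifies raw Ethernet frames by the markers the article gives (Ethertype 0x7261, IP protocol 99, UDP port 29281), including 802.1Q-tagged frames. Fed the frames from a capture of the HA2 link, or of a production segment, it confirms which transport is in use and flags session-sync traffic turning up where it should not.

```python
"""Classify PAN-OS HA2 (Data Link) frames by transport.
Sample frames are constructed for this example; addresses are made up."""
import struct
from typing import Dict, List, Optional

ETHERTYPE_HA2 = 0x7261   # "Ethernet" transport (step 4)
IP_PROTO_HA2 = 99        # "IP" transport
UDP_PORT_HA2 = 29281     # "UDP" transport
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_8021Q = 0x8100
IPPROTO_UDP = 17


def classify_ha_frame(frame: bytes) -> Optional[str]:
    """Return 'ethernet', 'ip' or 'udp' for an HA2 frame, None for anything else."""
    if len(frame) < 14:
        return None
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    offset = 14
    if ethertype == ETHERTYPE_8021Q:          # skip a single VLAN tag
        if len(frame) < 18:
            return None
        ethertype = struct.unpack_from("!H", frame, 16)[0]
        offset = 18
    if ethertype == ETHERTYPE_HA2:
        return "ethernet"                     # no IP header at all
    if ethertype != ETHERTYPE_IPV4 or len(frame) < offset + 20:
        return None
    ihl = (frame[offset] & 0x0F) * 4          # IPv4 header length in bytes
    proto = frame[offset + 9]
    if proto == IP_PROTO_HA2:
        return "ip"
    if proto == IPPROTO_UDP and len(frame) >= offset + ihl + 8:
        sport, dport = struct.unpack_from("!HH", frame, offset + ihl)
        if UDP_PORT_HA2 in (sport, dport):
            return "udp"
    return None


def count_ha_transports(frames: List[bytes]) -> Dict[str, int]:
    """Histogram of HA2 transports seen in a list of raw frames."""
    counts: Dict[str, int] = {}
    for frame in frames:
        kind = classify_ha_frame(frame)
        if kind is not None:
            counts[kind] = counts.get(kind, 0) + 1
    return counts


# --- constructed sample frames (not a real capture) -----------------------
def _eth(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    return dst + src + struct.pack("!H", ethertype) + payload

def _ipv4(src: bytes, dst: bytes, proto: int, payload: bytes) -> bytes:
    # version/IHL, TOS, total length, id, flags/frag, TTL, proto, checksum (left 0), src, dst
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src, dst) + payload

def _udp(sport: int, dport: int, payload: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

MAC_A, MAC_B = bytes.fromhex("001b17000001"), bytes.fromhex("001b17000002")   # made up
IP_A, IP_B = bytes([10, 255, 0, 1]), bytes([10, 255, 0, 2])                     # made up
PAYLOAD = b"\x00" * 32   # stand-in for session-sync data

SAMPLE_FRAMES = [
    _eth(MAC_B, MAC_A, ETHERTYPE_HA2, PAYLOAD),
    _eth(MAC_B, MAC_A, ETHERTYPE_8021Q, struct.pack("!HH", 100, ETHERTYPE_HA2) + PAYLOAD),  # same, on VLAN 100
    _eth(MAC_B, MAC_A, ETHERTYPE_IPV4, _ipv4(IP_A, IP_B, IP_PROTO_HA2, PAYLOAD)),
    _eth(MAC_B, MAC_A, ETHERTYPE_IPV4, _ipv4(IP_A, IP_B, IPPROTO_UDP, _udp(UDP_PORT_HA2, UDP_PORT_HA2, PAYLOAD))),
    _eth(MAC_B, MAC_A, ETHERTYPE_IPV4, _ipv4(IP_A, IP_B, IPPROTO_UDP, _udp(53, 40000, PAYLOAD))),  # ordinary DNS, not HA
]

if __name__ == "__main__":
    print(count_ha_transports(SAMPLE_FRAMES))   # {'ethernet': 2, 'ip': 1, 'udp': 1}
```

The Ethernet transport is only recognisable by its Ethertype, so any HA2 traffic matched by `ip` or `udp` on a segment other than the dedicated HA link is a sign that the Data Link has been routed across the network, which step 4 notes is unencrypted.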

by imranshahid
on 07-11-2017 06:11 AM

Also, you need to go to Device > Dynamic Updates > Schedule and make sure Sync To Peer is checked; that way, when the primary downloads the updates, they will be pushed down to HA2.



on 07-11-2017 06:16 AM

@imranshahid that's if you want the package to be synced

Depending on security stance, some companies opt to only receive updates from Panorama, or have the members update with a hold time of several hours between them in case something breaks.

by jdesoucey
on 01-29-2018 04:08 PM

But how do you setup multiple ports for multiple core switches?

on 01-30-2018 05:55 AM

hi @jdesoucey 

What do you mean exactly?

You can set an aggregate interface to HA mode to connect to several different switches for redundancy, and if you mean a fully separate core, you can set up HA backup links and have a secondary channel

by jdesoucey
on 01-30-2018 01:29 PM

Thanks @reaper. Will look at the aggregate interface. Am trying to have both core layer 3 switches point to the same gateway IP address on the same active FW while also having them both connect to the passive FW at the same time.

on 01-31-2018 12:12 AM

hi @jdesoucey

I feel like your question is more of a design issue than how to connect the firewall HA interfaces? (the HA interfaces do not pass user traffic and are solely used to sync information between the HA members)

My recommendation will only work for HA interfaces


If my assumption is correct, would you mind scooting on over to the discussion forum and post your question there including a network design if possible so we can have a better look at what you're trying to accomplish? I'm sure there will be other people there that will also be able to chime in.
