This document describes how to configure High Availability (HA) on a pair of identical Palo Alto Networks firewalls. Both peers must be the same model, run the same PAN-OS version and carry the same licensed features, otherwise the pair will not form or synchronize correctly.
Note: This document does not address configuring HA for PA-200 devices.
Configure First Device
The HA links should look similar to the following screenshot.
Notes: Transport Methods
The device with the lower numeric Device Priority is preferred as the active device (a lower number means higher priority). This only decides which peer takes over when both come up together or when Preemptive is enabled; with Preemptive disabled, an already active peer is not displaced by a peer with a better priority.
At this point, every Layer3 interface gets a new (shared) virtual MAC address, derived from the HA Group ID, and multiple gratuitous ARPs are sent out of each Layer3 interface so that the attached switches learn the new IP/MAC combination. Because the virtual MAC is derived from the Group ID, do not reuse a Group ID for a second HA pair on the same Layer2 segment, or the two pairs will advertise the same MAC addresses.
The firewall’s status should show active and the other values should be unknown, as shown below:
Configure the Peer Device
Note: If HA1 control link encryption is enabled on the first device, enable it here as well. Encryption must be set identically on both peers, and each peer needs the other's exported HA key imported before the encrypted HA1 link will come up.
For this configuration, Preemptive is off. The Preemptive setting must be the same on both peers.
> show jobs all
In this example the first two HA-Sync attempts failed. Determine and fix the cause of the failure before retrying the sync.
> show jobs id <id number of the HA-Sync job>
The first sync failure is ID 13.
There is a security rule on the passive device named “Samir” that is causing the HA-Sync process to fail. The rule is a shared rule left over from an earlier Panorama-pushed configuration and does not exist on the active device.
After confirming that the rule is not still being pushed by Panorama and is not needed (the sync replaces the passive peer's configuration with the active peer's anyway), delete the rule and run Sync to peer again from the Active Device’s Dashboard tab. The job finished successfully this time:
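The triage above (list the jobs, pick out the failed HA-Sync attempts, read the first failure's detail lines, then confirm the retry succeeded) can be scripted against the same information the PAN-OS XML API returns for `show jobs all`. The following is an added example written for this article, not Palo Alto Networks code: the XML job list is a constructed sample whose element names follow the general shape of an operational-command response but are an assumption, and the "Samir" detail line is invented to mirror the scenario in the text rather than quoting a real PAN-OS error message.

```python
import xml.etree.ElementTree as ET

# Constructed sample of what a PAN-OS XML API call for the operational
# command <show><jobs><all/></jobs></show> might return.  Element names and
# layout are an assumption for this example; the job IDs and results mirror
# the article (HA-Sync 13 and 14 failed, the retry succeeded).  The detail
# text about the "Samir" rule is invented, not a real PAN-OS message.
SAMPLE_JOBS_XML = """<response status="success"><result>
<job><tenq>2013/08/20 10:36:11</tenq><id>13</id><type>HA-Sync</type>
<status>FIN</status><result>FAIL</result>
<details><line>Validation Error:</line>
<line>security rule 'Samir' on peer conflicts with synced rulebase</line>
</details></job>
<job><tenq>2013/08/20 10:38:02</tenq><id>14</id><type>HA-Sync</type>
<status>FIN</status><result>FAIL</result>
<details><line>Validation Error:</line>
<line>security rule 'Samir' on peer conflicts with synced rulebase</line>
</details></job>
<job><tenq>2013/08/20 10:39:40</tenq><id>15</id><type>Commit</type>
<status>FIN</status><result>OK</result><details/></job>
<job><tenq>2013/08/20 10:41:12</tenq><id>16</id><type>HA-Sync</type>
<status>FIN</status><result>OK</result><details/></job>
</result></response>"""


def parse_jobs(xml_text):
    """Turn the job list XML into a list of dicts ordered by job ID."""
    root = ET.fromstring(xml_text)
    jobs = []
    for job in root.iter("job"):
        jobs.append({
            "id": int(job.findtext("id")),
            "type": job.findtext("type", ""),
            "status": job.findtext("status", ""),
            "result": job.findtext("result", ""),
            # Detail lines are what "show jobs id <n>" surfaces for the cause.
            "details": [ln.text or "" for ln in job.iter("line")],
        })
    return sorted(jobs, key=lambda j: j["id"])


def failed_jobs(jobs, job_type="HA-Sync"):
    """Finished jobs of the given type whose result is not OK."""
    return [j for j in jobs
            if j["type"] == job_type and j["status"] == "FIN"
            and j["result"] != "OK"]


def first_failure_id(jobs, job_type="HA-Sync"):
    """ID of the earliest failed job of that type (None if none failed)."""
    failed = failed_jobs(jobs, job_type)
    return failed[0]["id"] if failed else None


def show_job_cmd(job_id):
    """XML form of 'show jobs id <n>' for the API cmd= parameter (assumed)."""
    return "<show><jobs><id>%d</id></jobs></show>" % int(job_id)


def latest_sync_ok(jobs, job_type="HA-Sync"):
    """True if the most recent job of that type finished with result OK."""
    same_type = [j for j in jobs if j["type"] == job_type]
    return bool(same_type) and same_type[-1]["result"] == "OK"


if __name__ == "__main__":
    jobs = parse_jobs(SAMPLE_JOBS_XML)
    for j in failed_jobs(jobs):
        print("HA-Sync job %d failed; query with %s"
              % (j["id"], show_job_cmd(j["id"])))
        for line in j["details"]:
            print("    " + line)
    print("first failure: %s" % first_failure_id(jobs))
    print("latest HA-Sync OK: %s" % latest_sync_ok(jobs))
```

Run against a real firewall, the same functions apply to the response of an XML API `type=op` request; the only change is fetching the XML instead of using the embedded sample. Read the detail lines of the first failure rather than the last, since later retries usually repeat the same cause.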
High Availability is configured.