- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
02-16-2022 06:24 AM
Hi there,
we plan to replace an old firewall cluster against an new one from PA. It will be an active-passive cluster of 2 PA-850 boxes, we plan to use threat prevention + dns security license.
There is only one box active, the other one is on standby.
Is it enough to have the licenses only for the active system, or do we need a license for the passive system as well?
02-16-2022 09:13 AM - edited 02-16-2022 09:14 AM
Hello @Netzer ,
You need separate licenses for each firewall. The excerpt below is from this URL -> https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/high-availability/set-up-activepassive-ha/....
—Licenses are unique to each firewall and cannot be shared between the firewalls. Therefore, you must license both firewalls identically. If both firewalls do not have an identical set of licenses, they cannot synchronize configuration information and maintain parity for a seamless failover.
However, you can order the HA license SKUs which will save you a little $.
Thanks,
Tom
02-16-2022 09:13 AM - edited 02-16-2022 09:14 AM
Hello @Netzer ,
You need separate licenses for each firewall. The excerpt below is from this URL -> https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/high-availability/set-up-activepassive-ha/....
—Licenses are unique to each firewall and cannot be shared between the firewalls. Therefore, you must license both firewalls identically. If both firewalls do not have an identical set of licenses, they cannot synchronize configuration information and maintain parity for a seamless failover.
However, you can order the HA license SKUs which will save you a little $.
Thanks,
Tom
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!