This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Setup HA now and update Licenses later?

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Setup HA now and update Licenses later?

skiffsumner
L0 Member

‎09-07-2017 12:05 PM - edited ‎09-07-2017 12:07 PM

HI there,

Right now we have single PA-3020 as our HQ firewall.

We are planning on setting up HA on a pair of PA-3020. Right now we only have been approved for a budget of the secondary hardware. We have been approved to add matching software licenses in December. I was wondering if it is possible to setup an HA with primary firewall having full licenses and secondary not having any licenses? Then in a few months, we add licenses to secondary firewall. Obviously, we understand that if primary firewall fails we will not have URL filtering, Antivirus, Apps and threats protection on secondary. 

 

 

0 Likes Likes
2 REPLIES 2

Mick_Ball
L7 Applicator

‎09-07-2017 01:19 PM

I dont think you can do this as one of the pre requisites for ha is as follows..

 

The same set of licenses —Licenses are unique to each device and cannot be shared between the devices. Therefore, you must license both devices identically. If both devices do not have an identical set of licenses, they cannot synchronize configuration information and maintain parity for a seamless failover.

 

We have several ha pairs but cannot advise further as always had licences matching.

 

also... I think (at least for vpn gateway license) it is cheaper to purchase one to cover a ha pair than it is to buy one for each.

however this may just have been a bit of sales pitch... Perhaps someone else could advise further.

reaper
Cyber Elite
Cyber Elite
In response to Mick_Ball

‎09-08-2017 01:04 AM

@Mick_Ball is right, HA licence sets are cheaper than 2 sets of single device licences so It might be good to check in on your sales rep to get updated numbers for a HA set

 

technically you can build an HA with one fully licenced and one not-so-much licenced device but it will be a very ugly situation as the cluster depends on matching versions of everything and the secondary won't be able to comply, so you'll get lots of alarms and possibly some unexpected behavior, I would advise against it

in this situation you might be better off using the secondary hardware as a hot/cold standby replacement

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
0 Likes Likes
  • 2060 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks