What should we buy for active passive HA?


L2 Linker



We have been using a PA-3050 running 7.1.x with 3 year premium partner support and a 3 year threat prevention license for about 2 months. We want to set up active passive HA. So what do we need to buy? Will buying only PA-3050 hardware without any support or license be enough for active passive HA?






L6 Presenter



You must have 2x PA-3050 and the same PAN-OS version. Regarding the licences, I don't know if you can buy a PA without the licences and support from a distributor (only eBay probably), but bear in mind that if you fail over to the second PA (that has no licences and support) your features would not work (threat prevention, URL filtering etc).








We were using Sophos UTM before PAN-OS. With Sophos only one license was required for active passive. Two licenses were required only if you do active/active HA. If PAN-OS requires a separate threat prevention license for the passive hardware then what is the purpose of running them in Active/Passive? I should run active/active if I have to pay for new licenses for the passive box.





For active passive PA you need the same licenses on both devices (if you want the same functionality for both cluster members). Licenses for an HA pair are a bit cheaper. Unfortunately you already bought licenses for your current device at full price, but the licenses for the second device will be slightly cheaper.


There is also an alternative without 2 sets of licenses. It's called On-Site-Spare. In that case you have a 2nd device in (cold) standby without licenses, and when the primary device stops working (and support can't solve the issue) you transfer the licenses from the original device to the OSS and switch cables to the OSS device.



L4 Transporter

Hi Rahman,


What about hardware failures, what about software bugs, and can you deny any need of software features?

HA gives more reliability and minimizes downtime. You apply HA, so I guess there is a need for steadiness. But it depends on your company's necessities.




You don't gain anything by running active-active. There is some extra overhead with session setup. And you shouldn't utilise it above 50% anyway, because in that case a single device won't be able to process the traffic when one fails. So you have no HA with that.



Hi Klaus,



I am not saying HA is unnecessary. It is the opposite. We ran our Sophos setup with active/passive for 6 years until it aged out. I am just surprised to hear I need to buy every license for the passive box too. It was different with Sophos. Sophos needs you to license only one of the boxes if you use them with active/passive. When I talked with the reseller about this he said it is the same with PAN-OS. We were short on budget so we got one box with a 3 year threat prevention license and 3 year support. So we could buy only the second box later to run it in passive mode.


It seems our reseller misinformed us (if not lied on purpose).




