Hello @Jorge_Lopez
thanks for posting.
I have not done this exact scenario before. All HA Firewalls I have managed were managed by Panorama right from the initial setup. If I were to do what your customer is planning to do, I would follow the steps below.
1.) Install the additional PA-820, perform the initial configuration (management interface), and download/install the same PAN-OS + Application/Threat version that the other PA-820 is using.
2.) In Panorama, register the additional PA-820 in the same Device Group / Template Stack as the existing Firewall, then push the configuration to the new PA-820. If there is no issue, then I would proceed with the HA configuration. If the HA function is going to be managed through Panorama, then follow this KB: "How to use one Template stack for a high availability Firewall Pair on Panorama" to set up the Template for the HA feature. Make sure that the device priority is set correctly so that the existing Firewall is the primary active: "Understanding Preemption with the Configured Device Priority in HA Active/Passive Mode". If there is no error with pushing the HA-related configuration, then I would proceed with the next step.
3.) I would connect the HA ports, then make sure that both Firewalls assume their respective roles: active for the existing Firewall and passive for the new Firewall. If there is no issue with HA synchronization / incompatibility, then I would connect all data plane cables to the new Firewall, then perform a failover to make sure there is no issue with traffic flow and interfaces, then fail back.
To avoid risk, I would perform steps No. 2 and 3 during the same maintenance window and test it with a failover before closing the maintenance window.
Kind Regards
Pavel
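
A pre-check for step 1 of the reply above, added here as an example and not part of the original post: it compares the `show system info` XML output of the existing and the new PA-820 and lists any model, PAN-OS or Application/Threat content mismatch before the HA ports are connected. The sample replies and version strings are constructed, and how the XML is collected from each firewall is left out.

```python
import xml.etree.ElementTree as ET

# "show system info" fields that should be identical on both PA-820s before
# the HA ports are connected (step 1 above).
MUST_MATCH = ("model", "sw-version", "app-version", "threat-version")


def system_info(xml_text):
    """Extract the MUST_MATCH fields from one 'show system info' XML reply."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise ValueError(f"firewall replied with status={root.get('status')!r}")
    system = root.find("./result/system")
    if system is None:
        raise ValueError("reply has no <result><system> element")
    return {f: (system.findtext(f) or "").strip() for f in MUST_MATCH}


def ha_preflight(existing_xml, new_xml):
    """Return (field, existing, new) for each field that is missing or differs."""
    old, new = system_info(existing_xml), system_info(new_xml)
    return [(f, old[f], new[f]) for f in MUST_MATCH
            if not old[f] or old[f] != new[f]]


def _reply(model, sw, content):
    # Constructed sample reply; the version strings are made up for illustration.
    return ('<response status="success"><result><system>'
            f"<hostname>fw</hostname><model>{model}</model>"
            f"<sw-version>{sw}</sw-version><app-version>{content}</app-version>"
            f"<threat-version>{content}</threat-version>"
            "</system></result></response>")


EXISTING = _reply("PA-820", "10.1.9", "8700-8000")
NEW_STALE = _reply("PA-820", "10.1.9", "8650-7900")   # content not yet updated
NEW_READY = _reply("PA-820", "10.1.9", "8700-8000")

if __name__ == "__main__":
    for name, xml_text in (("stale", NEW_STALE), ("ready", NEW_READY)):
        diffs = ha_preflight(EXISTING, xml_text)
        print(name, "OK to proceed" if not diffs else diffs)
```

An empty list means the checked fields match; any entry should be resolved on the new firewall before moving on to step 2.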