Please enable JavaScript.
Coggle requires JavaScript to display documents.
Set Up Active/Passive HA 443 - Coggle Diagram
Set Up Active/Passive HA
443
Prerequisites for Active/Passive HA
the same PAN-OS version
The same multi virtual system capability
The same model
The same type of interface
the same set of licences
Reset FW to factory default
Define HA Failover Conditions
Configuration Guidelines for Active/Passive HA
You must configure the same Group ID value on both firewalls
If you are using in-band ports as HA links, you must set the interfaces for the HA1 and HA2
links to type HA
Set the HA Mode to Active Passive on both firewalls
If required, enable preemption on both firewalls. The device priority value, however, must not
be identical
If required, configure encryption on the HA1 link (for communication between the HA peers)
on both firewalls
You must enable HA on both firewalls.
Based on the combination of HA1 and HA1 Backup ports you are using, use the following
recommendations to decide whether you should enable heartbeat backup
• HA1: Dedicated HA1 port
HA1 Backup: Dedicated HA1 port
Recommendation: Enable Heartbeat Backup
• HA1: Dedicated HA1 port
HA1 Backup: In-band port
Recommendation: Enable Heartbeat Backup
• HA1: Dedicated HA1 port
HA1 Backup: Management port
Recommendation: Do not enable Heartbeat Backup
• HA1: In-band port
HA1 Backup: In-band port
Recommendation: Enable Heartbeat Backup
• HA1: Management port
HA1 Backup: In-band port
Recommendation: Do not enable Heartbeat Backup
must configure independently on each firewall
Data Link
By default, the HA2 link uses
Ethernet/Layer 2
If using a Layer 3 connection,configure the IP address for the data link on this firewall
Device Priority
Control Link
Path Monitoring
Link Monitoring
Configure Active/Passive HA
Verify Failover