High Availability (HA) Between Two Firewall Platforms


Created On 09/26/18 13:50 PM - Last Updated 07/13/20 20:21 PM



Can you have High Availability (HA) between two (2) different firewall platforms?



Palo Alto Networks devices support high availability only between two identical devices. If the HA1 link is connected between two different platforms, both nodes go into the Suspended state. The only way to recover from this situation is to disconnect the HA1 interface and reboot the device.


Prerequisites for HA setup:

To set up high availability on your Palo Alto Networks firewalls, you need a pair of firewalls that meet the following requirements:


  • The same model – both devices in the pair must be the same hardware model or the same virtual machine model.
  • The same PAN-OS version – both devices must run the same PAN-OS version and must each be up to date on the application, URL, and threat databases. They must also have the same multiple virtual systems capability (single vsys or multi-vsys).
  • The same type of interfaces – dedicated HA links, or a combination of the management port and in-band ports set to interface type HA.
    – Determine the IP address for the HA1 (control) connection between the device pair. The HA1 IP addresses of both peers must be on the same subnet if the peers are directly connected or are connected to the same switch. For devices without dedicated HA ports, you can use the management port for the control connection. Using the management port provides a direct communication link between the management planes on both devices. However, because the management ports will not be directly cabled between the devices, make sure that you have a route that connects these two interfaces across your network.
    – If you use Layer 3 as the transport method for the HA2 (data) connection, determine the IP address for the HA2 link. Use Layer 3 only if the HA2 connection must communicate over a routed network. The IP subnet of the HA2 links must not overlap with that of the HA1 links or with any other subnet assigned to the data ports on the firewall.
  • The same set of licenses – licenses are unique to each device and cannot be shared between the devices, so you must license both devices identically. If the two devices do not have an identical set of licenses, they cannot synchronize configuration information and maintain parity for a seamless failover.

If you connect two different models in the same HA pair, you will see the following syslog message:

HA Group 1: Peer device platform model not matching; going to Suspended state.
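The following is an added example, not code from Palo Alto Networks or from this article: a pre-deployment check that applies the prerequisites listed above to two candidate peers, plus a syslog matcher for the suspend message quoted just above. The peer field names and the sample log lines are constructed for the example and are not PAN-OS CLI or API fields.

```python
import ipaddress
import re
# Constructed sample peer inventories (not real device output); the field
# names are assumptions for this example, not PAN-OS CLI or API fields.
PEER_A = {"model": "PA-3220", "sw_version": "9.1.4", "multi_vsys": False,
          "licenses": {"Threat Prevention", "PAN-DB URL Filtering"},
          "ha1_ip": "10.0.0.1/30", "ha2_ip": "10.0.1.1/30"}
PEER_B = {"model": "PA-3250", "sw_version": "9.1.4", "multi_vsys": False,
          "licenses": {"Threat Prevention"},
          "ha1_ip": "10.0.0.2/30", "ha2_ip": "10.0.1.2/30"}

def check_ha_pair(a, b, ha1_directly_connected=True):
    """Return the prerequisite violations for a candidate pair (empty = OK)."""
    problems = []
    if a["model"] != b["model"]:
        problems.append(f"model mismatch: {a['model']} vs {b['model']}")
    if a["sw_version"] != b["sw_version"]:
        problems.append(f"PAN-OS mismatch: {a['sw_version']} vs {b['sw_version']}")
    if a["multi_vsys"] != b["multi_vsys"]:
        problems.append("multi-vsys capability differs")
    diff = a["licenses"] ^ b["licenses"]  # licenses present on only one peer
    if diff:
        problems.append("license sets differ: " + ", ".join(sorted(diff)))
    ha1_a = ipaddress.ip_interface(a["ha1_ip"]).network
    ha1_b = ipaddress.ip_interface(b["ha1_ip"]).network
    # Same-subnet rule applies only when HA1 is direct or on a shared switch.
    if ha1_directly_connected and ha1_a != ha1_b:
        problems.append(f"HA1 peers not on one subnet: {ha1_a} vs {ha1_b}")
    for peer, ha1_net in ((a, ha1_a), (b, ha1_b)):
        ha2_net = ipaddress.ip_interface(peer["ha2_ip"]).network
        if ha2_net.overlaps(ha1_net):
            problems.append(f"HA2 subnet {ha2_net} overlaps HA1 subnet {ha1_net}")
    return problems

# The suspend message quoted in the article, as a syslog search pattern.
SUSPEND_RE = re.compile(r"HA Group (\d+): Peer device platform model not matching; "
                        r"going to Suspended state")

def find_platform_mismatch_suspends(log_lines):
    """Return the HA group numbers that reported a platform-mismatch suspend."""
    groups = []
    for line in log_lines:
        m = SUSPEND_RE.search(line)
        if m:
            groups.append(int(m.group(1)))
    return groups

# Constructed syslog sample (prefix format is illustrative, not PAN-OS's own).
SAMPLE_LOG = ["Jan 10 12:00:01 fw-a: HA Group 1: Peer device platform model not matching; going to Suspended state",
              "Jan 10 12:00:02 fw-a: HA Group 1: HA1 link up"]
```

Running `check_ha_pair(PEER_A, PEER_B)` on the constructed peers reports the model and license mismatches, which is the condition that would otherwise surface only as the suspend message after the HA1 link is cabled.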


See Also

For more information on High Availability Resources, please see this doc: High availability resources
For additional information, please review the PAN-OS Administrator's Guide in TechDocs.


owner: rvanderveken
