Palo Alto Networks Knowledgebase: Can you have High availability (HA) Between Two(2) Different Firewall Platforms?

Created On 02/07/19 23:46 PM - Last Updated 02/07/19 23:46 PM
Categories: Device Management, Initial Configuration, Installation, QoS, Zone and DoS Protection
Resolution

Question:

Can you have High availability (HA) Between Two(2) Different Firewall Platforms?


Answer:

Palo Alto Networks devices only support high availability between two identical devices. If the HA1 link is connected between two different platforms, both nodes go into a suspended state. The only way to recover from this situation is to disconnect the HA1 interface and reboot the device.


Prerequisites for HA setup:

To set up high availability on your Palo Alto Networks firewalls, you need a pair of firewalls that meet the following requirements:


  • The same model—both the devices in the pair must be of the same hardware model or virtual machine model.
  • The same PAN-OS version—both the devices should be running the same PAN-OS version and must each be up-to-date on the application, URL, and threat databases. They must also both have the same multiple virtual systems capability (single or multi vsys).
  • The same type of interfaces—dedicated HA links, or a combination of the management port and in-band ports that are set to interface type HA.
    – Determine the IP address for the HA1 (control) connection between the device pair. The HA1 IP address for both peers must be on the same subnet if they are directly connected or are connected to the same switch. For devices without dedicated HA ports, you can use the management port for the control connection. Using the management port provides a direct communication link between the management planes on both devices. However, because the management ports will not be directly cabled between the devices, make sure that you have a route that connects these two interfaces across your network.
    – If you use Layer 3 as the transport method for the HA2 (data) connection, determine the IP address for the HA2 link. Use Layer 3 only if the HA2 connection must communicate over a routed network. The IP subnet for the HA2 links must not overlap with that of the HA1 links or with any other subnet assigned to the data ports on the firewall.
  • The same set of licenses—Licenses are unique to each device and cannot be shared between the devices. Therefore, you must license both devices identically. If both devices do not have an identical set of licenses, they cannot synchronize configuration information and maintain parity for a seamless failover.

The above text was taken from the PAN-OS Administrator's Guide 6.1 (English), page 148.
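The prerequisites above are exactly the kind of thing worth checking before cabling HA1, because the article notes that a mismatch leaves both nodes suspended until the link is pulled and the device rebooted. The following is an added example (not code from the Palo Alto Networks article or from PAN-OS) that encodes the listed requirements as a pre-flight function over two peer descriptions: same model, same PAN-OS version, same vsys capability, identical license sets, HA1 peers on one subnet when directly connected or on the same switch, and an HA2 subnet that overlaps neither HA1 nor any data-port subnet. The `Peer` dataclass, its field names and the sample devices are assumptions made for this example; in practice you would fill them from each firewall's system and license information.

```python
"""Pre-flight check for a Palo Alto Networks HA pair (added example, not PAN-OS code)."""
from dataclasses import dataclass
from ipaddress import ip_interface, ip_network


@dataclass(frozen=True)
class Peer:
    """Assumed per-firewall description; the field layout is this example's own."""
    name: str
    model: str
    panos_version: str
    multi_vsys: bool          # multiple virtual systems capability enabled?
    licenses: frozenset       # set of license names installed on the device
    ha1_ip: str               # HA1 (control) address with prefix, e.g. "10.0.0.1/30"
    ha2_ip: str               # HA2 (data) address when Layer 3 transport is used
    data_subnets: tuple       # subnets assigned to the in-band data ports
    ha1_direct: bool = True   # HA1 cabled back-to-back or on the same switch


def ha_preflight(a: Peer, b: Peer) -> list:
    """Return human-readable prerequisite violations for the pair (empty list = OK)."""
    problems = []
    if a.model != b.model:
        problems.append(f"model mismatch: {a.model} vs {b.model}")
    if a.panos_version != b.panos_version:
        problems.append(f"PAN-OS version mismatch: {a.panos_version} vs {b.panos_version}")
    if a.multi_vsys != b.multi_vsys:
        problems.append("multi-vsys capability differs between peers")
    only_a, only_b = a.licenses - b.licenses, b.licenses - a.licenses
    if only_a or only_b:
        problems.append(
            f"license sets differ: only on {a.name}={sorted(only_a)}, "
            f"only on {b.name}={sorted(only_b)}"
        )
    # HA1 peers must share a subnet when directly connected or on one switch.
    if a.ha1_direct and b.ha1_direct:
        if ip_interface(a.ha1_ip).network != ip_interface(b.ha1_ip).network:
            problems.append(f"HA1 addresses not on one subnet: {a.ha1_ip} vs {b.ha1_ip}")
    # The HA2 subnet must not overlap HA1 or any data-port subnet on either device.
    for p in (a, b):
        ha2_net = ip_interface(p.ha2_ip).network
        if ha2_net.overlaps(ip_interface(p.ha1_ip).network):
            problems.append(f"{p.name}: HA2 subnet {ha2_net} overlaps the HA1 subnet")
        for s in p.data_subnets:
            if ha2_net.overlaps(ip_network(s, strict=False)):
                problems.append(f"{p.name}: HA2 subnet {ha2_net} overlaps data subnet {s}")
    return problems


# Constructed sample peers for this example (not real devices).
BASE_LICENSES = frozenset({"threat-prevention", "url-filtering", "support"})
GOOD_A = Peer("fw-a", "PA-3220", "10.1.9", False, BASE_LICENSES,
              "10.0.0.1/30", "10.0.1.1/30", ("192.0.2.0/24",))
GOOD_B = Peer("fw-b", "PA-3220", "10.1.9", False, BASE_LICENSES,
              "10.0.0.2/30", "10.0.1.2/30", ("192.0.2.0/24",))
# A peer that breaks three rules: different model, one license missing,
# and an HA2 address placed inside the data-port subnet.
BAD_B = Peer("fw-b", "PA-3250", "10.1.9", False, frozenset({"threat-prevention", "support"}),
             "10.0.0.2/30", "192.0.2.5/24", ("192.0.2.0/24",))


if __name__ == "__main__":
    for label, pair in (("good pair", (GOOD_A, GOOD_B)), ("bad pair", (GOOD_A, BAD_B))):
        issues = ha_preflight(*pair)
        print(f"{label}: {'OK' if not issues else 'NOT OK'}")
        for issue in issues:
            print("  -", issue)
```

Run the check against both candidate peers before connecting HA1; a non-empty result means the pair would either refuse to synchronize or, for a platform mismatch, suspend as the article describes.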


If you happen to connect two different models in the same HA pair, you will see the following syslog message:

HA Group 1: Peer device platform model not matching; going to Suspended state.
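Because a suspended HA pair means no failover protection, the message above is worth alerting on wherever the firewall's system logs land. The following is an added example (not from the article or from Palo Alto Networks) that scans log lines for the quoted text and returns the HA group and line number of each hit. The sample log lines are constructed for this example; the fields surrounding the message on a real firewall depend on the log format and forwarding settings in use.

```python
"""Detect the HA platform-mismatch suspend message in system logs (added example)."""
import re

# Pattern built from the message text quoted in the article; the HA group number
# is captured so an alert can name the affected group.
HA_MISMATCH_RE = re.compile(
    r"HA Group (?P<group>\d+): Peer device platform model not matching; "
    r"going to Suspended state"
)


def find_ha_platform_mismatch(lines):
    """Return (line_number, ha_group, text) for every log line carrying the message."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = HA_MISMATCH_RE.search(line)
        if match:
            hits.append((number, int(match.group("group")), line.rstrip()))
    return hits


# Constructed sample log lines for this example; only the quoted message text
# comes from the article, the timestamps and hostnames are made up.
SAMPLE_LOG = [
    "Feb  7 23:40:01 fw-a ha: HA Group 1: HA1 link up",
    "Feb  7 23:40:03 fw-a ha: HA Group 1: Peer device platform model not matching; "
    "going to Suspended state.",
    "Feb  7 23:40:05 fw-a general: config commit succeeded",
]


if __name__ == "__main__":
    for number, group, text in find_ha_platform_mismatch(SAMPLE_LOG):
        print(f"ALERT line {number}: HA group {group} suspended on platform mismatch")
        print("  ", text)
```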


See Also

For more information on High Availability Resources, please see this doc:

High availability resources


owner: rvanderveken



Article URL: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClrsCAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail