How to configure template Variables for High Availability Active/Passive

Created On 01/20/20 16:47 PM - Last Modified 11/20/25 15:32 PM


Objective


  • Before PAN-OS 8.1.x, the IP addresses for firewalls in an Active/Passive (A/P) high availability (HA) configuration could not be configured and managed using Panorama, because both firewalls were under the same template and there was no way to assign unique HA IP addresses to each firewall.
  • Template variables were introduced in PAN-OS 8.1. They allow a unique value to be assigned to each variable for each firewall, so the HA IP addresses of firewalls under the same template can be managed from Panorama.


Environment


  • Panorama-managed Next-Generation Firewalls with Active/Passive high availability configuration
  • Panorama
  • PAN-OS 8.1+


Procedure


Below are the step-by-step configurations to set up template variables for the HA1 IP addresses. These steps can also be applied to the other HA IP addresses (HA1 backup, HA2, etc.) as needed.

1) Navigate to the 'Panorama -> Templates' menu and click the 'Manage...' button in the 'Variables' column for the template where you want to create the variables. Create two variables: one local HA1 IP Address and one Peer HA1 IP Address. Assign the appropriate IP addresses for one of the firewalls in the HA pair. Below is an example:


User-added image


2) Navigate to the 'Device -> High Availability -> General' menu and select the template in the dropdown box where you previously created the template variables. In our example, our template name is Variables-Template.


3) Under the 'Setup' section, assign the Peer HA1 IP Address variable. In our example, it is the $HA1-peer variable:


User-added image


4) Navigate to the 'HA Communications' tab and in the 'HA1' section, assign the local HA1 IP Address variable to IPv4/IPv6 Address. In our example, it is the $HA1-local variable. 


User-added image

 

5) Navigate to the 'Panorama -> Managed Devices -> Summary' menu. To change the template variables' values to the appropriate ones for the other firewall in the HA pair, we must Override the template variables for that device.

6) For the HA firewall whose local and peer HA1 IP addresses were not assigned to the variables in Step 1, click on 'Create' under the 'Variables' column:


User-added image


7) Select No in the Create Device Variable Definition pop-up, then click OK. 

8) Working one variable at a time, click the checkbox to the left of the variable, click Override, and then assign the appropriate local and peer HA1 IP addresses for that firewall.


User-added image

9) Commit the changes to Panorama and then Push to the devices.

10) Log in to the respective firewalls and verify the HA1 IP addresses are correct on each firewall.


User-added image
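
The check in step 10 can also be made before the push. The following is an added example, not Palo Alto Networks code: it models how a per-device override replaces a template value and confirms that the two firewalls end up with mirrored HA1 addresses. The device names and 192.0.2.x addresses are constructed; only the variable names $HA1-local and $HA1-peer come from the article.

```python
import ipaddress

LOCAL, PEER = "$HA1-local", "$HA1-peer"   # variable names used in the article

def effective_values(template_vars, overrides):
    """Template values apply unless the device overrides that variable."""
    return {**template_vars, **overrides}

def check_ha1_pair(template_vars, per_device_overrides):
    """Return a list of problems in the HA1 variables of a two-firewall A/P pair."""
    if len(per_device_overrides) != 2:
        raise ValueError("expected exactly two firewalls in the pair")
    problems, parsed = [], {}
    for device, overrides in per_device_overrides.items():
        values = effective_values(template_vars, overrides)
        try:
            # Assumption: variables hold bare IP addresses (no netmask suffix).
            addrs = {v: ipaddress.ip_address(values[v]) for v in (LOCAL, PEER)}
        except (KeyError, ValueError) as exc:
            problems.append(f"{device}: missing or invalid HA1 variable ({exc})")
            continue
        if addrs[LOCAL] == addrs[PEER]:
            problems.append(f"{device}: {LOCAL} and {PEER} are both {addrs[LOCAL]}")
        parsed[device] = addrs
    if len(parsed) == 2:
        (a, va), (b, vb) = parsed.items()
        if va[LOCAL] == vb[LOCAL]:
            problems.append(f"{a} and {b} share local address {va[LOCAL]}")
        # Each firewall's peer address must be the other firewall's local address.
        for x, vx, y, vy in ((a, va, b, vb), (b, vb, a, va)):
            if vx[PEER] != vy[LOCAL]:
                problems.append(f"{x}: peer {vx[PEER]} is not {y}'s local {vy[LOCAL]}")
    return problems

# Constructed sample data (documentation-range addresses, hypothetical device names).
TEMPLATE = {LOCAL: "192.0.2.1", PEER: "192.0.2.2"}              # values from step 1
GOOD = {"fw-a": {}, "fw-b": {LOCAL: "192.0.2.2", PEER: "192.0.2.1"}}
PARTIAL = {"fw-a": {}, "fw-b": {LOCAL: "192.0.2.2"}}            # one override missed in step 8
NO_OVERRIDES = {"fw-a": {}, "fw-b": {}}                         # steps 5-8 skipped

if __name__ == "__main__":
    for name, case in (("good", GOOD), ("partial", PARTIAL), ("none", NO_OVERRIDES)):
        print(name, check_ha1_pair(TEMPLATE, case) or "OK")
```
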
 



Additional Information


For further details on templates and template variables, see the Palo Alto Networks technical documentation.

For video instruction on how to accomplish this, see the following YouTube instructional video:
Creating and Using Template Variables


