Prisma SD-WAN ION Virtual Appliance v7108

High Availability > Operational Commands and Suspend local Panorama for high availability. 2. Copy the serial numbers from the previously exported CSV file and add them to the newly deployed Panorama. Adding serial numbers does not generate the authentication key or trigger a commit. SD-WAN Activation & Onboarding 57 ©2025 Palo Alto Networks, Inc.Replace the SD-WAN enabled Panorama HA Peer 3. Wait for all firewalls to reflect their connection status (connected/disconnected) as seen in the active Panorama. 4. Once statuses match, make the new Panorama functional by selecting Make local Panorama functional for high availability from Panorama > High Availability > Operational Commands. SD-WAN Activation & Onboarding 58 ©2025 Palo Alto Networks, Inc.Replace the SD-WAN enabled Panorama HA Peer STEP 6 | Synchronize Databases. 1. Run the following synchronization command on the active Panorama HA peer: debug plugins sd_wan mongo-db sync-db-to-peer If the result shows sync-in-progress, restart the configd process using: debug software restart process configd 2. Reconnect the active Panorama and rerun the synchronization command. If successful, the active and passive Panorama Mongo databases will be synchronized. SD-WAN Activation & Onboarding 59 ©2025 Palo Alto Networks, Inc.Replace the SD-WAN enabled Panorama HA Peer STEP 7 | Synchronize and Verify. 1. Synchronize the running configuration from active Panorama to passive Panorama to apply all settings. 2. Verify both active and passive Panorama details in the HA dashboard. 3. Check the Mongo database status by running: debug plugins sd_wan mongo-db sync-status 4. Perform a force commit on the passive Panorama to finalize the setup. SD-WAN Activation & Onboarding 60 ©2025 Palo Alto Networks, Inc.Convert SD-WAN enabled Standalone Panorama to Panorama HA Where Can I Use This? What Do I Need? • NGFW (managed by PAN-OS or Panorama) Advanced SD-WAN for NGFW We help you convert a standalone Panorama management server to HA peers. This enables you to convert Panorama servers as active and passive HA peers to form a HA cluster. To convert a standalone Panorama to HA Panorama, you must have downloaded one of the following SD- WAN plugin versions: • SD-WAN plugin 2.2.7 • SD-WAN plugin 3.0.8 • SD-WAN plugin 3.2.2 • SD-WAN plugin 3.3.2 • SD-WAN plugin 2.2.7-h5 or later versions • SD-WAN plugin 3.2.3-h2 or later versions • SD-WAN plugin 3.3.3 or later versions Before conversion ensure that all the device template and device group of the SD-WAN devices are in synchronization with the current Panorama. If a failure occurs on the primary peer after the standalone Panorama has been converted to HA cluster, it automatically fails over and the secondary peer will become active. Follow this workflow to convert an SD-WAN-enabled Panorama management server to a Panorama HA peer. • SD-WAN Plugin 2.2.7, 3.0.8, 3.2.2, and 3.3.2 Versions • SD-WAN Plugin 2.2.7-h5 or Later, 3.2.3-h2 or Later, and 3.3.3 or Later Versions 61Convert SD-WAN enabled Standalone Panorama to Panorama HA SD-WAN Plugin 2.2.7, 3.0.8, 3.2.2, and 3.3.2 Versions STEP 1 | In Panorama, go to Managed Devices > Summary and Export the CSV file from the standalone Panorama management server. STEP 2 | Configure the new Panorama management server. 1. Install the same OS version as the primary active firewall. 2. Configure the management IP address. 3. Install all the required plugins, application version, and antivirus version same as the primary active firewall. 4. Execute the commit force CLI command to commit the changes forcefully. SD-WAN Activation & Onboarding 62 ©2025 Palo Alto Networks, Inc.Convert SD-WAN enabled Standalone Panorama to Panorama HA STEP 3 | Configure the IP address for the newly deployed Panorama as the secondary IP address of Panorama in the Panorama settings (under device template of the devices managed by standalone Panorama), commit and push the changes to all the devices. SD-WAN Activation & Onboarding 63 ©2025 Palo Alto Networks, Inc.Convert SD-WAN enabled Standalone Panorama to Panorama HA STEP 4 | Configure high availability (HA). 1. On the standalone Panorama management server: 1. Navigate to Panorama > High Availability > Setup and configure the IP address and serial number of the newly deployed Panorama. 2. Navigate to Panorama > High Availability > Election Settings, disable Preemptive, set priority to primary and commit the changes. 2. On the newly deployed Panorama management server. 1. Navigate to Panorama > High Availability > Setup and configure the IP address and serial number of the standalone Panorama, which is already managing the network. 2. Navigate to Panorama > High Availability > Election Settings, disable Preemptive, set priority to secondary and commit the changes. 3. Once HA is committed, the new Panorama joins the HA cluster. Initially, the running configuration won’t be synchronized, and differences will appear in the HA dashboard. 4. Address the configuration differences by ensuring the correct versions of applications, antivirus, SD-WAN plugins, and any other required plugins are installed. SD-WAN Activation & Onboarding 64 ©2025 Palo Alto Networks, Inc.Convert SD-WAN enabled Standalone Panorama to Panorama HA STEP 5 | Resolve initial synchronization issues. 1. Synchronization from active to passive Panorama will fail initially, showing an error message. Despite the failure, the authentication key (auth-key), templates, and device groups will be synchronized. 2. Verify the synchronization by refreshing the passive Panorama web interface. The templates and Device Groups tabs should now be visible. 3. Delete any duplicate entries under "No device group assigned." SD-WAN Activation & Onboarding 65 ©2025 Palo Alto Networks, Inc.Convert SD-WAN enabled Standalone Panorama to Panorama HA STEP 6 | Configure Serial Numbers and Finalize Panorama Setup. 1. Suspend the new Panorama management server using Panorama > High Availability > Operational Commands and Suspend local Panorama for high availability. 2. Copy the serial numbers from the previously exported CSV file and add them to the newly deployed Panorama. Adding serial numbers does not generate the authentication key or trigger a commit. SD-WAN Activation & Onboarding 66 ©2025 Palo Alto Networks, Inc.Convert SD-WAN enabled Standalone Panorama to Panorama HA 3. Wait for all firewalls to reflect their connection status (connected or disconnected) as seen in the active Panorama. 4. Once statuses match, make the new Panorama functional by selecting Make local Panorama functional for high availability from Panorama > High Availability > Operational Commands, and delete all the duplicate entries present under No device group assigned. SD-WAN Activation & Onboarding 67 ©2025 Palo Alto Networks, Inc.Convert SD-WAN enabled Standalone Panorama to Panorama HA STEP 7 | Synchronize databases. 1. Run the following synchronization command on the active Panorama HA peer: debug plugins sd_wan mongo-db sync-db-to-peer If the result shows sync-in-progress, restart the configd process using: debug software restart process configd 2. Reconnect the active Panorama and run the synchronization command again. If successful, the active and passive Panorama MongoDB will be synchronized. SD-WAN Activation & Onboarding 68 ©2025 Palo Alto Networks, Inc.Convert SD-WAN enabled Standalone Panorama to Panorama HA STEP 8 | Synchronize and Verify. 1. Synchronize the running configuration from active Panorama to passive Panorama to apply all settings. 2. Verify both active and passive Panorama details in the HA dashboard. 3. Check the MongoDB status by running: debug plugins sd_wan mongo-db sync-status 4. Perform a force commit on the passive Panorama to finalize the setup. SD-WAN Activation & Onboarding 69 ©2025 Palo Alto Networks, Inc.Convert SD-WAN enabled Standalone Panorama to Panorama HA SD-WAN Plugin 2.2.7-h5 or Later, 3.2.3-h2 or Later, and 3.3.3 or Later Versions STEP 1 | Configure the new Panorama management server. 1. Install the same OS version as the primary active firewall. 2. Configure the management IP address. 3. Install all the required plugins, application version, and antivirus version same as the primary active firewall. 4. Execute the commit force CLI command to commit the changes forcefully. STEP 2 | Configure high availability (HA). 1. On the standalone Panorama management server: 1. Navigate to Panorama > High Availability > Setup and configure the IP address and serial number of the newly deployed Panorama. 2. Navigate to Panorama > High Availability > Election Settings, enable Preemptive, set priority to primary and commit the changes. 2. On the newly deployed Panorama management server. 1. Navigate to Panorama > High Availability > Setup and configure the IP address and serial number of the standalone Panorama, which is already managing the network. 2. Navigate to Panorama > High Availability > Election Settings, disable Preemptive, set priority to secondary and commit the changes. 3. Once HA is committed, the new Panorama joins the HA cluster. Initially, the running configuration won’t be synchronized, and differences will appear in the HA dashboard. 4. Address the configuration differences by ensuring the correct versions of applications, antivirus, SD-WAN plugins, and any other required plugins are installed. SD-WAN Activation & Onboarding 70 ©2025 Palo Alto Networks, Inc.Convert SD-WAN enabled Standalone Panorama to Panorama HA STEP 3 | Configure the IP address for the newly deployed Panorama as the secondary IP address of Panorama in the Panorama settings (under device template of the devices managed by standalone Panorama) and commit the changes. SD-WAN Activation & Onboarding 71 ©2025 Palo Alto Networks, Inc.Convert SD-WAN enabled Standalone Panorama to Panorama HA STEP 4 | Synchronize databases. 1. Run the following synchronization command on the active Panorama HA peer: debug plugins sd_wan mongo-db sync-db-to-peer If the result shows sync-in-progress, restart the configd process using: debug software restart process configd 2. Reconnect the active Panorama and run the synchronization command again. If successful, the active and passive Panorama MongoDB will be synchronized. SD-WAN Activation & Onboarding 72 ©2025 Palo Alto Networks, Inc.Convert SD-WAN enabled Standalone Panorama to Panorama HA STEP 5 | Synchronize and Verify. 1. Synchronize the running configuration from active Panorama to passive Panorama to apply all settings. 2. Verify both active and passive Panorama details in the HA dashboard. 3. Check the MongoDB status by running: debug plugins sd_wan mongo-db sync-status 4. Perform a force commit on the passive Panorama to finalize the setup. SD-WAN Activation & Onboarding 73 ©2025 Palo Alto Networks, Inc.Convert SD-WAN enabled Standalone Panorama to Panorama HA STEP 6 | Commit and push the changes from active Panorama to all the firewalls to configure the secondary Panorama IP address. SD-WAN Activation & Onboarding 74 ©2025 Palo Alto Networks, Inc.">