1. What are the prerequisites for Active/Passive HA?

Answer»

 You'll need a pair of Palo Alto Networks firewalls that match the following requirements to set up high availability:

  • Both firewalls in the pair must be the same model, whether hardware or virtual.
  • Both firewalls should be running the same version of PAN-OS, and the application, URL, and threat databases should all be up to date.
  • The multi virtual system capability must be either activated on both firewalls or disabled on both. When it is enabled on a firewall, that firewall requires the purchase of an additional virtual system licence.
  • The same interfaces on both firewalls: dedicated HA links, or a mix of the management port and in-band ports configured as HA interfaces.
  • Determine the IP address for the HA1 (control) connection between the HA peers. Both peers' HA1 IP addresses must be on the same subnet if they are directly connected or connected to the same switch. On firewalls without dedicated HA ports, the control connection can be made using the management port. Using the management port creates a direct link between both firewalls' management planes. Because the management ports will not be directly connected between the peers, make sure you have a route that connects the two interfaces across your network.
  • If you're using Layer 3 as the transport mechanism, determine the IP address for the HA2 (data) connection. Choose Layer 3 if the HA2 link must communicate over a routed network. The HA2 connections' IP subnet must not be the same as the HA1 links' IP subnet or any other subnet assigned to the firewall's data ports.
  • The same set of licences. Each firewall's licences are unique and cannot be shared, so both firewalls must be licensed in the same way. If the two firewalls do not have the same set of licences, they will be unable to synchronise configuration information and preserve parity for a seamless failover.
