The devices in an HA pair use HA links to synchronize
data and maintain state information. On AWS, the CN-Series firewall
uses the following ports:
—The HA1 link is used to exchange hellos,
heartbeats, and HA state information, and management plane sync
for routing. This link is also used to synchronize configuration
changes on either the active or passive device with its peer.
Management port is used for HA1. TCP port 28769 and 28260 for cleartext
communication; port 28 for encrypted communication (SSH over TCP).
—The HA2 link is used to synchronize sessions, forwarding
tables, IPSec security associations and ARP tables between devices in
an HA pair. Data flow on the HA2 link is always unidirectional (except
for the HA2 keep-alive); it flows from the active device to the
Ethernet1/1 must be assigned as the HA2 link;
this is required to deploy the CN-Series firewall on AWS in HA.
The HA data link can be configured to use either IP (protocol number
99) or UDP (port 29281) as the transport.
The CN-Series firewall on AWS does not support backup links for
HA1 or HA2.