HA Links


HA Links

Table of Contents

HA Links

Where Can I Use This?
What Do I Need?
  • CN-Series Firewall
  • CN-Series 10.2.x or above Container Images
  • Panorama
    running PAN-OS 10.2.x or above version
  • Helm 3.6 or above version client
    for CN-Series deployment with Helm
The devices in an HA pair use HA links to synchronize data and maintain state information. On AWS, the CN-Series firewall uses the following ports:
  • Control Link
    —The HA1 link is used to exchange hellos, heartbeats, and HA state information, and management plane sync for routing. This link is also used to synchronize configuration changes on either the active or passive device with its peer.
    The Management port is used for HA1. TCP port 28769 and 28260 for cleartext communication; port 28 for encrypted communication (SSH over TCP).
  • Data Link
    —The HA2 link is used to synchronize sessions, forwarding tables, IPSec security associations and ARP tables between devices in an HA pair. Data flow on the HA2 link is always unidirectional (except for the HA2 keep-alive); it flows from the active device to the passive device.
    Ethernet1/1 must be assigned as the HA2 link; this is required to deploy the CN-Series firewall on AWS in HA. The HA data link can be configured to use either IP (protocol number 99) or UDP (port 29281) as the transport.
The CN-Series firewall on AWS does not support backup links for HA1 or HA2.

Recommended For You