In addition to HA1 and HA2 links, an active/active
deployment also requires a dedicated HA3 link. The firewalls use
this link for forwarding packets to the peer during session setup
and asymmetric traffic flow. The HA3 link is a Layer 2 link that
uses MAC-in-MAC encapsulation. It does not support Layer 3 addressing
or encryption. PA-7000 Series firewalls synchronize sessions across
the NPCs one-for-one. On PA-800 Series, PA-3200 Series, PA-3400
Series, PA-5200 Series, and PA-5400 Series firewalls, you can configure
aggregate interfaces as an HA3 link. The aggregate interfaces can
also provide redundancy for the HA3 link; you cannot configure backup
links for the HA3 link. On PA-3200 Series, PA-3400 Series, PA-5200
Series, PA-5400 Series, and PA-7000 Series firewalls, the dedicated
HSCI ports support the HA3 link. The firewall adds a proprietary
packet header to packets traversing the HA3 link, so the MTU over
this link must be greater than the maximum packet length forwarded. |