The firewalls in an HA pair use HA links to synchronize
data and maintain state information. Some models of the firewall
have dedicated HA ports—Control link (HA1) and Data link (HA2),
while others require you to use the in-band ports as HA links.
For firewalls without dedicated HA ports such as the PA-220
and PA-220R firewalls, as a best practice use the management port
for the HA1 port, and use the dataplane port for the HA1 backup.
For firewalls without dedicated HA ports, decide
which ports to use for HA1 and HA1 backup based on your environment and
understanding which are the least used and least congested. Assign
HA1 to the best interface and HA1 backup to the other one.
HA peers in an HA cluster can be a combination of standalone
members and HA pairs. HA cluster members use an HA4 link and HA4 backup
link to perform session state syncronization. HA1 (control link),
HA2 (data link), and HA3 (packet-forwarding link) are not supported
between cluster members that aren’t HA pairs.
HA Links and Backup
The HA1 link is used to exchange hellos,
heartbeats, and HA state information, and management plane sync
for routing, and User-ID information. The firewalls also use this
link to synchronize configuration changes with its peer. The HA1
link is a Layer 3 link and requires an IP address.
used to exchange heartbeats between HA peers.
Ports used for
HA1—TCP port 28769 and 28260 for clear text communication; port
28 for encrypted communication (SSH over TCP).
The HA2 link is used to synchronize sessions,
forwarding tables, IPSec security associations and ARP tables between
firewalls in an HA pair. Data flow on the HA2 link is always unidirectional
(except for the HA2 keep-alive); it flows from the active or active-primary
firewall to the passive or active-secondary firewall. The HA2 link
is a Layer 2 link, and it uses ether type 0x7261 by default.
used for HA2—The HA data link can be configured to use either IP (protocol
number 99) or UDP (port 29281) as the transport, and thereby allow
the HA data link to span subnets.
HA1 and HA2 Backup Links
Provide redundancy for the HA1 and the HA2
links. In-band ports can be used for backup links for both HA1 and
HA2 connections when dedicated backup links are not available. Consider
the following guidelines when configuring backup HA links:
IP addresses of the primary and backup HA links must not overlap each
HA backup links must be on a different subnet from the primary
HA1-backup and HA2-backup ports must be configured on separate physical
ports. The HA1-backup link uses port 28770 and 28260.
PA-3200 Series firewalls don’t support an IPv6 address for
the HA1-backup link; use an IPv4 address.
Palo Alto Networks recommends enabling
heartbeat backup (uses port 28771 on the MGT interface) if you use
an in-band port for the HA1 or the HA1 backup links.
In addition to HA1 and HA2 links, an active/active
deployment also requires a dedicated HA3 link. The firewalls use
this link for forwarding packets to the peer during session setup
and asymmetric traffic flow. The HA3 link is a Layer 2 link that
uses MAC-in-MAC encapsulation. It does not support Layer 3 addressing
or encryption. PA-7000 Series firewalls synchronize sessions across
the NPCs one-for-one. On PA-800 Series, PA-3200 Series, and PA-5200
Series firewalls, you can configure aggregate interfaces as an HA3
link. The aggregate interfaces can also provide redundancy for the
HA3 link; you cannot configure backup links for the HA3 link. On
PA-3200 Series, PA-5200 Series, and PA-7000 Series firewalls, the
dedicated HSCI ports support the HA3 link. The firewall adds a proprietary
packet header to packets traversing the HA3 link, so the MTU over
this link must be greater than the maximum packet length forwarded.
HA4 Link and HA4 Backup Link
The HA4 link and HA4 backup link perform
session cache synchronization among all HA cluster members having
the same cluster ID. The HA4 link between cluster members detects
connectivity failures between cluster members by sending and receiving
Layer 2 keepalive messages. View the status of the HA4 and HA4 backup
links on the firewall dashboard.