Learn about HA ports available on Palo Alto Networks® firewalls.
When connecting two Palo Alto Networks® firewalls in a high availability (HA) configuration, we recommend that you use the dedicated HA ports for HA Links and Backup Links. These dedicated ports include: the HA1 ports labeled HA1, HA1-A, and HA1-B, used for HA control and synchronization traffic; and the HA2 and High Speed Chassis Interconnect (HSCI) ports, used for HA session setup traffic. The PA-5200 Series firewalls have multipurpose auxiliary ports labeled AUX-1 and AUX-2 that you can configure for HA1 traffic.

You can also configure the HSCI port for HA3, which is used for packet forwarding to the peer firewall during session setup and asymmetric traffic flow (active/active HA only). The HSCI port can carry HA2 traffic, HA3 traffic, or both.

The HA1 and AUX links provide synchronization for functions that reside on the management plane. Using the dedicated HA interfaces on the management plane is more efficient than using the in-band ports because it eliminates the need to pass the synchronization packets over the dataplane.

If your firewall does not have dedicated HA ports, you can configure data ports as HA interfaces. If your firewall has dedicated HA ports but no dedicated HA backup port, you can also configure data ports as backups to the dedicated HA ports.

Whenever possible, connect HA ports directly between the two firewalls in an HA pair (not through a switch or router) to avoid the HA link and communication problems that a network issue could cause.
Use the following table to learn about the dedicated HA ports and how to connect the HA Links and Backup Links:

Model: PA-800 Series Firewalls
Front-Panel Dedicated Port(s):
HA1 and HA2—Ethernet 10Mbps/100Mbps/1000Mbps ports used for HA1 and HA2 in both HA modes.
  For HA1 traffic—Connect the HA1 port on the first firewall directly to the HA1 port on the second firewall in the pair, or connect these ports together through a switch or router.
  For HA2 traffic—Connect the HA2 port on the first firewall directly to the HA2 port on the second firewall in the pair, or connect these ports together through a switch or router.
Model: PA-3200 Series Firewalls
Front-Panel Dedicated Port(s):
HA1-A and HA1-B—Ethernet 10Mbps/100Mbps/1000Mbps ports used for HA1 traffic in both HA modes.
  For HA1 traffic—Connect the HA1-A port on the first firewall directly to the HA1-A port on the second firewall in the pair, or connect them together through a switch or router.
  For a backup to the HA1-A connection—Connect the HA1-B port on the first firewall directly to the HA1-B port on the second firewall in the pair, or connect them together through a switch or router.
  If the firewall dataplane restarts due to a failure or a manual restart, the HA1-B link also restarts. If this occurs while the HA1-A link is not connected and configured, a split-brain condition results. Therefore, we recommend that you connect and configure both the HA1-A ports and the HA1-B ports to provide redundancy and avoid split-brain issues.
  You can remap the firewall's SFP ports as HA1-A and HA1-B ports via PAN-OS or Panorama.
HSCI—The HSCI port is a Layer 1 SFP+ interface that connects two PA-3200 Series firewalls in an HA configuration. Use this port for an HA2 connection, an HA3 connection, or both.
  The traffic carried on the HSCI ports is raw Layer 1 traffic, which is not routable or switchable. Therefore, you must connect the HSCI ports directly to each other (from the HSCI port on the first firewall to the HSCI port on the second firewall).
Model: PA-5200 Series Firewalls
Front-Panel Dedicated Port(s):
HA1-A and HA1-B—Ethernet 10Mbps/100Mbps/1000Mbps ports used for HA1 traffic in both HA modes.
  For HA1 traffic—Connect the HA1-A port on the first firewall directly to the HA1-A port on the second firewall in the pair, or connect them together through a switch or router.
  For a backup to the HA1-A connection—Connect the HA1-B port on the first firewall directly to the HA1-B port on the second firewall in the pair, or connect them together through a switch or router.
HSCI—The HSCI port is a Layer 1 interface that connects two PA-5200 Series firewalls in an HA configuration. Use this port for an HA2 connection, an HA3 connection, or both.
  The HSCI port on the PA-5220 firewall is a QSFP+ port; the HSCI port on the PA-5250, PA-5260, and PA-5280 firewalls is a QSFP28 port.
  The traffic carried on the HSCI port is raw Layer 1 traffic, which is not routable or switchable. Therefore, you must connect the HSCI ports directly to each other (from the HSCI port on the first firewall to the HSCI port on the second firewall).
AUX-1 and AUX-2—Multipurpose auxiliary ports that you can configure for HA1 traffic.
  For HA1 traffic—Connect the AUX-1 port on the first firewall directly to the AUX-1 port on the second firewall in the pair, or connect them together through a switch or router.
  For a backup to the AUX-1 connection—Connect the AUX-2 port on the first firewall directly to the AUX-2 port on the second firewall in the pair, or connect them together through a switch or router.
Model: PA-7000 Series Firewalls
Front-Panel Dedicated Port(s):
HA1-A and HA1-B—Ethernet 10Mbps/100Mbps/1000Mbps ports used for HA1 traffic in both HA modes.
  For HA1 traffic—Connect the HA1-A port on the first firewall directly to the HA1-A port on the second firewall in the pair, or connect them together through a switch or router.
  For a backup to the HA1-A connection—Connect the HA1-B port on the first firewall directly to the HA1-B port on the second firewall in the pair, or connect them together through a switch or router.
  You cannot configure an HA1 connection on the NPC data ports or the management (MGT) port.
HSCI-A and HSCI-B—The HSCI ports are Layer 1 QSFP+ interfaces that connect two PA-7000 Series firewalls in an HA configuration. Use these ports for an HA2 connection, an HA3 connection, or both.
  The traffic carried on the HSCI ports is raw Layer 1 traffic, which is not routable or switchable. Therefore, you must connect these ports as follows:
  For HA2 and HA3 traffic—Connect the HSCI-A port on the first firewall directly to the HSCI-A port on the second firewall.
  For HA2 or HA2/HA3 traffic, the PA-7000 Series firewalls synchronize sessions across the NPCs one-for-one.
  For a backup to the HSCI-A connection—Connect the HSCI-B port on the first firewall directly to the HSCI-B port on the second firewall.
  HA2 and HA2-Backup links can be configured to use a dataplane interface instead of the HSCI ports. However, if configured this way, both the HA2 and HA2-Backup links must use dataplane interfaces. A mix of a dataplane port and an HSCI port for HA2 and HA2-Backup results in a commit failure. This applies to the PA-7050-SMC, PA-7080-SMC, PA-7050-SMC-B, and PA-7080-SMC-B.
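Several of the constraints in this table (HSCI ports must be cabled directly; HSCI carries HA2/HA3 only; no HA1 on PA-7000 NPC data ports or the MGT port; HA2 and HA2-Backup on the PA-7000 Series must both use HSCI or both use dataplane ports; the PA-3200 split-brain caveat when HA1-B is used without HA1-A) can be checked on paper before cabling or committing. The script below is an added example and is not Palo Alto Networks code: the plan dictionary format, the role names, the function names, and the `ethernet<slot>/<port>` naming assumed for in-band data ports are this example's own assumptions, and the two sample plans are constructed, not real deployments.

```python
"""Lint a planned HA cabling layout against the port rules in the table above.

Added example, not Palo Alto Networks code. Model names, port names and the
rules come from the page; the plan format, role names and sample plans are
this example's own assumptions.
"""
import re

HSCI_PORTS = {"HSCI", "HSCI-A", "HSCI-B"}
# Assumed naming for in-band (NPC/dataplane) ports, e.g. "ethernet1/1".
DATAPLANE_RE = re.compile(r"^ethernet\d+/\d+$")


def is_hsci(port):
    return port.upper() in HSCI_PORTS


def is_dataplane(port):
    return bool(DATAPLANE_RE.match(port.lower()))


def check_ha_plan(plan):
    """Return findings ("ERROR: ..." / "WARN: ...") for one HA pair's cabling plan.

    plan = {"model": "PA-3200", "links": {role: {"port": ..., "via": ...}}}
    role is one of ha1, ha1_backup, ha2, ha2_backup, ha3; via is "direct",
    "switch" or "router" (how the matching ports on the two peers are joined).
    """
    model = plan["model"]
    links = plan["links"]
    findings = []

    for role, link in links.items():
        port = link["port"]
        via = link.get("via", "direct")
        if is_hsci(port) and via != "direct":
            # HSCI carries raw Layer 1 traffic: neither routable nor switchable.
            findings.append(f"ERROR: {role} on {port} must be cabled directly, not via a {via}")
        elif via != "direct":
            # Permitted for the Ethernet HA ports, but direct cabling is recommended.
            findings.append(f"WARN: {role} on {port} passes through a {via}; direct cabling is recommended")
        if is_hsci(port) and role.startswith("ha1"):
            # HSCI is for HA2, HA3 or both; HA1 belongs on HA1/HA1-A/HA1-B/AUX ports.
            findings.append(f"ERROR: {role} cannot use {port}; HSCI carries HA2/HA3 only")

    if model.startswith("PA-7000"):
        for role in ("ha1", "ha1_backup"):
            port = links.get(role, {}).get("port", "")
            if port.upper() == "MGT" or is_dataplane(port):
                findings.append(f"ERROR: {role} cannot use {port} on the PA-7000 Series (no NPC data ports or MGT)")
        ha2 = links.get("ha2", {}).get("port")
        ha2_backup = links.get("ha2_backup", {}).get("port")
        if ha2 and ha2_backup and is_hsci(ha2) != is_hsci(ha2_backup):
            # Mixing an HSCI port with a dataplane port across HA2/HA2-Backup fails to commit.
            findings.append("ERROR: HA2 and HA2-Backup must both use HSCI or both use dataplane ports; a mix fails to commit")

    if model.startswith("PA-3200"):
        ports = {link["port"].upper() for link in links.values()}
        if "HA1-B" in ports and "HA1-A" not in ports:
            # HA1-B restarts with the dataplane; HA1-A is what keeps the pair from splitting.
            findings.append("WARN: HA1-B restarts with the dataplane; without HA1-A a dataplane restart causes split brain")

    return findings


# Constructed sample plans (hypothetical, not real deployments).
GOOD_PA3200 = {
    "model": "PA-3200",
    "links": {
        "ha1": {"port": "HA1-A", "via": "direct"},
        "ha1_backup": {"port": "HA1-B", "via": "direct"},
        "ha2": {"port": "HSCI", "via": "direct"},
        "ha3": {"port": "HSCI", "via": "direct"},
    },
}

BAD_PA7000 = {
    "model": "PA-7000",
    "links": {
        "ha1": {"port": "MGT", "via": "direct"},
        "ha1_backup": {"port": "HA1-B", "via": "switch"},
        "ha2": {"port": "HSCI-A", "via": "direct"},
        "ha2_backup": {"port": "ethernet1/1", "via": "direct"},
    },
}

if __name__ == "__main__":
    for name, plan in (("GOOD_PA3200", GOOD_PA3200), ("BAD_PA7000", BAD_PA7000)):
        print(name, check_ha_plan(plan) or ["OK"])
```

Running the script reports no findings for the PA-3200 plan, and three for the PA-7000 plan: a warning that HA1-B passes through a switch, an error for HA1 on the MGT port, and an error for the HSCI/dataplane mix across HA2 and HA2-Backup. Findings are returned as a list so the check can be wired into a change-review step rather than only printed.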