HA Ports on the PA-7000 Series Firewall

HA connectivity on the PA-7000 Series mandates the use of specific ports on the Switch Management Card (SMC) for certain functions; for other functions, you can use the ports on the Network Processing Card (NPC). PA-7000 Series firewalls synchronize sessions across the NPCs one-for-one.
The following table describes the SMC ports that are designed for HA connectivity:
HA Links and Backup Links: Control Link
Ports on the SMC: HA1-A
Description:
Speed: Ethernet 10/100/1000
Used for HA control and synchronization in both HA Modes. Connect this port directly from the HA1-A port on the first firewall to the HA1-A port on the second firewall in the pair, or connect them through a switch or router.
HA1 cannot be configured on NPC data ports or the MGT port.

HA Links and Backup Links: Control Link Backup
Ports on the SMC: HA1-B
Description:
Speed: Ethernet 10/100/1000 port
Used for HA control and synchronization as a backup for HA1-A in both HA Modes. Connect this port directly from the HA1-B port on the first firewall to the HA1-B port on the second firewall in the pair, or connect them through a switch or router.
HA1 Backup cannot be configured on NPC data ports or the MGT port.

HA Links and Backup Links: Data Link, Data Link Backup
Ports on the SMC: HSCI-A, HSCI-B
Description:
The High Speed Chassis Interconnect (HSCI) ports are Layer 1 Quad Port SFP+ (QSFP+) interfaces used to connect two PA-7000 Series firewalls in an HA configuration. Each port is comprised of four 10 gigabit channels multiplexed for a combined speed of 40 gigabits.
The traffic carried on the HSCI ports is raw layer-1, which is not routable or switchable; therefore the HSCI ports must be connected directly to each other. The HSCI-A on the first chassis connects directly to HSCI-A on the second chassis and HSCI-B on the first chassis connects to HSCI-B on the second chassis. This provides full 80 gigabit transfer rates. In software, both ports (HSCI-A and HSCI-B) are treated as one HA interface.
Palo Alto Networks recommends using the dedicated HSCI ports for the HA2 link. The HA3 link, required for packet forwarding in an active/active deployment, must use the HSCI port; the HA3 traffic cannot be configured on data ports.
If the firewalls are deployed in:
  • an active/active configuration, the HA3 link must use the HSCI ports. The HA2 link and HA2 backup links can use the HSCI ports or data ports on the NPC.
  • an active/passive configuration, you can configure a data port on the NPC for the HA2 link or the HA2 backup link, if needed.
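
The port rules in the table above can be checked against a cabling plan before the firewalls are racked. The following Python sketch is an added example, not Palo Alto Networks code: the plan format, the role names (`ha1`, `ha2`, `ha3` and their backups), the `ethernetN/M` spelling for NPC data ports and both sample plans are assumptions made for illustration.

```python
import re

SMC_PORTS = {"HA1-A", "HA1-B", "HSCI-A", "HSCI-B"}
HSCI_PORTS = {"HSCI-A", "HSCI-B"}
HA1_PORT = {"ha1": "HA1-A", "ha1-backup": "HA1-B"}
# Assumption: NPC data ports are written like "ethernet1/5" in the plan.
NPC_DATA_PORT = re.compile(r"^ethernet\d+/\d+$")

def check_ha_plan(mode, links):
    """Return findings for a planned HA cabling layout (empty list = no violations).

    mode  -- "active/active" or "active/passive"
    links -- dicts with keys role, local, peer, path ("direct" or "switched")
    """
    findings = []
    if mode == "active/active" and not any(l["role"] == "ha3" for l in links):
        findings.append("ha3: link is required in active/active but not planned")
    for l in links:
        role, local, peer, path = l["role"], l["local"], l["peer"], l["path"]
        if role in HA1_PORT:
            if local != HA1_PORT[role]:
                findings.append(f"{role}: must use SMC port {HA1_PORT[role]}, not {local}")
        elif role in ("ha2", "ha2-backup"):
            if local not in HSCI_PORTS and not NPC_DATA_PORT.match(local):
                findings.append(f"{role}: must use an HSCI port or an NPC data port, not {local}")
        elif role == "ha3":
            if local not in HSCI_PORTS:
                findings.append(f"ha3: must use an HSCI port, not {local}")
        else:
            findings.append(f"{role}: unknown link role")
        # SMC ports pair like-for-like: HA1-A to HA1-A, HSCI-A to HSCI-A, and so on.
        if local in SMC_PORTS and peer != local:
            findings.append(f"{role}: {local} must connect to {local} on the peer, not {peer}")
        # HSCI traffic is raw Layer 1, so nothing may sit between the two chassis.
        if local in HSCI_PORTS and path != "direct":
            findings.append(f"{role}: {local} carries raw Layer 1 traffic, cable it directly")
    return findings

# Constructed sample plans (not taken from a real deployment).
GOOD_PLAN = [
    {"role": "ha1", "local": "HA1-A", "peer": "HA1-A", "path": "switched"},
    {"role": "ha1-backup", "local": "HA1-B", "peer": "HA1-B", "path": "direct"},
    {"role": "ha2", "local": "ethernet1/5", "peer": "ethernet1/5", "path": "direct"},
    {"role": "ha3", "local": "HSCI-A", "peer": "HSCI-A", "path": "direct"},
]
BAD_PLAN = [
    {"role": "ha1", "local": "MGT", "peer": "MGT", "path": "switched"},
    {"role": "ha2", "local": "HSCI-A", "peer": "HSCI-B", "path": "direct"},
    {"role": "ha3", "local": "ethernet2/1", "peer": "ethernet2/1", "path": "direct"},
]
```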
