HA Ports on Palo Alto Networks Firewalls
When connecting two Palo Alto Networks® firewalls in a high availability (HA) configuration, we recommend that you use the dedicated HA ports for HA Links and Backup Links. These dedicated ports include: the HA1 ports labeled HA1, HA1-A, and HA1-B used for HA control and synchronization traffic; and HA2 and the High Speed Chassis Interconnect (HSCI) ports used for HA session setup traffic. The PA-5200 Series firewalls have multipurpose auxiliary ports labeled AUX-1 and AUX-2 that you can configure for HA1 traffic.
You can also configure the HSCI port for HA3, which is used for packet forwarding to the peer firewall during session setup and asymmetric traffic flow (active/active HA only). The HSCI port can be used for HA2 traffic, HA3 traffic, or both.
The HA1 and AUX links provide synchronization for functions that reside on the management plane. Using the dedicated HA interfaces on the management plane is more efficient than using the in-band ports as this eliminates the need to pass the synchronization packets over the dataplane.
If your firewall does not have dedicated HA ports, you can configure data ports as HA interfaces. If your firewall does have dedicated HA ports but does not have a dedicated HA backup port, you can also configure data ports as backups to dedicated HA ports.
Whenever possible, connect HA ports directly between the two firewalls in an HA pair (not through a switch or router) to avoid HA link and communications problems that could occur if there is a network issue.
Use the following table to learn about dedicated HA ports and how to connect the HA Links and Backup Links:
Front-Panel Dedicated Port(s)
PA-800 Series, PA-3000 Series, and PA-5000 Series Firewalls
PA-5200 Series Firewalls
PA-5200 Series Firewalls (continued)
PA-7000 Series Firewalls
Recommended For You
Recommended videos not found.