HA Ports on Palo Alto Networks Firewalls
Learn about HA ports available on Palo Alto Networks® firewalls.
When connecting two Palo Alto Networks® firewalls in a high availability (HA) configuration, we recommend that you use the dedicated HA ports for HA Links and Backup Links. These dedicated ports include: the HA1 ports labeled HA1, HA1-A, and HA1-B used for HA control and synchronization traffic; and HA2 and the High Speed Chassis Interconnect (HSCI) ports used for HA session setup traffic. The PA-5200 Series firewalls have multipurpose auxiliary ports labeled AUX-1 and AUX-2 that you can configure for HA1 traffic.
You can also configure the HSCI port for HA3, which is used for packet forwarding to the peer firewall during session setup and asymmetric traffic flow (active/active HA only). The HSCI port can be used for HA2 traffic, HA3 traffic, or both.
The HA1, HA2, and AUX links provide synchronization for functions that reside on the management plane. Using the dedicated HA interfaces on the management plane is more efficient than using the in-band ports as this eliminates the need to pass the synchronization packets over the dataplane.
If your firewall does not have dedicated HA ports, you can configure data ports as HA interfaces. If your firewall does have dedicated HA ports but does not have a dedicated HA backup port, you can also configure data ports as backups to dedicated HA ports.
Whenever possible, connect HA ports directly between the two firewalls in an HA pair (not through a switch or router) to avoid HA link and communications problems that could occur if there is a network issue.
Use the following table to learn about dedicated HA ports and how to connect the HA Links and Backup Links:
Front-Panel Dedicated Port(s)
PA-800 Series, PA-3000 Series, and PA-5000 Series Firewalls
PA-3200 Series Firewalls
PA-5200 Series Firewalls
PA-5200 Series Firewalls (continued)
PA-7000 Series Firewalls
For HA2 or HA2/HA3 traffic, the PA-7000 Series firewalls synchronize sessions across the NPCs one-for-one.
Prerequisites for Active/Active HA
Prerequisites for Active/Active HA To set up active/active HA on your firewalls, you need a pair of firewalls that meet the following requirements: The same ...
Configure Active/Active HA
Configure Active/Active HA The following procedure describes the basic workflow for configuring your firewalls in an active/active configuration. However, before you begin, Determine Your Active/Active ...
HA Links and Backup Links
HA Links and Backup Links The firewalls in an HA pair use HA links to synchronize data and maintain state information. Some models of the ...
Configure Active/Passive HA
Configure Active/Passive HA The following procedure shows how to configure a pair of firewalls in an active/passive deployment as depicted in the following example topology. ...
Prerequisites for Active/Passive HA
Prerequisites for Active/Passive HA To set up high availability on your Palo Alto Networks firewalls, you need a pair of firewalls that meet the following ...
Configure HA Settings
Configure HA Settings To configure HA settings, select Device High Availability and then, for each group of settings, specify the corresponding information described in the ...
Configuration Guidelines for Active/Passive HA
Configuration Guidelines for Active/Passive HA To set up an active (PeerA) passive (PeerB) pair in HA, you must configure some options identically on both firewalls ...
Ports Used for HA
Ports Used for HA Firewalls configured as High Availability (HA) peers must be able to communicate with each other to maintain state information (HA1 control ...
Objects > Services
Objects > Services When you define security policies for specific applications, you can select one or more services to limit the port numbers the applications ...