Ports Used for HA
Firewalls configured as High Availability (HA) peers must be able to communicate with each other to maintain state information (HA1 control link) and synchronize data (HA2 data link). In Active/Active HA deployments the peer firewalls must also forward packets to the HA peer that owns the session. The HA3 link is a Layer 2 (MAC-in-MAC) link and it does not support Layer 3 addressing or encryption.
Used for the HA1 control link for clear text communication between the HA peer firewalls. The HA1 link is a Layer 3 link and requires an IP address.
Used for the HA1 control link for encrypted communication (SSH over TCP) between the HA peer firewalls.
Listening port for HA1 backup links.
Used for heartbeat backups. Palo Alto Networks recommends enabling heartbeat backup on the MGT interface if you use an in-band port for the HA1 or the HA1 backup links.
Used for the HA2 link to synchronize sessions, forwarding tables, IPSec security associations and ARP tables between firewalls in an HA pair. Data flow on the HA2 link is always unidirectional (except for the HA2 keep-alive); it flows from the active firewall (Active/Passive) or active-primary (Active/Active) to the passive firewall (Active/Passive) or active-secondary (Active/Active). The HA2 link is a Layer 2 link, and it uses ether type 0x7261 by default.
The HA data link can also be configured to use either IP (protocol number 99) or UDP (port 29281) as the transport, and thereby allow the HA data link to span subnets.
HA Links and Backup Links
HA Links and Backup Links The firewalls in an HA pair use HA links to synchronize data and maintain state information. Some models of the ...
HA Links The devices in an HA pair use HA links to synchronize data and maintain state information. on AWS, the VM-Series firewall uses the ...
Configure HA Settings
Configure HA Settings To configure HA settings, select Device High Availability and then, for each group of settings, specify the corresponding information described in the ...
Configuration Guidelines for Active/Passive HA
Configuration Guidelines for Active/Passive HA To set up an active (PeerA) passive (PeerB) pair in HA, you must configure some options identically on both firewalls ...
HA Ports on Palo Alto Networks Firewalls
Learn about HA ports available on Palo Alto Networks® firewalls. ...
Configure Active/Passive HA
Configure Active/Passive HA The following procedure shows how to configure a pair of firewalls in an active/passive deployment as depicted in the following example topology. ...
Prerequisites for Active/Passive HA
Prerequisites for Active/Passive HA To set up high availability on your Palo Alto Networks firewalls, you need a pair of firewalls that meet the following ...
Configure Active/Active HA
Configure Active/Active HA The following procedure describes the basic workflow for configuring your firewalls in an active/active configuration. However, before you begin, Determine Your Active/Active ...
Prerequisites for Active/Active HA
Prerequisites for Active/Active HA To set up active/active HA on your firewalls, you need a pair of firewalls that meet the following requirements: The same ...