HA Links and Backup Links
The firewalls in an HA pair use HA links to synchronize data and maintain state information. Some models of the firewall have dedicated HA ports—Control link (HA1) and Data link (HA2), while others require you to use the in-band ports as HA links.
- For firewalls with dedicated HA ports, use these ports to manage communication and synchronization between the firewalls. For details, see HA Ports on Palo Alto Networks Firewalls.
- For firewalls without dedicated HA ports such as the PA-220 and PA-220R firewalls, as a best practice use the dataplane port for the HA port, and use the management port as the HA1 backup.
The HA1 link is used to exchange hellos, heartbeats, and HA state information, and to synchronize management plane information for routing and User-ID. The firewalls also use this link to synchronize configuration changes with their peer. The HA1 link is a Layer 3 link and requires an IP address.
ICMP is used to exchange heartbeats between HA peers.
Ports used for HA1—TCP ports 28769 and 28260 for clear text communication; port 28 for encrypted communication (SSH over TCP).
If you enable encryption on the HA1 link, you can also Refresh HA1 SSH Keys and Configure Key Options.
The HA2 link is used to synchronize sessions, forwarding tables, IPSec security associations and ARP tables between firewalls in an HA pair. Data flow on the HA2 link is always unidirectional (except for the HA2 keep-alive); it flows from the active or active-primary firewall to the passive or active-secondary firewall. The HA2 link is a Layer 2 link, and it uses ether type 0x7261 by default.
Ports used for HA2—The HA data link can be configured to use either IP (protocol number 99) or UDP (port 29281) as the transport, and thereby allow the HA data link to span subnets.
Provide redundancy for the HA1 and the HA2 links. In-band ports can be used for backup links for both HA1 and HA2 connections when dedicated backup links are not available. Consider the following guidelines when configuring backup HA links:
Palo Alto Networks recommends enabling heartbeat backup (uses port 28771 on the MGT interface) if you use an in-band port for the HA1 or the HA1 backup links.
In addition to HA1 and HA2 links, an active/active deployment also requires a dedicated HA3 link. The firewalls use this link for forwarding packets to the peer during session setup and asymmetric traffic flow. The HA3 link is a Layer 2 link that uses MAC-in-MAC encapsulation. It does not support Layer 3 addressing or encryption. PA-7000 Series firewalls synchronize sessions across the NPCs one-for-one. On PA-800 Series, PA-3000 Series, PA-3200 Series, and PA-5200 Series firewalls, you can configure aggregate interfaces as an HA3 link. The aggregate interfaces can also provide redundancy for the HA3 link; you cannot configure backup links for the HA3 link. On PA-3200 Series, PA-5200 Series, and PA-7000 Series firewalls, the dedicated HSCI ports support the HA3 link. The firewall adds a proprietary packet header to packets traversing the HA3 link, so the MTU over this link must be greater than the maximum packet length forwarded.
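The following is an added example, not code from Palo Alto Networks: it audits flow records captured between two HA peers against the HA1, HA2 and heartbeat backup ports and protocols listed above, reporting clear text HA1 and any flow that matches no HA function. The CSV column layout, the labels and the sample addresses are assumptions made for the example.

```python
import csv
import io

# Port, protocol and EtherType values are the ones stated on this page.
HA1_CLEAR_TCP = {28769, 28260}
HA1_SSH_TCP = 28
HB_BACKUP_PORT = 28771   # page gives no transport, so match on port alone
HA2_UDP, HA2_IP_PROTO, HA2_ETHERTYPE = 29281, 99, 0x7261

# Constructed sample flows between two HA peers (column layout is assumed).
SAMPLE = """src,dst,ethertype,ip_proto,dport
10.0.0.1,10.0.0.2,0x0800,6,28769
10.0.0.1,10.0.0.2,0x0800,1,
10.0.0.1,10.0.0.2,0x7261,,
10.0.0.1,10.0.0.2,0x0800,17,29281
10.0.0.2,10.0.0.1,0x0800,6,443
"""

def classify(row):
    """Map one flow record to the HA function it matches, else 'unexpected'."""
    if int(row["ethertype"], 16) == HA2_ETHERTYPE:
        return "ha2-layer2"
    proto = int(row["ip_proto"]) if row["ip_proto"] else None
    dport = int(row["dport"]) if row["dport"] else None
    if proto == 1:
        return "heartbeat-icmp"
    if proto == HA2_IP_PROTO or (proto == 17 and dport == HA2_UDP):
        return "ha2-routed"
    if proto == 6 and dport in HA1_CLEAR_TCP:
        return "ha1-cleartext"
    if proto == 6 and dport == HA1_SSH_TCP:
        return "ha1-encrypted"
    if dport == HB_BACKUP_PORT:
        return "heartbeat-backup"
    return "unexpected"

def audit(text):
    """Return (counts per label, findings) for flows seen between HA peers."""
    counts, findings = {}, []
    for row in csv.DictReader(io.StringIO(text)):
        label = classify(row)
        counts[label] = counts.get(label, 0) + 1
        if label == "unexpected":
            findings.append(f"non-HA flow {row['src']}->{row['dst']} "
                            f"proto={row['ip_proto']} dport={row['dport']}")
    if counts.get("ha1-cleartext"):
        findings.append("HA1 is in clear text; encrypted HA1 would use TCP 28")
    return counts, findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Feed it an export from a capture on the HA segment; a non-empty findings list means either HA1 encryption is off or something other than HA traffic is crossing links that should carry only peer synchronization.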