HA Links

The devices in an HA pair use HA links to synchronize data and maintain state information. On AWS, the VM-Series firewall uses the following ports:
  • Control Link—The HA1 link is used to exchange hellos, heartbeats, and HA state information, as well as management-plane synchronization of routing and User-ID information. This link is also used to synchronize configuration changes made on either the active or the passive device with its peer.
    The management port is used for HA1, with TCP ports 28769 and 28260 for cleartext communication and TCP port 28 for encrypted communication (SSH over TCP).
  • Data Link—The HA2 link is used to synchronize sessions, forwarding tables, IPSec security associations and ARP tables between devices in an HA pair. Data flow on the HA2 link is always unidirectional (except for the HA2 keep-alive); it flows from the active device to the passive device.
    Ethernet1/1 must be assigned as the HA2 link. The HA data link can be configured to use either IP (protocol number 99) or UDP (port 29281) as the transport.
The VM-Series on AWS does not support backup links for HA1 or HA2.
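The ports above are the ones an AWS security group must admit between the two peers, and nothing else should be able to reach them. The following Python is an added example, not Palo Alto Networks code or documentation: it builds boto3-style `IpPermissions` entries for the management interface (HA1) and the ethernet1/1 interface (HA2) that admit only the peer's own address, and it audits an existing rule set for HA ports that are open wider than a single host. The peer addresses, the assumption that each interface sits in its own security group, and the `audit_ha_exposure` helper are all illustrative.

```python
from ipaddress import ip_network

# HA link ports and protocols as documented for the VM-Series on AWS.
HA1_TCP_PORTS = (28769, 28260, 28)  # 28769/28260 cleartext; 28 encrypted (SSH over TCP)
HA2_UDP_PORT = 29281                # HA2 when transported over UDP
HA2_IP_PROTOCOL = "99"              # HA2 when transported over IP protocol 99


def _single_host(cidr: str) -> str:
    """Reject anything wider than one host: an HA link only ever talks to its peer."""
    net = ip_network(cidr, strict=True)
    if net.num_addresses != 1:
        raise ValueError(f"HA peer CIDR must be a single host, got {cidr}")
    return str(net)


def _range(cidr: str, description: str) -> list:
    return [{"CidrIp": cidr, "Description": description}]


def ha1_ingress(peer_mgmt_cidr: str) -> list:
    """Ingress for the management-interface security group (HA1 control link)."""
    cidr = _single_host(peer_mgmt_cidr)
    return [
        {"IpProtocol": "tcp", "FromPort": p, "ToPort": p,
         "IpRanges": _range(cidr, "VM-Series HA1")}
        for p in HA1_TCP_PORTS
    ]


def ha2_ingress(peer_eth1_cidr: str) -> list:
    """Ingress for the ethernet1/1 security group (HA2 data link), both transports."""
    cidr = _single_host(peer_eth1_cidr)
    return [
        {"IpProtocol": "udp", "FromPort": HA2_UDP_PORT, "ToPort": HA2_UDP_PORT,
         "IpRanges": _range(cidr, "VM-Series HA2 (UDP)")},
        # Custom IP protocol numbers carry no port range in the EC2 API.
        {"IpProtocol": HA2_IP_PROTOCOL,
         "IpRanges": _range(cidr, "VM-Series HA2 (IP protocol 99)")},
    ]


def _covers_ha(perm: dict) -> bool:
    """Does this permission admit any HA1 or HA2 traffic?"""
    proto = perm.get("IpProtocol")
    lo, hi = perm.get("FromPort", -1), perm.get("ToPort", -1)
    if proto in ("-1", HA2_IP_PROTOCOL):      # all traffic, or raw protocol 99
        return True
    if lo == -1 and hi == -1:                 # "all ports" for tcp/udp
        return proto in ("tcp", "udp")
    wanted = HA1_TCP_PORTS if proto == "tcp" else (HA2_UDP_PORT,) if proto == "udp" else ()
    return any(lo <= p <= hi for p in wanted)


def audit_ha_exposure(permissions: list) -> list:
    """Return one finding per HA-relevant rule whose IPv4 source is wider than one host.

    `permissions` has the shape of IpPermissions from describe_security_groups.
    """
    findings = []
    for perm in permissions:
        if not _covers_ha(perm):
            continue
        for rng in perm.get("IpRanges", []):
            if ip_network(rng["CidrIp"], strict=False).num_addresses > 1:
                findings.append(
                    f"{perm.get('IpProtocol')} "
                    f"{perm.get('FromPort', 'any')}-{perm.get('ToPort', 'any')} "
                    f"open to {rng['CidrIp']}"
                )
    return findings


if __name__ == "__main__":
    # Constructed peer addresses: HA1 peer on the management subnet, HA2 peer on ethernet1/1's subnet.
    print(ha1_ingress("10.0.1.11/32"))
    print(ha2_ingress("10.0.2.11/32"))
    # Constructed, deliberately loose rule set such as an audit might pull from an account.
    loose = [
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "udp", "FromPort": 29281, "ToPort": 29281, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]
    for finding in audit_ha_exposure(loose):
        print("finding:", finding)
```

The generated lists can be passed as the `IpPermissions` argument of `authorize_security_group_ingress`; the audit flags the wide-open TCP range and the UDP 29281 rule in the constructed set while ignoring the unrelated SSH rule, which is the distinction a reviewer of an HA deployment wants made automatically.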

