The devices in an HA pair use HA links to synchronize
data and maintain state information. On AWS, the VM-Series firewall
uses the following ports:
HA1—The HA1 link is used to exchange
hellos, heartbeats, and HA state information, and management plane
sync for routing and User-ID information. This link is also used
to synchronize configuration changes on either the active or passive
device with its peer.
The Management port is used for HA1.
TCP ports 28769 and 28260 for cleartext communication; port 28 for
encrypted communication (SSH over TCP).
HA2—The HA2 link is used to synchronize sessions,
forwarding tables, IPSec security associations and ARP tables between
devices in an HA pair. Data flow on the HA2 link is always unidirectional
(except for the HA2 keep-alive); it flows from the active device
to the passive device.
Ethernet1/1 must be assigned as the
HA2 link; this is required to deploy the VM-Series firewall on AWS
in HA. The HA2 data link can be configured to use either IP (protocol
number 99) or UDP (port 29281) as the transport.
The VM-Series firewall on AWS does not support backup links for
HA1 or HA2.
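Because the HA1 and HA2 flows cross AWS security groups, a practitioner typically wants to build the exact ingress rules for them and to audit an existing group for gaps or over-exposure. The following is an added example, not code from the page or from Palo Alto Networks. It assumes the two firewalls reference each other's security group ID as the traffic source (the least-privilege form), that the security-group description has the shape boto3's ec2.describe_security_groups() returns, and the sample group below is constructed; the port and protocol numbers are the ones listed above.

```python
"""Build and audit the AWS security-group rules that carry VM-Series HA1/HA2 traffic.

Added example; not Palo Alto Networks code. Assumes peer firewalls reference each
other's security group ID as the source, and uses the IpPermissions shape that
boto3's ec2.describe_security_groups() / authorize_security_group_ingress() use.
"""

HA1_TCP_PORTS = (28769, 28260, 28)   # 28769/28260 cleartext, 28 encrypted (SSH over TCP)
HA2_IP_PROTOCOL = "99"               # HA2 over IP protocol number 99
HA2_UDP_PORT = 29281                 # HA2 over UDP


def required_flows(ha2_transport="ip"):
    """Map a readable flow name to (IpProtocol, port) for the chosen HA2 transport."""
    if ha2_transport not in ("ip", "udp"):
        raise ValueError("ha2_transport must be 'ip' or 'udp'")
    flows = {f"HA1 TCP/{p}": ("tcp", p) for p in HA1_TCP_PORTS}
    if ha2_transport == "ip":
        flows["HA2 IP protocol 99"] = (HA2_IP_PROTOCOL, None)   # no port range applies
    else:
        flows[f"HA2 UDP/{HA2_UDP_PORT}"] = ("udp", HA2_UDP_PORT)
    return flows


def ha_ingress_permissions(peer_sg, ha2_transport="ip"):
    """IpPermissions list for ec2.authorize_security_group_ingress() admitting
    exactly the HA flows, and only from the peer firewall's security group."""
    src = [{"GroupId": peer_sg}]
    perms = []
    for proto, port in required_flows(ha2_transport).values():
        # Custom protocol numbers (e.g. "99") are passed as a string with no ports.
        perm = {"IpProtocol": proto, "UserIdGroupPairs": src}
        if port is not None:
            perm["FromPort"] = perm["ToPort"] = port
        perms.append(perm)
    return perms


def _covers(perm, proto, port):
    """True if one IpPermissions entry admits the given protocol/port."""
    if perm["IpProtocol"] == "-1":          # "all traffic" rule
        return True
    if perm["IpProtocol"] != proto:
        return False
    if port is None:                        # protocol-number rule, no port range
        return True
    return perm.get("FromPort", -1) <= port <= perm.get("ToPort", -1)


def _from_peer(perm, peer_sg):
    return any(g.get("GroupId") == peer_sg for g in perm.get("UserIdGroupPairs", []))


def _from_anywhere(perm):
    return any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", []))


def audit_ha_rules(ip_permissions, peer_sg, ha2_transport="ip"):
    """HA flows NOT admitted from the peer's security group.
    A CIDR-based rule does not count because it is not scoped to the peer."""
    return [name for name, (proto, port) in required_flows(ha2_transport).items()
            if not any(_covers(p, proto, port) and _from_peer(p, peer_sg)
                       for p in ip_permissions)]


def world_reachable_ha_flows(ip_permissions, ha2_transport="ip"):
    """HA flows that any Internet host could reach (source 0.0.0.0/0)."""
    return [name for name, (proto, port) in required_flows(ha2_transport).items()
            if any(_covers(p, proto, port) and _from_anywhere(p) for p in ip_permissions)]


# Constructed sample: firewall sg-0fw1 whose HA peer is sg-0fw2. It has the HA2
# rule and one HA1 port scoped to the peer, one HA1 port open to the world, and
# one HA1 port (28) missing entirely.
SAMPLE_SG = {
    "GroupId": "sg-0fw1",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 28769, "ToPort": 28769,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0fw2"}]},
        {"IpProtocol": "tcp", "FromPort": 28260, "ToPort": 28260,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "99", "IpRanges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0fw2"}]},
    ],
}

if __name__ == "__main__":
    perms = SAMPLE_SG["IpPermissions"]
    print("missing from peer:", audit_ha_rules(perms, "sg-0fw2"))
    print("reachable from anywhere:", world_reachable_ha_flows(perms))
    print("rules to add:", ha_ingress_permissions("sg-0fw2"))
```

Security groups are stateful, so the HA2 keep-alive reply and HA1 return traffic need no separate ingress rule. Since HA1 rides the Management port and HA2 rides ethernet1/1, the HA1 rules belong on the security group attached to the management interface and the HA2 rule on the one attached to the ethernet1/1 interface if those differ, and the rules must be mirrored on the peer's groups, because each firewall has to admit traffic from the other.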