In addition to HA1 and HA2 links, an active/active
deployment also requires a dedicated HA3 link. The firewalls use
this link for forwarding packets to the peer during session setup
and asymmetric traffic flow. The HA3 link is a Layer 2 link that
uses MAC-in-MAC encapsulation. It does not support Layer 3 addressing
or encryption. PA-7000 Series firewalls synchronize sessions across
the NPCs one-for-one. On PA-800 Series, PA-3200 Series, and PA-5200
Series firewalls, you can configure aggregate interfaces as an HA3
link. The aggregate interfaces can also provide redundancy for the
HA3 link; you cannot configure backup links for the HA3 link. On
PA-3200 Series, PA-5200 Series, and PA-7000 Series firewalls, the
dedicated HSCI ports support the HA3 link. The firewall adds a proprietary
packet header to packets traversing the HA3 link, so the MTU over
this link must be greater than the maximum packet length forwarded. |