Firewalls configured as High Availability (HA) peers must be able to communicate with each other to maintain state information (HA1 control link) and synchronize data (HA2 data link). In Active/Active HA deployments the peer firewalls must also forward packets to the HA peer that owns the session. The HA3 link is a Layer 2 (MAC-in-MAC) link and it does not support Layer 3 addressing or encryption.
Destination Port   Protocol   Description
28764              TCP        Port used for HA1 sysd ssh tunneled communication.
28765              TCP        Port used for backup HA1 sysd ssh tunneled communication.
28766              TCP        Port used for HA1 ssh tunneled communication.
28767              TCP        Port used for backup HA1 ssh tunneled communication.
28769, 28260       TCP, TCP   Used for the HA1 control link for clear text communication between the HA peer firewalls. The HA1 link is a Layer 3 link and requires an IP address.
28                 TCP        Used for the HA1 control link for encrypted communication (SSH over TCP) between the HA peer firewalls.
28770              TCP        Listening port for HA1 backup links.
28771              TCP        Used for heartbeat backups. Palo Alto Networks recommends enabling heartbeat backup on the MGT interface if you use an in-band port for the HA1 or the HA1 backup links.
99, 29281          IP, UDP    Used for the HA2 link to synchronize sessions, forwarding tables, IPSec security associations and ARP tables between firewalls in an HA pair. Data flow on the HA2 link is always unidirectional (except for the HA2 keep-alive); it flows from the active firewall (Active/Passive) or active-primary (Active/Active) to the passive firewall (Active/Passive) or active-secondary (Active/Active). The HA2 link is a Layer 2 link, and it uses ether type 0x7262 by default. The HA data link can also be configured to use either IP (protocol number 99) or UDP (port 29281) as the transport, and thereby allow the HA data link to span subnets.
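The following is an added example, not code from Palo Alto Networks or from this page: it applies the port table above as a detection check over flow records collected on the switch or firewall between two HA peers, flagging traffic that is not on a documented HA1/HA2 port, HA1 control traffic that uses the clear text ports, and HA2 traffic travelling from the passive peer toward the active one (where only the HA2 keep-alive is expected). The flow record format, the peer addresses and the function names are assumptions made for the example; the port numbers, protocols and direction rule come from the table.

```python
"""Audit flow records between PAN-OS HA peers against the documented HA ports."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# HA1 control-link TCP destination ports, from the table above.
HA1_TCP_PORTS = {
    28764: "HA1 sysd ssh tunnel",
    28765: "backup HA1 sysd ssh tunnel",
    28766: "HA1 ssh tunnel",
    28767: "backup HA1 ssh tunnel",
    28769: "HA1 clear text control link",
    28260: "HA1 clear text control link",
    28: "HA1 encrypted control link (SSH over TCP)",
    28770: "HA1 backup link listener",
    28771: "heartbeat backup",
}
HA1_CLEARTEXT_PORTS = {28769, 28260}
# HA2 data link when configured to span subnets: IP protocol 99 or UDP 29281.
HA2_IP_PROTOCOL = 99
HA2_UDP_PORT = 29281


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "ip" (raw IP protocol)
    dport: Optional[int]        # TCP/UDP destination port, None for raw IP
    ip_proto: Optional[int] = None  # IP protocol number when proto == "ip"


def parse_flow(line: str) -> Flow:
    """Parse the constructed record format '<src> <dst> tcp/<port>|udp/<port>|ip/<proto>'."""
    src, dst, spec = line.split()
    proto, number = spec.split("/")
    if proto == "ip":
        return Flow(src, dst, "ip", None, int(number))
    return Flow(src, dst, proto, int(number))


def classify(flow: Flow, peers: set, active: str) -> Tuple[str, str]:
    """Return (verdict, detail) for one flow seen on the HA link."""
    if flow.src not in peers or flow.dst not in peers:
        return ("unexpected", "not between the HA peers")
    if flow.proto == "tcp" and flow.dport in HA1_TCP_PORTS:
        detail = HA1_TCP_PORTS[flow.dport]
        if flow.dport in HA1_CLEARTEXT_PORTS:
            # Control traffic is readable on the wire; review whether HA1 encryption is intended.
            return ("ha1-cleartext", detail)
        return ("ha1", detail)
    is_ha2 = (flow.proto == "udp" and flow.dport == HA2_UDP_PORT) or (
        flow.proto == "ip" and flow.ip_proto == HA2_IP_PROTOCOL
    )
    if is_ha2:
        if flow.src == active:
            return ("ha2", "session and table sync from the active peer")
        # HA2 data only flows active -> passive; the reverse direction carries the keep-alive only.
        return ("ha2-reverse", "HA2 from passive peer; only the HA2 keep-alive is expected")
    return ("unexpected", f"{flow.proto} traffic on a non-HA port")


def audit(lines: List[str], peers: set, active: str) -> List[Tuple[str, str, str]]:
    """Classify every record; returns (record, verdict, detail) tuples."""
    return [(line, *classify(parse_flow(line), peers, active)) for line in lines]


# Constructed sample flow records; 10.0.0.1 is the active peer, 10.0.0.2 the passive one.
PEERS = {"10.0.0.1", "10.0.0.2"}
ACTIVE = "10.0.0.1"
SAMPLE_LINES = [
    "10.0.0.1 10.0.0.2 tcp/28",      # encrypted HA1
    "10.0.0.1 10.0.0.2 tcp/28769",   # clear text HA1
    "10.0.0.1 10.0.0.2 udp/29281",   # HA2 over UDP, active -> passive
    "10.0.0.2 10.0.0.1 ip/99",       # HA2 over IP protocol 99, passive -> active
    "10.0.0.1 10.0.0.2 tcp/22",      # not an HA port
    "10.0.0.1 10.0.0.9 tcp/28769",   # HA1 port, but not between the peers
]

if __name__ == "__main__":
    for record, verdict, detail in audit(SAMPLE_LINES, PEERS, ACTIVE):
        print(f"{verdict:14} {record:32} {detail}")
```

Run it against exported flow logs from the HA interfaces or the intermediate switch; anything reported as unexpected, or HA2 traffic in the reverse direction beyond the keep-alive, is worth a closer look, and ha1-cleartext hits tell you whether the HA1 control link is actually running encrypted.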