HA Ports on Palo Alto Networks Firewalls
Table of Contents
Expand All
|
Collapse All
Next-Generation Firewall Docs
-
-
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
-
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
-
-
-
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)
HA Ports on Palo Alto Networks Firewalls
Learn about HA ports available on Palo Alto Networks®
firewalls.
When connecting two Palo Alto Networks® firewalls in
a high availability (HA) configuration, we recommend that you use
the dedicated HA ports for HA
Links and Backup Links. These dedicated ports include: the
HA1 ports labeled HA1, HA1-A, and HA1-B used for HA control and
synchronization traffic; and HA2 and the High Speed Chassis Interconnect
(HSCI) ports used for HA session setup traffic. The PA-5200 Series
firewalls have multipurpose auxiliary ports labeled AUX-1 and AUX-2
that you can configure for HA1 traffic.
You can also configure the HSCI port for HA3, which is used for
packet forwarding to the peer firewall during session setup and
asymmetric traffic flow (active/active HA only). The HSCI port can
be used for HA2 traffic, HA3 traffic, or both.
The HA1 and AUX links provide synchronization
for functions that reside on the management plane. Using the dedicated
HA interfaces on the management plane is more efficient than using
the in-band ports as this eliminates the need to pass the synchronization
packets over the dataplane.
You can configure data ports as both dedicated HA interfaces and as dedicated backup
HA interfaces. For firewalls without dedicated HA interfaces, such as the PA-200 and
PA-400 Series, it is required to configure a data port as a HA interface.
Data ports configured as HA1, HA2, or HA3 interfaces can be connected directly to
each HA interface on the firewall or connected through a Layer2 switch. For data
ports configured as an HA3 interface, you must enable jumbo frames as HA3 messages
exceed 1,500 bytes.
Whenever possible, connect HA ports directly
between the two firewalls in an HA pair (not through a switch or
router) to avoid HA link and communications problems that could
occur if there is a network issue.
Use the following table to learn about dedicated HA ports and
how to connect the HA
Links and Backup Links:
Model | Front-Panel Dedicated Port(s) |
---|---|
PA-800 Series Firewalls |
|
PA-3200 Series Firewalls |
|
PA-3400 Series Firewalls |
The management interface cannot be configured
as a HA port. |
PA-5200 Series Firewalls |
|
PA-5200 Series Firewalls (continued) |
|
PA-5400 Series Firewalls (PA-5410, PA-5420,
and PA-5430) |
|
PA-5450 Firewall |
|
PA-7000 Series Firewalls |
HA2 and HA2-Backup
links can be configured to use a dataplane interface instead of
the HSCI ports. However, if configured this way, both the HA2 and
HA2-Backup links need to use dataplane interfaces. A mix of a dataplane
port and an HSCI port for either HA2 or HA2-Backup will result in
a commit failure. This applies to the PA-7050-SMC, PA-7080-SMC,
PA-7050-SMC-B, and PA-7080-SMC-B. |