Learn about HA clustering use cases and deployments.
A number of Palo Alto Networks® firewall
models now support session state synchronization among firewalls
in a high availability (HA) cluster of up to 16 firewalls. The HA
cluster peers synchronize sessions to protect against failure of
the data center or a large security inspection point with horizontally scaled
firewalls. In the case of a network outage or a firewall going down,
the sessions fail over to a different firewall in the cluster. Such
synchronization is especially helpful in the following use cases.
One use case is when HA peers are spread across multiple data
centers so that there is no single point of failure within or between
data centers. A second multi-data center use case is when one data
center is active and the other is standby.
A third HA clustering use case is horizontal scaling, in which
you add HA cluster members to a single data center to scale security
and ensure session survivability.
HA clusters support a Layer 3 or virtual wire deployment. HA
peers in the cluster can be a combination of HA pairs and standalone
cluster members. In an HA cluster, all members are considered active;
there is no concept of passive firewalls except for HA pairs, which
can keep their active/passive relationship after you add them to
an HA cluster.
All cluster members share session state. When a new firewall
joins an HA cluster, that triggers all firewalls in the cluster
to synchronize all existing sessions. HA4 and HA4 backup connections
are the dedicated cluster links that synchronize session state among
all cluster members having the same cluster ID. The HA4 link between
cluster members detects connectivity failures between cluster members. HA1
(control link), HA2 (data link), and HA3 (packet-forwarding link)
are not supported between cluster members that aren’t HA pairs.
For a normal session that has not failed over, only the firewall
that is the session owner creates a traffic log. For a session that
failed over, the new session owner (the firewall that receives the
failed over traffic) creates the traffic log.
The firewall models that support HA clustering and the maximum
number of members supported per cluster are as follows:
Firewall Model
Number of Members Supported Per Cluster
PA-3200 Series
6
PA-3400 Series
6
PA-5200 Series
16
PA-5400 Series
8
PA-7000 Series firewalls that have at least
one of the following cards: PA-7000-100G-NPC, PA-7000-20GQXM-NPC,
PA-7000-20GXM-NPC