HA Links and Backup Links
HA1-Control Link
HA State information
management plane sync for routing
heartbeats
User-ID information
exchange hellos
The HA1 link is a Layer 3 link and requires an IP address
Ports used: 28769, 28260 for cleartext; port 28 for encrypted
HA2- Data link
IPSec security associations
ARP tables between firewalls
forwarding tables
Data flow on the HA2 link is always unidirectional (except for the HA2 keep-alive)
synchronize session
it flows from the active or active-primary firewall to the passive or active-secondary firewall
The HA2 link is a Layer 2 link, and it uses ether type 0x7261 by default.
Port used for HA2: IP (99), UDP (29281)
HA4 Link and HA4 Backup Link
HA3-Packet-Forwarding Link
The firewall uses this link to forward packets to the peer during session setup and asymmetric traffic flow
The dedicated HSCI ports support the HA3 link
The HA3 link is a Layer 2 link that uses MAC-in-MAC encapsulation
The firewall adds a proprietary packet header to packets traversing the HA3 link, so the MTU over this link must be greater than the maximum packet length forwarded.
HA1 and HA2 Backup Links
The HA1-backup link uses ports 28770 and 28260
PA-3200 Series firewalls don’t support an IPv6 address for the HA1-backup link
HA backup links must be on a different subnet from the primary HA links.
Palo Alto Networks recommends enabling heartbeat backup (uses port 28771 on the MGT interface) if you use an in-band port for the HA1 or the HA1 backup links
The IP addresses of the primary and backup HA links must not overlap each other