High availability (HA), is a configuration in which two firewalls are connected and their configurations are synchronized. This prevents your network from experiencing a single point failure. A heartbeat link between the firewall peers allows for smooth failover in the event of one of the firewall peers going down. Two firewalls in a high availability pair provides redundancy and business continuity.
You can reduce downtime by ensuring that a peer firewall is available in case the primary firewall fails. The firewalls in a pair use dedicated or in-band ports to synchronize data (network, object, policy configurations) and keep state information.
Firewall-specific settings such as management interface IP addresses, administrator profiles, HA configuration, log data, ACC information, and other configurations are not shared among peers.
Two firewalls from Palo Alto Networks can be connected to create an HA pair. Both HA peers must be running the same version PAN-OS.
A failover occurs when one firewall in a HA pair goes down and the peer firewall assumes responsibility for traffic protection. These are the circumstances that can cause a failover.
One or more of these interfaces fail
The firewall is not responding correctly to polls’ heartbeats
It is impossible to access any of the designated destinations for firewalls
Hardware fails
Palo Alto Firewalls: HA Pairing
Two types of stateful high availability are available for Palo Alto firewalls: session and configuration synchronization.
Passive/Active: This mode allows one firewall to handle traffic actively while the other is synchronized and ready to take control in the event that there is a failure. Both firewalls use the same configuration parameters. One firewall handles traffic active until a path, connection or system breaks.
The passive firewall automatically switches to active mode when the active firewall is down. It enforces the same regulations and ensures network security. Active/passiveHA supports Layer 2, Layer 3 and virtual wire deployments.
Active/Active: Both paired firewalls can be operational at the same time, processing traffic and session establishment. Both firewalls have their session tables and routing tables, which are synchronized. Active/active HA supports Layer 3 deployments and virtual wire deployments.
How HA Pair Link Works
Firewalls use HA links to synchronize data and keep state information. Some firewall models have HA ports that are specific to them, such as Datalink (HA1) or Control link (HA2), while others require that you use in-band ports as the HA links. Use dedicated HA ports on firewalls that have dedicated HA ports to manage communication and synchronization between firewalls.
Here are the HA links that have a specific job.
Control Link
The Control Link, also known by the HA1 Link is used to send and get messages such as:
Hello messages
Heartbeats
Information about the HA state
Management plane sync for routing
Information about user-ID
Control Link (HA1) is also used by firewalls to synchronize configuration changes between peers. It is a Layer 3 link and requires an IP address. It uses ICMP to exchange heartbeats among HA peers.
HA1 uses the following ports:
TCP port: 28769, TCP port: 28260 for clear text communication
port 28 for encrypted communication
Data Link
The Data Link is also known by HA2 link and:
Synchronize sessions
Forwarding tables
IPSec security organizations, and
Uses ARP tables to connect firewalls in an HAA
Except for the HA2 keepalive, data flow over the HA2 connection remains unidirectional. It moves from the active firewall to the passive firewall. The HA2 link, a Layer 2 link, defaults to ether type 0.7261
The HA data connection uses either UDP port: 29281 or IP protocol: 99 as the transport protocol. This allows it to span subnets.
Packet Forwarding Link
The packet
