<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Palo PA-450 High Availability ports in Next-Generation Firewall Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/palo-pa-450-high-availability-ports/m-p/544378#M1372</link>
    <description>&lt;P&gt;Hello everyone, wanted to deploy a pair of PA-450s in HA and I understand there are no dedicated HA ports on this model so we need to use data ports - I could not find a deployment guide for the PA-450 to address HA specifically and I assume you could use any data port, but does anyone have any experience with selecting ports for HA? Does it matter which ports? The other concern is that I need to use 7 ports for other traffic so I am only left with one data port for HA. Can the management port be used for HA2? Or HA1?&lt;/P&gt;
&lt;P&gt;Thank you&lt;/P&gt;</description>
    <pubDate>Thu, 01 Jun 2023 19:04:13 GMT</pubDate>
    <dc:creator>bormanb</dc:creator>
    <dc:date>2023-06-01T19:04:13Z</dc:date>
    <item>
      <title>Palo PA-450 High Availability ports</title>
      <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/palo-pa-450-high-availability-ports/m-p/544378#M1372</link>
      <description>&lt;P&gt;Hello everyone, wanted to deploy a pair of PA-450s in HA and I understand there are no dedicated HA ports on this model so we need to use data ports - I could not find a deployment guide for the PA-450 to address HA specifically and I assume you could use any data port, but does anyone have any experience with selecting ports for HA? Does it matter which ports? The other concern is that I need to use 7 ports for other traffic so I am only left with one data port for HA. Can the management port be used for HA2? Or HA1?&lt;/P&gt;
&lt;P&gt;Thank you&lt;/P&gt;</description>
      <pubDate>Thu, 01 Jun 2023 19:04:13 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/next-generation-firewall/palo-pa-450-high-availability-ports/m-p/544378#M1372</guid>
      <dc:creator>bormanb</dc:creator>
      <dc:date>2023-06-01T19:04:13Z</dc:date>
    </item>
    <item>
      <title>Re: Palo PA-450 High Availability ports</title>
      <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/palo-pa-450-high-availability-ports/m-p/544487#M1374</link>
      <description>&lt;P&gt;HA1 is used to synchronize config and send heartbeats. This is a task of the management plane, so if the firewall doesn't have a dedicated HA1 port then it is best practice to use the management interface for HA1.&lt;/P&gt;
&lt;P&gt;HA2 is used to synchronize the session table. The session table is on the data plane. You can use any data port for HA2.&lt;/P&gt;
&lt;P&gt;If you need only 7 ports and can use 1 for HA2 then it is a perfect setup.&lt;/P&gt;
&lt;P&gt;If you don't have any available data ports to use for HA2 then you can use only 1 link between the firewalls - mgmt port for HA1.&lt;/P&gt;
&lt;P&gt;But in this case the passive firewall has no idea of the session table, and if you fail over then all clients lose their active sessions and need to rebuild (not user friendly :)).&lt;/P&gt;</description>
      <pubDate>Fri, 02 Jun 2023 04:02:51 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/next-generation-firewall/palo-pa-450-high-availability-ports/m-p/544487#M1374</guid>
      <dc:creator>Raido_Rattameister</dc:creator>
      <dc:date>2023-06-02T04:02:51Z</dc:date>
    </item>
    <item>
      <title>Re: Palo PA-450 High Availability ports</title>
      <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/palo-pa-450-high-availability-ports/m-p/544522#M1379</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/293962"&gt;@bormanb&lt;/a&gt;&amp;nbsp;- It is always a best practice to use 1 Ethernet port for HA1 (in case of a firewall failure a split brain condition would surface) &amp;amp; always use another Ethernet port for HA2 (for session sync).&lt;/P&gt;
&lt;P&gt;In your scenario, you have to make adjustments to lower the port count to 6 for external use. I would keep the MGMT port strictly for management purposes which connects to a TOR switch.&lt;/P&gt;</description>
      <pubDate>Fri, 02 Jun 2023 08:17:23 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/next-generation-firewall/palo-pa-450-high-availability-ports/m-p/544522#M1379</guid>
      <dc:creator>ToughGuy_PAN</dc:creator>
      <dc:date>2023-06-02T08:17:23Z</dc:date>
    </item>
    <item>
      <title>Re: Palo PA-450 High Availability ports</title>
      <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/palo-pa-450-high-availability-ports/m-p/544554#M1381</link>
      <description>&lt;P&gt;Best practice is to use the management port for HA1 and one dataplane port for HA1-backup to avoid split brain.&lt;/P&gt;
&lt;P&gt;As mentioned, HA1 is related to the management plane, so running HA1 on a dataplane port is not the most optimal.&lt;/P&gt;</description>
      <pubDate>Fri, 02 Jun 2023 12:14:42 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/next-generation-firewall/palo-pa-450-high-availability-ports/m-p/544554#M1381</guid>
      <dc:creator>Raido_Rattameister</dc:creator>
      <dc:date>2023-06-02T12:14:42Z</dc:date>
    </item>
  </channel>
</rss>

