topic Re: HSBI and HA in General Topics

HSBI and HA

Ramakrishnan — Tue, 05 Dec 2023 17:01:32 GMT

Folks,

I would like understand the difference between HSBI and HA1, HA1B, HA2, HA2B

As per my understanding

HA1 for control & HA1B for backup link

HA2 for data & HA2B for backup link

control carries heartbeats and communication

Dara traffic carries Ip table, arp table, session table? Is that correct?

For state full session sync up we “must” use HSBI link? Or it can be used for over HA2?

I have little expertise in PA, but I never see such implementation?

can you please clarify?

your swift response is much appreciated

Re: HSBI and HA

reaper — Wed, 06 Dec 2023 14:41:03 GMT

HA1 is the 'brains' of the HA cluster, sharing configuration, routing information, control messages to see if the peer is alive and functional, etc.

HA1b is a backup link (if for some reason HA1 is disconected but both firewalls are still fully functional, they will assume the remote peer is down and both start accepting packets at the same time, this is not fun to have happen, so make sure to set up HA1b)

HA2 is where the session table gets synced so if a firewall goes down the perr can pick up existing sessions

ha2b is the backup link

you are not required to use the HSCI link, you can assign the type 'HA' to dataplane interfaces and use those instead

you cannot use HSCI for HA1 connections, but you should either use the dedidicated HA1a/HA1b, the AUX1/AUX2, or dataplane interfaces (dedicated links preferred)

Re: HSBI and HA

Ramakrishnan — Thu, 07 Dec 2023 04:17:07 GMT

I have one last doubt/clarity.

If we run HA1 and HA2 between firewalls as below back-to-back links.

[FW1 HA1 < --- > FW2 HA1] - No backup link considered

[FW1 HA2 < -- > FW2 HA2] - No backup link considered

So No need of HSCI, since all session sync up will happen over HA2 ? So during Active device fails passive will become active and pick up the session, from an end-user perspective no need for session reinitiation? Is my understanding correct?

Re: HSBI and HA

Ramakrishnan — Fri, 08 Dec 2023 05:12:48 GMT

I have two 1410 firewall. I have connected two cables on HA1a, HA1b and HSCI. Now should I use HSCI port for HA2 communication? In fact, its forcibly selected HSCI for HA2 communication, please help me understand.

My second question is its not mandate to configure IP for HA2 correct? And HA1 we need give same IP under the general settings?

Re: HSBI and HA

aleksandar.astardzhiev — Fri, 08 Dec 2023 13:00:01 GMT

Hi @Ramakrishnan,

Please check the following documentations -
https://docs.paloaltonetworks.com/hardware/pa-1400-hardware-reference/pa-1400-series-overview/front-panel-1400-series
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/high-availability/ha-concepts/ha-links-and-backup-links/ha-ports-on-the-pa-7000-series-firewall
HSCI is high speed interface, which main purpose is to be used for HA2. As @reaper already mentined HA2 is data link, it is used to sync session information between the two HA members. (and also forward traffic in case you use active/active).

So if you have the physical capability to connect both member directly (no routers, no switches, no other intermediate devices), it is always recommend to use the HSCI for HA2.

If you cannot connect both peer directly, you can reserve one of the data plane interfaces for HA and then configure HA2 to use that dataplane interface. By default no dataplane interface is being reserved for HA, that is why when you try to edit HA your dropdown offers only HSCI.

Regarding the IP addresses:

- As you can see from above links HSCI is layer1 interface, so must use "ethernet" for HA2 transport, which used PAN custom/properiotry ethernet frames which doesn't use IP address. So even if you set some addresses they will be ignored if transport is set to ethernet

Transport —Choose one of the following transport options: Ethernet —Use when the firewalls are connected back-to-back or through a switch (Ethertype 0x7261). IP —Use when Layer 3 transport is required (IP protocol number 99). UDP —Use to take advantage of the fact that the checksum is calculated on the entire packet rather than just the header, as in the IP option (UDP port 29281). The benefit of using UDP mode is the presence of the UDP checksum to verify the integrity of a session sync message.

For HA1 you must use IP addresses and you must have different addresses for each member. If you connect them directly you have to specify the same subnet. If they are not connected directly you should configure a gateway which will route between the two networks.

Re: HSBI and HA

ModestaZieme — Fri, 12 Jan 2024 10:55:12 GMT

Thanks for answering, I appreciate you, you made my day.