How to Configure HA Backup Links

Created On 09/25/18 17:58 PM - Last Modified 07/08/23 00:39 AM


Environment


Pair of identical Palo Alto Networks firewalls

Resolution


You can configure the HA-Backup Links from the Web UI or the CLI. See below for steps on both. 

From the Web UI
  1. Identify which physical interfaces on the firewall will be used as the HA1, HA1-Backup, HA2, and HA2-Backup links. See HA Ports on Palo Alto Networks Firewalls and HA Active/Passive Best Practices for guidance.
  2. Go to Device > High Availability > HA Communications and click Edit on HA1 Backup.
Repeat the steps above for the HA1, HA1-Backup, HA2, and HA2-Backup links.

Note: If you plan to use a data interface as an HA interface, you must first change that data interface to Interface Type HA. To do this, navigate to Network > Interfaces > edit Interface > change Interface Type to HA.
Note: For firewalls without dedicated HA interfaces, such as the PA-200 and PA-400 Series, you must configure a data port as an HA interface.
  3. Type an IP Address, Netmask, and Gateway.
  4. Perform a Commit.

From the CLI
  1. Run the configure command to enter the configuration mode
> configure
  2. Use the set command to configure the <ha1-backup or ha2-backup> port, ip-address, netmask, and gateway
set deviceconfig high-availability interface ha1-backup port ethernet1/7
set deviceconfig high-availability interface ha1-backup ip-address 192.168.1.10
set deviceconfig high-availability interface ha1-backup netmask 255.255.255.0
set deviceconfig high-availability interface ha1-backup gateway 192.168.1.1
  3. Run commit to commit the changes

NOTE: To verify the changes, see To Verify Changes under Additional Information.
 


Additional Information


HA Communications
HA Links and Backup Links
HA Ports on Palo Alto Networks Firewalls

To Verify Changes
  1. (Optional) For easier viewing, change config-output-format to set
> set cli config-output-format set
  2. Enter configure mode
> configure
  3. Use the show command to view the changes
# show deviceconfig high-availability interface ha1-backup
set deviceconfig high-availability interface ha1-backup port ethernet1/7
set deviceconfig high-availability interface ha1-backup ip-address 192.168.1.10
set deviceconfig high-availability interface ha1-backup netmask 255.255.255.0
set deviceconfig high-availability interface ha1-backup gateway 192.168.1.1

# show deviceconfig high-availability interface ha2-backup
set deviceconfig high-availability interface ha2-backup port ethernet1/8
set deviceconfig high-availability interface ha2-backup ip-address 192.168.2.10
set deviceconfig high-availability interface ha2-backup netmask 255.255.255.0
set deviceconfig high-availability interface ha2-backup gateway 192.168.2.1

The HA1-Backup and HA2-Backup links provide redundancy for the HA1 and the HA2 links. In-band ports can be used for backup links for both HA1 and HA2 connections when dedicated backup links are not available. Consider the following guidelines when configuring backup HA links:
  • The IP addresses of the primary and backup HA links must not overlap each other.
  • HA backup links must be on a different subnet from the primary HA links.
  • HA1-backup and HA2-backup ports must be configured on separate physical ports. The HA1-backup link uses ports 28770 and 28260.
  • PA-3200 Series firewalls don’t support an IPv6 address for the HA1-backup link; use an IPv4 address.
Tip: Palo Alto Networks recommends enabling heartbeat backup (uses port 28771 on the MGT interface) if you use an in-band port for the HA1 or the HA1 backup links.

For additional guidance, refer to High Availability - HA Heartbeat Backup
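
The backup-link guidelines above can be checked mechanically against the set-format output shown under To Verify Changes. The Python below is an added example, not Palo Alto Networks code: the function names are hypothetical, and the sample input is constructed (the primary ha1 lines are assumed to follow the same set-path pattern as the backup links).

```python
import ipaddress
import re

# One line of set-format output: "... interface <link> <key> <value>"
LINE = re.compile(r"^set deviceconfig high-availability interface (\S+) (\S+) (\S+)$")

def parse_ha_interfaces(text):
    """Return {link: {key: value}} from set-format HA interface lines."""
    links = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            link, key, value = m.groups()
            links.setdefault(link, {})[key] = value
    return links

def check_backup_guidelines(links):
    """Return guideline violations as strings; an empty list means none found."""
    problems, nets = [], {}
    for link, cfg in links.items():
        if "ip-address" in cfg and "netmask" in cfg:
            nets[link] = ipaddress.ip_interface(f"{cfg['ip-address']}/{cfg['netmask']}")
    for primary in ("ha1", "ha2"):
        backup = primary + "-backup"
        p, b = nets.get(primary), nets.get(backup)
        if p is None or b is None or p.version != b.version:
            continue  # nothing to compare (e.g. link configured without an IP)
        if p.ip == b.ip:
            problems.append(f"{backup} has the same IP address as {primary}")
        if p.network.overlaps(b.network):
            problems.append(f"{backup} is in the same subnet as {primary}")
    port1 = links.get("ha1-backup", {}).get("port")
    port2 = links.get("ha2-backup", {}).get("port")
    if port1 and port1 == port2:
        problems.append(f"ha1-backup and ha2-backup share port {port1}")
    return problems

# Constructed sample: the ha1 lines and the shared port are made up for the demo.
SAMPLE = """\
set deviceconfig high-availability interface ha1 ip-address 192.168.1.5
set deviceconfig high-availability interface ha1 netmask 255.255.255.0
set deviceconfig high-availability interface ha1-backup port ethernet1/7
set deviceconfig high-availability interface ha1-backup ip-address 192.168.1.10
set deviceconfig high-availability interface ha1-backup netmask 255.255.255.0
set deviceconfig high-availability interface ha2-backup port ethernet1/7
"""

if __name__ == "__main__":
    for problem in check_backup_guidelines(parse_ha_interfaces(SAMPLE)):
        print("VIOLATION:", problem)
```

Paste the output of the show commands for all four HA links into one string and pass it to parse_ha_interfaces before committing.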

