Do Management Port, Console Port use MP?

Thanks for your response;

I confirmed that HA1 Backup Port connect to Dataplane

As you know HA1 Link is communicate each other same devices by ping protocol

200, 500, 2000 and above Devices's HA1 backup port

suddenly If MP is restarted about what problem

Doesn't keep ping communication normally?

anyway, even though MP has problem, regardless mgt port, HA1 Backup Port will probably operate normally on behalf of HA1 Port

because, HA1 backup port associate Data Plane, Is it right? I feel suspicious

I guess, It's likely to occur problem, If HA backup port relate MP porcess

I don't know about that why I feel curious

HA1 backup port associate Data Plane, Is it right? false wihile you you have a dedicated interface HA1 and as a best practice you have to use the management port as backup

https://live.paloaltonetworks.com/docs/DOC-5086

Page 13

High Availability Link Failure

Palo Alto Networks firewalls use HA Links to synchronize information and to send session and session state information between HA pair members. Depending on the firewall model, dedicated HA interfaces may or may not be available. If

dedicated HA interfaces are available, best practice is to use these ports for the primary HA links and to configure HA Backup links to help prevent configuration mismatches, synchronization loss, and split brain conditions.

HA1 Link Failure

If the HA1 Link fails and there is no HA1 Backup configured, configuration synchronization will fail and a split brain condition will be created. Split brain conditions occur when HA members can no longer communicate with each other to exchange HA monitoring information. Each HA member will assume the other member is in a non-functional state and take over as the Active (A/P) or Active-Primary (A/A). Split brain conditions can be prevented by configuring an HA1 Backup link and/or enabling Heartbeat Backup.

Two types of messages are sent between peers when HA is enabled.  The Control Link (HA1) communicates over a TCP connection.  The first is the 'Hello' message.  The second is the 'Heartbeat' message.

more information about  Heart beat here

https://live.paloaltonetworks.com/docs/DOC-2195

Hello Message

The 'Hello' message is sent from each peer to the other once every configured 'Hello Interval'.  It determines if the HA Agent is running.  No response is sent by the recipient.  This message is also sent if there is a HA state change or other informational changes are needed.  This message communicates:

• HA state of the device
• Device Priority
• HA2 (Data Link) cookie
• If the 'ha_lib' connection is seen locally ('sysd' peer connection)

It will also send this information when it has changed:

• If 'Config Sync' is enabled
• Config MD5SUM (to know if we are in config sync)
• When a commit fail has occurred
• Time sync if you push the time from the local to the peer

Hearbeat Message

The 'Heartbeat' message is an ICMP Ping that is sent to its peer every configured 'Heartbeat Interval'.  It verifies network connectivity with the HA peer.

And for the last  question if the management plane (control plane) failed or restart, normaly in A/P the apliance which failed couldn't be elected active for me. that ovoid the split brain.

I hope that help you !

If the on 1 appliance you stop the management plane the other appliance don't see the stoped appliance and stay actif or migrate to the activ state 

I believe there's a dead timer timeout for HA, where if one of the peers isn't seen for a period of time the inactive peer will take over. Also if you were going to restart the management plane or something drastic like that, you should deliberately suspend the active peer and make sure the secondary takes over, then do whatever maintenance is needed on the suspended firewall, then un-suspend it.