Palo PA-450 High Availability ports


L0 Member

Hello everyone, I wanted to deploy a pair of PA-450s in HA, and I understand there are no dedicated HA ports on this model, so we need to use data ports. I could not find a deployment guide for the PA-450 that addresses HA specifically, and I assume you could use any data port, but does anyone have any experience with selecting ports for HA? Does it matter which ports? The other concern is that I need to use 7 ports for other traffic, so I am only left with one data port for HA. Can the management port be used for HA2? Or HA1?

Thank you


Accepted Solutions

Cyber Elite

HA1 is used to synchronize the config and send heartbeats. This is a task of the management plane, so if the firewall doesn't have a dedicated HA1 port, it is best practice to use the management interface for HA1.

HA2 is used to synchronize the session table. The session table is on the data plane. You can use any data port for HA2.

If you need only 7 ports and can use 1 for HA2, then it is a perfect setup.

If you don't have any available data ports to use for HA2, then you can use only 1 link between the firewalls: the mgmt port for HA1.

But in this case the passive firewall has no idea of the session table, and if you fail over, all clients lose their active sessions and need to rebuild them (not user friendly :)).

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011


3 REPLIES

L2 Linker

@bormanb - It is always a best practice to use one Ethernet port for HA1 (in case of a firewall failure, a split-brain condition would surface) and always use another Ethernet port for HA2 (for session sync).

In your scenario, you have to make adjustments to lower the port count to 6 for external use. I would keep the MGMT port strictly for management purposes, which connects to a TOR switch.

Cyber Elite

Best practice is to use the management port for HA1 and one dataplane port for HA1-backup to avoid split-brain.

As mentioned, HA1 is related to the management plane, so running HA1 on a dataplane port is not the most optimal.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
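The layout recommended across the replies above (HA1 on the MGT port, HA1-backup on one dataplane port to avoid split-brain, HA2 on another dataplane port for session sync), written out as PAN-OS set commands for one member of the pair. This is an added example, not configuration posted in the thread or taken from Palo Alto Networks documentation. The interface choices (ethernet1/7 for HA1-backup, ethernet1/8 for HA2), the group ID and the addresses are assumed values, and the command syntax is written from memory of the PAN-OS 10.x CLI, so check it against the CLI reference for your release before committing.

```text
# Peer A of the pair. Peer B is the mirror image: swap the local and peer
# addresses below. Ports, addresses and the group ID are assumed values.

# Dataplane ports must be changed to the HA interface type before the HA
# configuration can reference them. This consumes two of the eight data
# ports, as the replies recommend, leaving ethernet1/1 to 1/6 for traffic.
set network interface ethernet ethernet1/7 ha
set network interface ethernet ethernet1/8 ha

set deviceconfig high-availability enabled yes
set deviceconfig high-availability group group-id 1
set deviceconfig high-availability group mode active-passive

# HA1 (config sync and heartbeats) on the management port, as the accepted
# answer suggests. peer-ip is the other firewall's MGT address.
set deviceconfig high-availability group peer-ip 192.0.2.2
set deviceconfig high-availability interface ha1 port management
set deviceconfig high-availability interface ha1 ip-address 192.0.2.1
set deviceconfig high-availability interface ha1 netmask 255.255.255.0

# HA1-backup on a dataplane port, so losing the single MGT link cannot
# leave both units believing they are active (split-brain).
set deviceconfig high-availability group peer-ip-backup 198.51.100.2
set deviceconfig high-availability interface ha1-backup port ethernet1/7
set deviceconfig high-availability interface ha1-backup ip-address 198.51.100.1
set deviceconfig high-availability interface ha1-backup netmask 255.255.255.0

# HA2 (session table sync) on a dataplane port, cabled back-to-back.
# With transport ethernet no IP addressing is needed on the HA2 link.
set deviceconfig high-availability interface ha2 port ethernet1/8
set deviceconfig high-availability group state-synchronization enabled yes
set deviceconfig high-availability group state-synchronization transport ethernet
```

After committing on both members, `show high-availability state` on each unit should report one active and one passive peer with HA1, HA1-backup and HA2 links up; `show high-availability all` shows the per-link detail. If you cannot spare the second data port, drop the HA1-backup lines and accept the split-brain risk the replies describe, but do not drop HA2, since without it a failover loses every established session.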