Palo PA-450 High Availability ports

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Palo PA-450 High Availability ports

L0 Member

Hello everyone, wanted to deploy a pair of PA-450s in HA and I understand there are no dedicated HA ports on this model so we need use data ports - I could not find a deployment guide for the PA-450 to address HA specifically and I assume you could use any data port but does anyone have any experiences when selecting ports for HA? does it matter which ports? The other concern is that I need to use 7 ports for other traffic so I am only left with one data port for HA, can the management port be used for HA2? or HA1?

Thank you

1 accepted solution

Accepted Solutions

Cyber Elite
Cyber Elite

HA1 is used to synchronize config and send heart beats. This is task of management plane so if firewall don't have dedicated HA1 port then it is best practice to use management interface for HA1.

HA2 is used to synchronize session table. Session table is on data plane. You can use any data port for HA2.

 

If you need only 7 ports and can use 1 for HA2 then it is perfect setup.

If you don't have any available data ports to use for HA2 then you can use only 1 link between firewalls - mgmt port for HA1.

But in this case passive firewall has no idea of session table and if you fail over then all clients loose their active sessions and need to rebuild (not user friendly :)).

 

 

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

View solution in original post

3 REPLIES 3

Cyber Elite
Cyber Elite

HA1 is used to synchronize config and send heart beats. This is task of management plane so if firewall don't have dedicated HA1 port then it is best practice to use management interface for HA1.

HA2 is used to synchronize session table. Session table is on data plane. You can use any data port for HA2.

 

If you need only 7 ports and can use 1 for HA2 then it is perfect setup.

If you don't have any available data ports to use for HA2 then you can use only 1 link between firewalls - mgmt port for HA1.

But in this case passive firewall has no idea of session table and if you fail over then all clients loose their active sessions and need to rebuild (not user friendly :)).

 

 

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

L2 Linker

@bormanb - It is always a best practice to use 1 ethernet port for HA1 (in case of a firewall failure a split brain condition would surface) & always use another ethernet port for HA2 (for session sync).

 

In your scenario, you have make adjustments to lower the port count to 6 for external use. I would keep the MGMT port strictly for management purposes which connects to a TOR switch

Cyber Elite
Cyber Elite

Best practice is to use management port for HA1 and one dataplane port for HA1-backup to avoid split brain.

As mentioned HA1 is related to management plane so running HA1 on dataplane port is not most optimal.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
  • 1 accepted solution
  • 2955 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!