
Cyber Elite

HA1 is used to synchronize config and send heartbeats. This is a task of the management plane, so if the firewall doesn't have a dedicated HA1 port then it is best practice to use the management interface for HA1.

HA2 is used to synchronize the session table. The session table is on the data plane. You can use any data port for HA2.


If you need only 7 ports and can use 1 for HA2 then it is a perfect setup.

If you don't have any available data ports to use for HA2 then you can use only 1 link between the firewalls - the mgmt port for HA1.

But in this case the passive firewall has no idea of the session table, and if you fail over then all clients lose their active sessions and need to rebuild them (not user friendly :)).



Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
