"HA1 backup port associated with the Data Plane, is it right?"

False. While you have a dedicated HA1 interface, as a best practice you have to use the management port as the backup: https://live.paloaltonetworks.com/docs/DOC-5086, page 13.

High Availability Link Failure

Palo Alto Networks firewalls use HA Links to synchronize information and to send session and session state information between HA pair members. Depending on the firewall model, dedicated HA interfaces may or may not be available. If dedicated HA interfaces are available, best practice is to use these ports for the primary HA links and to configure HA Backup links to help prevent configuration mismatches, synchronization loss, and split brain conditions.

HA1 Link Failure

If the HA1 Link fails and there is no HA1 Backup configured, configuration synchronization will fail and a split brain condition will be created. Split brain conditions occur when HA members can no longer communicate with each other to exchange HA monitoring information. Each HA member will assume the other member is in a non-functional state and take over as the Active (A/P) or Active-Primary (A/A). Split brain conditions can be prevented by configuring an HA1 Backup link and/or enabling Heartbeat Backup.

Two types of messages are sent between peers when HA is enabled. The Control Link (HA1) communicates over a TCP connection. The first is the 'Hello' message. The second is the 'Heartbeat' message. More information about the Heartbeat here: https://live.paloaltonetworks.com/docs/DOC-2195

Hello Message

The 'Hello' message is sent from each peer to the other once every configured 'Hello Interval'. It determines if the HA Agent is running. No response is sent by the recipient. This message is also sent if there is an HA state change or other informational changes are needed.

This message communicates:
- HA state of the device
- Device Priority
- HA2 (Data Link) cookie
- If the 'ha_lib' connection is seen locally ('sysd' peer connection)

It will also send this information when it has changed:
- If 'Config Sync' is enabled
- Config MD5SUM (to know if we are in config sync)
- When a commit fail has occurred
- Time sync, if you push the time from the local to the peer

Heartbeat Message

The 'Heartbeat' message is an ICMP Ping that is sent to its peer every configured 'Heartbeat Interval'. It verifies network connectivity with the HA peer.

And for the last question: if the management plane (control plane) failed or restarted, normally in A/P the appliance which failed couldn't be elected active, for me. That avoids the split brain.

I hope that helps you!
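To make the Hello/Heartbeat exchange and the split-brain case concrete, here is an added Python model of the behaviour the post describes. It is illustrative code written for this thread, not PAN-OS code or anything from the linked documents: the interface names, the priority convention (lower value preferred for Active) and the per-interval decision rules are simplifying assumptions, and the Hello only carries the fields the post lists.

```python
"""Constructed model of an HA pair exchanging Hello (over HA1/TCP) and
Heartbeat (ICMP) messages, and what happens to the pair when the dedicated
HA1 port fails with and without an HA1 Backup or Heartbeat Backup.
Illustrative only: names, priority rule and state machine are assumptions."""
import hashlib
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class HAState(Enum):
    ACTIVE = "active"
    PASSIVE = "passive"


@dataclass
class Hello:
    """Subset of the Hello contents listed in the post."""
    sender: str
    state: HAState
    priority: int
    config_md5: str


@dataclass
class Link:
    name: str          # constructed names, e.g. "ha1", "ha1-backup-mgmt"
    up: bool = True


@dataclass
class Peer:
    name: str
    priority: int      # assumption: lower value is preferred for Active
    config: str        # running config, hashed into the Hello
    state: HAState

    def hello(self) -> Hello:
        digest = hashlib.md5(self.config.encode()).hexdigest()
        return Hello(self.name, self.state, self.priority, digest)


def path_up(links: List[Link]) -> bool:
    """A message gets through if any link carrying it is up."""
    return any(link.up for link in links)


def config_in_sync(a: Peer, b: Peer) -> bool:
    """Compare the Config MD5SUM carried in each side's Hello."""
    return a.hello().config_md5 == b.hello().config_md5


def decide_state(me: Peer, peer_hello: Optional[Hello], heartbeat_ok: bool) -> HAState:
    """One member's decision at the end of a Hello interval (assumed rules):
    - no Hello and no Heartbeat: the peer is presumed dead, take over (Active)
    - no Hello but Heartbeat answers: the peer is alive, keep the current state
    - Hello received: election by priority, lower value wins, ties keep state
    """
    if peer_hello is None:
        return HAState.ACTIVE if not heartbeat_ok else me.state
    if me.priority < peer_hello.priority:
        return HAState.ACTIVE
    if me.priority > peer_hello.priority:
        return HAState.PASSIVE
    return me.state


def run_interval(a: Peer, b: Peer, ha1_links: List[Link], hb_links: List[Link]) -> dict:
    """Exchange one round of Hello/Heartbeat and report the resulting states."""
    hello_a = a.hello() if path_up(ha1_links) else None
    hello_b = b.hello() if path_up(ha1_links) else None
    heartbeat_ok = path_up(hb_links)
    a.state = decide_state(a, hello_b, heartbeat_ok)
    b.state = decide_state(b, hello_a, heartbeat_ok)
    return {
        "a": a.state,
        "b": b.state,
        "split_brain": a.state == HAState.ACTIVE and b.state == HAState.ACTIVE,
    }


def scenario(ha1_backup: bool, heartbeat_backup: bool) -> dict:
    """Cut the dedicated HA1 port on a healthy A/P pair and see what happens."""
    a = Peer("fw-a", priority=100, config="config v1", state=HAState.ACTIVE)
    b = Peer("fw-b", priority=110, config="config v1", state=HAState.PASSIVE)
    ha1_links = [Link("ha1", up=False)]                 # dedicated HA1 has failed
    if ha1_backup:
        ha1_links.append(Link("ha1-backup-mgmt"))        # backup over management port
    hb_links = list(ha1_links)                           # Heartbeat normally rides HA1
    if heartbeat_backup:
        hb_links.append(Link("heartbeat-backup-mgmt"))   # Heartbeat Backup over mgmt
    return run_interval(a, b, ha1_links, hb_links)


if __name__ == "__main__":
    for backup, hb in [(False, False), (True, False), (False, True)]:
        result = scenario(backup, hb)
        print(f"ha1_backup={backup} heartbeat_backup={hb}: "
              f"a={result['a'].value} b={result['b'].value} split_brain={result['split_brain']}")
```

Running it shows the three cases from the post: with neither backup both members go Active (split brain); with an HA1 Backup the Hello still arrives and the priority election keeps fw-a Active and fw-b Passive; with only Heartbeat Backup the Hello is lost but the ICMP heartbeat proves the peer is alive, so nobody takes over. The config_in_sync helper shows how the MD5SUM in the Hello exposes a configuration mismatch once the control link is back.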