High Availability (HA) Interfaces in Palo Alto Networks Firewalls

Types of HA Interfaces

• HA1 (Control Link): Layer 3 interface used to exchange hello messages, heartbeats, and HA state information. It also syncs routing, User-ID, and configuration changes. Ports: TCP 28769/28260 (cleartext), port 28 (SSH over TCP if encryption is enabled)
• HA2 (Data Link): Layer 2 interface used to sync sessions, ARP tables, forwarding tables, and IPSec SAs. Ports: protocol 99 or UDP 29281 (if routed)
• HA3 (Packet Forwarding Link): Layer 2 interface used in active/active deployments for forwarding packets during asymmetric flow or session setup. Uses MAC-in-MAC encapsulation. Requires jumbo frames
• HA4 / HA4 Backup: Used in HA clustering for session cache synchronization. Works with Layer 2 keepalives and supports multi-firewall clusters

Dedicated HA Ports (per Model)

• PA-800 Series: Dedicated HA1 and HA2 ports (1Gbps). Use direct or switch connections.
• PA-3200 / PA-5200 / PA-7000 Series: Use HA1-A and HA1-B for primary/backup HA1. HSCI ports support HA2/HA3. AUX ports on PA-5200 are multi-use for HA1 or Panorama logging
• PA-5450: SFP/SFP+ ports for HA1-A and HA1-B; HSCI-A/B for HA2 and HA3. All connections must be direct, not routable

Using Data Ports and Management Ports

• Firewalls without dedicated HA ports (e.g., PA-220) may use the management port for HA1 and data ports for HA2 and HA1-backup.
• When using management ports, add the peer IP to the permitted list if configured
• Data ports configured as HA interfaces must use jumbo frames for HA3 due to larger packet size

Best Practices

• Connect HA links directly when possible to avoid network-induced split-brain conditions
• Enable heartbeat backup on the management interface or in-band port if HA1 or HA1-backup uses it. Heartbeat uses TCP port 28771
• Ensure backup links are on a different subnet and do not overlap with primary HA IPs

Mermaid Flow Diagram - HA Interfaces Role

flowchart TD
  MGT[Management Plane]
  DP[Data Plane]

  subgraph Control_Link
    HA1[HA1: Hello, Heartbeats, Config Sync]
    HA1B[HA1 Backup: Redundancy]
  end

  subgraph Data_Link
    HA2[HA2: Session Sync]
    HA2B[HA2 Backup: Redundancy]
  end

  subgraph Packet_Forwarding_Link
    HA3[HA3: Active/Active Packet Forwarding]
  end

  subgraph Cluster_Sync
    HA4[HA4: Cluster Session Sync]
    HA4B[HA4 Backup: Redundancy]
  end

  MGT --> HA1
  MGT --> HA1B
  DP --> HA2
  DP --> HA2B
  DP --> HA3
  DP --> HA4
  DP --> HA4B
    

PCNSE Practice Questions: HA Interfaces

1. Which interface is used to synchronize session tables between HA peers in a Palo Alto Networks firewall deployment?
   A. HA1
   B. HA2
   C. HA3
   D. Management
   Answer: B
   Explanation: The HA2 link is used for state synchronization including session tables, routing tables, and forwarding tables between HA peers.
2. In an active/active HA configuration, which HA link is responsible for forwarding asymmetric traffic flows between firewalls?
   A. HA1
   B. HA2
   C. HA3
   D. HA1 Backup
   Answer: C
   Explanation: HA3 is used in active/active mode for packet forwarding when traffic must be sent from one peer to another.
3. What is the default transport protocol and port for the HA1 link when encryption is disabled?
   A. UDP 28260
   B. TCP 28769
   C. Protocol 99
   D. UDP 29281
   Answer: B
   Explanation: HA1 uses TCP port 28769 by default for heartbeat and control message exchange when encryption is not enabled.
4. Which of the following statements is TRUE regarding HA interface configuration?
   A. HA2 must always be configured with a routable IP address.
   B. HA1 links can only use physical interfaces.
   C. Management interfaces can be used for HA1 communication in certain models.
   D. HA3 can only be used on loopback interfaces.
   Answer: C
   Explanation: On firewalls without dedicated HA ports, the management interface may be used for HA1, especially on models like PA-220.

References

• HA Links and Backup Links - PAN-OS