Palo Alto Networks Certified Network Security Engineer (PCNSE)
Palo Alto Firewalls: HA Pairing
Palo Alto firewalls support two modes of stateful high availability, both with session and configuration synchronization:
Active/Passive: In this mode, one firewall actively handles traffic while the other stays synchronized and ready to take over if a failure occurs. Both firewalls share the same configuration settings. The active firewall handles traffic until a path, connection, or system failure occurs.
When the active firewall goes down, the passive firewall automatically switches to active mode and enforces the same policies to keep the network secure. Active/passive HA supports Layer 2, Layer 3, and virtual wire deployments.
Active/Active: Both firewalls in the pair are operational at the same time, processing traffic and handling session establishment. Each firewall maintains its own session table and routing table and synchronizes them with its peer. Active/active HA supports Layer 3 and virtual wire deployments.
How HA Pair Link Works
Firewalls in an HA pair use HA links to synchronize data and maintain state information. Some firewall models have dedicated HA ports, the control link (HA1) and the data link (HA2), while others require you to use in-band ports as the HA links. On firewalls that have dedicated HA ports, use them to manage communication and synchronization between the firewalls.
Each HA link has a specific job.
The control link, also known as the HA1 link, is used to send and receive messages such as:
Information about the HA state
Management plane sync for routing
User-ID information