Palo Alto HA
Modes:-
Active/Standby
Active/Active
HA1: Control link; exchanges hello messages, heartbeats, HA state information, User-ID synchronization and configuration sync (ports 28769 and 28260 for clear-text communication, port 28 for encrypted).
HA2: Data link; synchronizes session information, forwarding table and ARP. Uses Ethertype 0x7261 by default; can use either IP (protocol number 99) or UDP (port 29281).
Backup Links: Provide redundancy for the HA1 and the HA2 links. HA1-backup and HA2-backup ports must be configured on separate physical ports. The HA1-backup link uses ports 28770 and 28260.
Failover Triggers:-
Heartbeats+Hello Messages
Link Monitoring
Path Monitoring
HA Timers:-
Recommended profile for typical failover timer settings
Aggressive profile for faster failover
Advanced profile allows you to customize the timer values
Prerequisites:- Both firewalls should be the same model, with the same interfaces, OS and licenses
Select the interface and set its type to HA
Go to Device --> High Availability --> Setup
Add a Backup Peer HA IP Address if there are enough free ports
Provide the IP and mask if the peers need routing capability to reach each other
Transport Methods
Ethernet: Use when the firewalls are connected back-to-back or through a switch (Ethertype 0x7261)
IP: Use when Layer 3 transport is required (IP protocol number 99)
UDP: Use to take advantage of the fact the checksum is calculated on the entire packet rather than just the header, as in the IP option (UDP port 29281)
Lower priority value is preferred
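
Added example, not from the original notes or from Palo Alto: a Python classifier that labels raw Ethernet frames from a capture by HA link, using the Ethertype, protocol number and ports listed above, so clear-text HA1 traffic is easy to spot. It assumes HA1 runs over TCP and that frames are untagged or single-tagged IPv4; the function names and sample frames are constructed for illustration.

```python
import struct

# Ethertype, protocol and port values are from the notes above.
# Assumption of this example: HA1 runs over TCP (the notes give ports only).
HA2_ETHERTYPE, HA2_IP_PROTO, HA2_UDP_PORT = 0x7261, 99, 29281
HA1_TCP_PORTS = {28: "HA1 (encrypted)", 28769: "HA1 (clear text)",
                 28770: "HA1-backup", 28260: "HA1 or HA1-backup"}

def classify_frame(frame: bytes) -> str:
    """Label one raw Ethernet frame with the HA link it belongs to."""
    if len(frame) < 14:
        return "not HA"
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    offset = 14
    if ethertype == 0x8100 and len(frame) >= 18:  # skip a single 802.1Q tag
        (ethertype,) = struct.unpack_from("!H", frame, 16)
        offset = 18
    if ethertype == HA2_ETHERTYPE:
        return "HA2 (Ethernet transport)"
    if ethertype != 0x0800 or len(frame) < offset + 20:
        return "not HA"
    ihl = (frame[offset] & 0x0F) * 4  # IPv4 header length in bytes
    proto = frame[offset + 9]
    if proto == HA2_IP_PROTO:
        return "HA2 (IP transport)"
    l4 = offset + ihl
    if ihl < 20 or len(frame) < l4 + 4:
        return "not HA"
    sport, dport = struct.unpack_from("!HH", frame, l4)
    if proto == 17 and HA2_UDP_PORT in (sport, dport):
        return "HA2 (UDP transport)"
    if proto == 6:
        for port in (dport, sport):  # check destination port first
            if port in HA1_TCP_PORTS:
                return HA1_TCP_PORTS[port]
    return "not HA"

# Constructed sample frames (zeroed MACs and addresses), not captured traffic.
def eth(ethertype: int, payload: bytes) -> bytes:
    return bytes(12) + struct.pack("!H", ethertype) + payload

def ipv4(proto: int, sport: int = 0, dport: int = 0) -> bytes:
    header = bytes([0x45]) + bytes(8) + bytes([proto]) + bytes(10)
    return header + struct.pack("!HH", sport, dport)

SAMPLES = [eth(0x7261, bytes(46)), eth(0x0800, ipv4(99)),
           eth(0x0800, ipv4(17, 29281, 29281)), eth(0x0800, ipv4(6, 51000, 28769)),
           eth(0x0800, ipv4(6, 51000, 28)), eth(0x0800, ipv4(6, 51000, 443))]
```

Running `classify_frame` over frames seen on the HA segment shows which transport HA2 is using and whether HA1 is running on its clear-text ports or on port 28.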