HA3 Link Connectivity Through a Layer 2 Switch?

• Palo Alto 800, 3200 and PA-5200 Series firewalls
• Supported PAN-OS.

1. Yes, the HA3 interface on an HA (High Availability) Active - Active setup can be connected through a Layer 2 switch between the HA pair.
2. A switch supporting jumbo frame is required.
3. Jumbo frame support does not explicitly need to be enabled on the Palo Alto Networks firewall, as the HA3 interface supports jumbo frames independently of the system configuration.

Note:

• On PA-3200 Series, PA-5200 Series, and PA-7000 Series firewalls, the dedicated HSCI ports support the HA3 link.
• The traffic carried on the HSCI ports is raw Layer 1 traffic, which is not routable or switchable. Therefore, you must connect the HSCI ports directly to each other 
• Refer HA Links and Backup Links  and  HA Ports on Palo Alto Networks Firewalls for detailed information.

In a High Availability (HA) configuration, HA3 uses L2 between the firewalls. The firewall will add 18 bytes to the frame. Without support for jumbo frames, network traffic with frame size over 1514 may get dropped by the switch and the traffic will fail.

The 18 bytes that make up the total extra overhead consist of:

• 6 bytes for the dest mac of the peer HA3 port
• 6 bytes for the src mac of HA3 port
• 2 bytes for the protocol number
• 4 bytes for an essential private field