How to Configure HA Backup Links
Created On 09/25/18 17:58 PM - Last Modified 02/01/25 00:30 AM
Environment
Pair of identical Palo Alto Networks firewalls
Procedure
You can configure the HA-Backup Links from the Web UI or the CLI. See below for steps on both.
From the Web UI
- Identify which physical interfaces on the firewall will be used as HA1, HA1-Backup, HA2, and HA2-Backup links. See HA Ports on Palo Alto Networks Firewalls and HA Active/Passive Best Practices for guidance.
- Go to Device > High Availability > HA Communications > click Edit on HA1 Backup
Repeat the steps above for the HA1, HA1-Backup, HA2, and HA2-Backup links
Note: If you plan to use a data interface as an HA interface, you must first change that interface's Interface Type to HA. To do this, navigate to Network > Interfaces > edit Interface > change Interface Type to HA.
Note: For firewalls without dedicated HA interfaces, such as the PA-200 and PA-400 Series, it is required to configure a data port as an HA interface.
- Type an IP Address, Netmask, and Gateway
- Perform a Commit
From the CLI
- Run the configure command to enter the configuration mode
> configure
- Use the set command to configure the <ha1-backup or ha2-backup> port, ip-address, netmask, and gateway
set deviceconfig high-availability interface ha1-backup port ethernet1/7
set deviceconfig high-availability interface ha1-backup ip-address 192.168.1.10
set deviceconfig high-availability interface ha1-backup netmask 255.255.255.0
set deviceconfig high-availability interface ha1-backup gateway 192.168.1.1
- Run commit to commit the changes
NOTE: To verify the changes, see To Verify Changes under Additional Information.
Additional Information
HA Communications
HA Links and Backup Links
HA Ports on Palo Alto Networks Firewalls
To Verify Changes
- (Optional) For easier viewing change config-output-format to set
> set cli config-output-format set
- Enter configure mode
> configure
- Use show command to view changes
# show deviceconfig high-availability interface ha1-backup
set deviceconfig high-availability interface ha1-backup port ethernet1/7
set deviceconfig high-availability interface ha1-backup ip-address 192.168.1.10
set deviceconfig high-availability interface ha1-backup netmask 255.255.255.0
set deviceconfig high-availability interface ha1-backup gateway 192.168.1.1
# show deviceconfig high-availability interface ha2-backup
set deviceconfig high-availability interface ha2-backup port ethernet1/8
set deviceconfig high-availability interface ha2-backup ip-address 192.168.2.10
set deviceconfig high-availability interface ha2-backup netmask 255.255.255.0
set deviceconfig high-availability interface ha2-backup gateway 192.168.2.1
The HA1-Backup and HA2-Backup links provide redundancy for the HA1 and the HA2 links. In-band ports can be used for backup links for both HA1 and HA2 connections when dedicated backup links are not available. Consider the following guidelines when configuring backup HA links:
- The IP addresses of the primary and backup HA links must not overlap each other.
- HA backup links must be on a different subnet from the primary HA links.
- HA1-backup and HA2-backup ports must be configured on separate physical ports. The HA1-backup link uses ports 28770 and 28260.
- PA-3200 Series firewalls don’t support an IPv6 address for the HA1-backup link; use an IPv4 address.
For additional guidance, refer to High Availability - HA Heartbeat Backup
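The subnet and port guidelines above can be checked offline against set-format output before a commit. The following is an added example, not part of the original article or of any Palo Alto Networks tooling; the function names and the ha1 primary-link values in the sample are assumptions, and only IPv4 address/netmask pairs are handled.

```python
import ipaddress
import re

# Constructed sample in set format. The ha1 lines are assumed values for
# illustration; the backup lines reuse this article's example addresses.
SAMPLE = """\
set deviceconfig high-availability interface ha1 port ethernet1/5
set deviceconfig high-availability interface ha1 ip-address 10.0.1.10
set deviceconfig high-availability interface ha1 netmask 255.255.255.0
set deviceconfig high-availability interface ha1-backup port ethernet1/7
set deviceconfig high-availability interface ha1-backup ip-address 192.168.1.10
set deviceconfig high-availability interface ha1-backup netmask 255.255.255.0
set deviceconfig high-availability interface ha2-backup port ethernet1/8
set deviceconfig high-availability interface ha2-backup ip-address 192.168.2.10
set deviceconfig high-availability interface ha2-backup netmask 255.255.255.0
"""

LINE = re.compile(r"^set deviceconfig high-availability interface (\S+) (\S+) (\S+)$")

def parse(text):
    """Return {link: {key: value}} from set-format lines; other lines are ignored."""
    links = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            links.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
    return links

def network(cfg):
    """IPv4 network of a link, or None when address or netmask is not configured."""
    if "ip-address" not in cfg or "netmask" not in cfg:
        return None
    return ipaddress.ip_network(f"{cfg['ip-address']}/{cfg['netmask']}", strict=False)

def check(text):
    """Return a list of guideline violations (an empty list means none found)."""
    links = parse(text)
    problems = []
    for primary in ("ha1", "ha2"):
        backup = primary + "-backup"
        p, b = network(links.get(primary, {})), network(links.get(backup, {}))
        if p is not None and b is not None and p.overlaps(b):
            problems.append(f"{backup} subnet {b} overlaps {primary} subnet {p}")
    ports = [links.get(n, {}).get("port") for n in ("ha1-backup", "ha2-backup")]
    if ports[0] is not None and ports[0] == ports[1]:
        problems.append(f"ha1-backup and ha2-backup share port {ports[0]}")
    return problems
```

Pass the combined `show deviceconfig high-availability interface` output to `check()`; a link with no address configured under HA is skipped rather than reported.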