Which Ports Need to be Opened for PAN-OS in HA to Sync and Communicate?
30892
Created On 09/26/18 13:48 PM - Last Modified 04/20/20 23:38 PM
Resolution
Overview
The table below represents PAN-OS running as Panorama on a Palo Alto Networks M-100 or as a firewall on an appliance. These are the protocols and ports that a high availability pair will use, and therefore must be allowed by any filtering device that is in between the pair.
| Communicating Devices | Ports Used (5.0 and 5.1) | Ports Used (6.0 and 6.1) | Description |
|---|---|---|---|
| Panorama to Panorama HA | TCP/28, ICMP | TCP/28, ICMP | For HA connectivity and synchronization if encryption is enabled |
| TCP/28769, TCP/49160, ICMP | TCP/28769, TCP/28260, ICMP | For HA connectivity and synchronization if encryption is NOT enabled. | |
| PAN-OS HA1 | TCP/28 | TCP/28 | For HA connectivity and synchronization if encryption is enabled |
| TCP/28769 and TCP/49160 | TCP/28769 and TCP/28260 | For HA connectivity and synchronization if encryption is NOT enabled | |
| ICMP | ICMP | For heartbeat | |
| PAN-OS HA1-Backup | TCP/28770 and TCP/49160 | TCP/28770 and TCP/28260 | For HA connectivity and synchronization if encryption is NOT enabled |
| ICMP | ICMP | For heartbeat | |
| Heartbeat Backup through Management Port | TCP/28771 | TCP/28771 | Heartbeat backup |
| PAN-OS HA2 | Ethernet type 0x7261, IP protocol 99, or UDP/29281 | Ethernet type 0x7261, IP protocol 99, or UDP/29281 | HA session synchronization. Encryption is not supported. If data confidentiality and integrity is required, then a tunnel should be configured between the HA pair and routing should force the packets to use the tunnel. |
PAN-OS HA3 | Not applicable | Not applicable | A Palo Alto Networks Active-Active HA pair must have the dedicated HA3 ports directly connected. |
owner: jjosephs