Palo Alto High Availability Heartbeat

Besides the HA1 and HA2 interfaces on a Palo Alto Networks firewall, there are the HA1/HA2 Backup and Heartbeat Backup options. I was a bit confused while reading the high availability documentation, since it did not clearly specify when and where to use the dedicated management port for which kind of “backup”.

Basically, it comes down to this: there are two different ways to use the dedicated management port for an HA backup, either as the heartbeat backup OR as the HA1 backup.

(The screenshots are from a PA-5050 with PAN-OS version 6.1.5 running. The official Palo Alto Networks links are here: High Availability Resources.)

I was confused because the Palo Alto documentation says about the heartbeat backup: “Uses the management ports on the HA devices to provide a backup path for heartbeat and hello messages. The management port IP address will be shared with the HA peer through the HA1 control link. No additional configuration is required.”

And for the HA1 backup, it says: “The recommended configuration for the HA control link connection is to use the dedicated HA1 link between the two devices and use the management port as the Control Link (HA Backup) interface. In this case, you do not need to enable the Heartbeat Backup option in the Elections Settings page.”

–> It was not clear to me where to use the management port and when to enable the heartbeat backup.

Solution

The heartbeat backup option should only be enabled if the management interface is not already used as the HA1 or HA1 backup link. If the management interface already carries HA1 or HA1 backup, leave the heartbeat backup disabled.

The following two screenshots show the different options. Either the heartbeat backup is activated, or the HA1 backup link is the management interface:

In any case, the HA1 Backup bubble should be green:

(Screenshot: Palo Alto HA - green bubbles)

Note that the heartbeat backup ONLY carries heartbeat and hello messages, while the HA1/backup link does more: “Control Link: The HA1 link is used to exchange hellos, heartbeats, and HA state information, and management plane sync for routing, and User-ID information. This link is also used to synchronize configuration changes on either the active or passive device with its peer.” –> Choose the option in which the management interface is the real HA1 backup and not only the heartbeat backup!
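To make the rule from the solution checkable on an exported configuration, here is a small linter I added for this post (it is not code from the original post or from Palo Alto Networks). It classifies which of the two valid layouts a config uses and flags the two bad cases: heartbeat backup enabled although the management port already carries HA1 or HA1 backup, and HA1 with no backup path at all. The XML element names (`high-availability`, `interface/ha1`, `interface/ha1-backup`, `election-option/heartbeat-backup`) and the port name `management` are assumptions modelled on a PAN-OS config export and may differ between PAN-OS versions; the sample configs are constructed by `make_ha_config`.

```python
"""Linter for the HA backup rule: enable Heartbeat Backup only when the
management port is NOT already used as HA1 or HA1 Backup; when the management
port is the HA1 Backup link, leave Heartbeat Backup off.

Element names and the 'management' port name are assumptions modelled on a
PAN-OS configuration export; check them against your own running-config.
"""
import xml.etree.ElementTree as ET

MGMT = "management"  # assumed port name of the dedicated management interface


def make_ha_config(ha1_port, ha1_backup_port, heartbeat_backup):
    """Return a constructed PAN-OS-style HA config excerpt (not a real export).

    ha1_backup_port=None models 'no HA1 Backup configured'.
    """
    backup = (f"<ha1-backup><port>{ha1_backup_port}</port></ha1-backup>"
              if ha1_backup_port else "")
    hb = "yes" if heartbeat_backup else "no"
    return f"""<config><devices><entry name="localhost.localdomain"><deviceconfig>
  <high-availability>
    <enabled>yes</enabled>
    <interface>
      <ha1><port>{ha1_port}</port></ha1>
      {backup}
      <ha2><port>ethernet1/8</port></ha2>
    </interface>
    <group><entry name="1">
      <election-option><heartbeat-backup>{hb}</heartbeat-backup></election-option>
    </entry></group>
  </high-availability>
</deviceconfig></entry></devices></config>"""


def _text(node, path):
    """Stripped text of the first element at path, or None if absent."""
    found = node.find(path) if node is not None else None
    return found.text.strip() if found is not None and found.text else None


def check_ha_backup(xml_text):
    """Classify the HA backup layout and report rule violations.

    Returns the ports seen, the detected mode and a list of findings;
    'ok' is True only when no finding was raised.
    """
    root = ET.fromstring(xml_text)
    ha = root.find(".//high-availability")
    if ha is None:
        raise ValueError("no <high-availability> block in config")

    ha1 = _text(ha, "interface/ha1/port")
    ha1_backup = _text(ha, "interface/ha1-backup/port")
    heartbeat = (_text(ha, ".//election-option/heartbeat-backup") or "no") == "yes"
    mgmt_on_control_link = MGMT in (ha1, ha1_backup)

    findings = []
    if mgmt_on_control_link and heartbeat:
        # The management port cannot be both a control link and the heartbeat path.
        mode = "conflict"
        findings.append("management port already carries HA1/HA1 Backup; "
                        "disable Heartbeat Backup")
    elif ha1_backup == MGMT:
        mode = "ha1-backup-on-management"        # the layout the post recommends
    elif heartbeat:
        mode = "heartbeat-backup-on-management"  # valid, but hellos/heartbeats only
    elif ha1_backup:
        mode = "ha1-backup-on-dedicated-port"
    else:
        mode = "no-backup-path"
        findings.append("HA1 control link has no backup path: configure an HA1 "
                        "Backup port or enable Heartbeat Backup")

    return {"ha1": ha1, "ha1_backup": ha1_backup, "heartbeat_backup": heartbeat,
            "mode": mode, "findings": findings, "ok": not findings}


if __name__ == "__main__":
    for ha1, backup, hb in [("ethernet1/1", MGMT, False),
                            ("ethernet1/1", None, True),
                            ("ethernet1/1", MGMT, True),
                            ("ethernet1/1", None, False)]:
        result = check_ha_backup(make_ha_config(ha1, backup, hb))
        print(f"{result['mode']:32} ok={result['ok']} {result['findings']}")
```

Run it on a real export by replacing `make_ha_config(...)` with the file contents; if the element paths differ on your PAN-OS version, the `_text` lookups are the only place to adjust.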

Supplement

Just while searching for all that HA stuff, I found a list in the admin guide for version 6.1 that describes exactly when to use the “heartbeat backup” option and when not to. 😉 On page 143 it lists (among others) these cases:

and:

Now it’s clear.
