For those asking about cabling, there are some considerations
First, there are some firewalls with dedicated HA1 and HA2 ports and they are labeled. Those have no further mystery, you just connect HA1 of FW1 to HA1 of FW2 and HA2 of FW1 to HA2 of FW2.
For firewalls that have no dedicated HA ports, the best practice is to use the Management ports as HA1 (control) link.
-
The two main ways of doing this are
1. Directly connecting the Management interfaces of both NGFWs. Connecting MGMT of FW1 to MGMT of FW2 and set them both as HA1.
2. Connecting both Management interfaces to a switch and still set them both as HA1.
-
Way 1. is simpler and may be better for smaller networks. Its greatest disadvantage is that you can no longer access the out of band Management port, you'd have to assign an in-band data interface as a Management one (ideally putting it in your separate administration network with its dedicated VLAN, etc...)
Way 2. is the best for bigger, more complex networks. The only disadvantage it has is that the switch working as an intermediary for both Management/HA1 ports is a new point of failure. Ergo, if the switch fails, the HA fails.
But this method allows you to still access the Management interfaces for management purposes as they keep the HA1 communication at the same time as you access them, they even use separate IPs for each task, it's pretty much as if you had created a management subinterface for HA1.
If concerned about traffic spoofing, you can enable encryption for the HA1 (control link) connection.
-
For HA2, in any of those 2 cases you just assign an in-band data port as HA type and set it up as HA2 in Device --> HA --> HA communications
-
Still, in my experience, the best thing to do is to just set up 2 data ports as HA type and use one for HA1 and the other for HA2, but I am not a Best Practice Expert, just a silly little dude.
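As an added illustration (not part of the comment above, and not Palo Alto's own tooling), the following script encodes the cabling trade-offs described in this thread as a small design-review check: it takes a planned HA1/HA2 layout and lists the risks the commenter mentions (lost out-of-band management, the intermediary switch as a single point of failure, an unencrypted HA1 control link, missing HA2). The `HaPlan` fields, the option names and the severity labels are my own assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

# Assumed, simplified model of an HA cabling plan for a two-firewall pair.
# ha1_via: "dedicated" (labeled HA1 port), "mgmt-direct" (MGMT<->MGMT cable),
#          "mgmt-switch" (both MGMT ports on a switch) or "data-port" (in-band port set to HA type).
@dataclass
class HaPlan:
    dedicated_ha_ports: bool
    ha1_via: str
    ha1_encryption: bool = False
    inband_mgmt_interface: Optional[str] = None   # data port re-assigned for management, if any
    ha2_port: Optional[str] = None                # in-band data port set as HA2, if any

SEVERITY_ORDER = ["HIGH", "MEDIUM", "LOW", "INFO"]

def review_ha_plan(plan: HaPlan) -> List[str]:
    """Return findings derived from the cabling considerations in the thread."""
    findings = []
    if plan.dedicated_ha_ports and plan.ha1_via != "dedicated":
        findings.append("INFO: labeled HA1/HA2 ports exist; cable HA1<->HA1 and HA2<->HA2 instead")
    if plan.ha1_via == "mgmt-direct" and not plan.inband_mgmt_interface:
        findings.append("HIGH: MGMT is cabled back-to-back as HA1, so out-of-band management is gone "
                        "and no in-band data interface is assigned for management")
    if plan.ha1_via == "mgmt-switch":
        findings.append("MEDIUM: the switch carrying both MGMT/HA1 ports is a single point of failure for HA")
    if plan.ha1_via != "dedicated" and not plan.ha1_encryption:
        findings.append("LOW: HA1 control link is unencrypted; enable HA1 encryption if spoofing is a concern")
    if plan.ha1_via != "dedicated" and not plan.ha2_port:
        findings.append("HIGH: no in-band data port assigned as HA2 (Device > HA > HA Communications)")
    if plan.ha2_port and plan.ha2_port == plan.inband_mgmt_interface:
        findings.append("HIGH: HA2 port and in-band management interface are the same port")
    return findings

def worst_severity(findings: List[str]) -> str:
    """Highest severity label present in the findings, or 'OK' when there are none."""
    present = {f.split(":", 1)[0] for f in findings}
    for level in SEVERITY_ORDER:
        if level in present:
            return level
    return "OK"

if __name__ == "__main__":
    # Constructed sample: management ports on a switch, HA1 encrypted, HA2 on a data port.
    plan = HaPlan(False, "mgmt-switch", ha1_encryption=True, ha2_port="ethernet1/8")
    for line in review_ha_plan(plan):
        print(line)
    print("overall:", worst_severity(review_ha_plan(plan)))
```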
From VietNam. Thanks
Wow! Your explanation is so clean and understandable! Thank you!
Awesome video with all relevant details!
Do the IPs listed in Peer HA1 matter if they are publicly routable, if the pair are directly connected?
How should the interfaces be cabled up?
Should they connect to each other directly or via switches?
Can be connected directly between the two firewalls
Yes they can be connected directly to each other
What about cabling...
@animal9470
There are some considerations. First, there are some Palo Alto NGFWs with dedicated HA1 and HA2 ports and they are labeled. Those have no further mystery, you just connect HA1 of FW1 to HA1 of FW2 and HA2 of FW1 to HA2 of FW2.
For firewalls that have no dedicated HA ports, the best practice is to use the Management ports as HA1 (control) link.
-
The two main ways of doing this are
1. Directly connecting the Management interfaces of both NGFWs. Connecting MGMT of FW1 to MGMT of FW2 and set them both as HA1.
2. Connecting both Management interfaces to a switch and still set them both as HA1.
-
Way 1. is simpler and may be better for smaller networks. Its greatest disadvantage is that you can no longer access the out of band Management port, you'd have to assign an in-band data interface as a Management one (ideally putting it in your separate administration network with its dedicated VLAN, etc...)
Way 2. is the best for bigger, more complex networks. The only disadvantage it has is that the switch working as an intermediary for both Management/HA1 ports is a new point of failure. Ergo, if the switch fails, the HA fails.
But this method allows you to still access the Management interfaces for management purposes as they keep the HA1 communication at the same time as you access them, they even use separate IPs for each task, it's pretty much as if you had created a management subinterface for HA1.
If concerned about traffic spoofing, you can enable encryption for the HA1 (control link) connection.
-
For HA2, in any of those 2 cases you just assign an in-band data port as HA type and set it up as HA2 in Device --> HA --> HA communications