InterviewSolution
1. Mention the various port numbers used in HA?

Answer» The different port numbers used in HA are:

- HA1 control link: TCP 28769 and TCP 28260 for clear-text communication between the HA peer firewalls. The HA1 link is a Layer 3 link and therefore requires an IP address. For encrypted communication (SSH over TCP) between the HA peer firewalls, the HA1 control link uses TCP 28.
- HA1 backup link: TCP 28770 as the listening port.
- Heartbeat backup: TCP 28771. If you use an in-band port for the HA1 or HA1 backup links, Palo Alto Networks recommends enabling heartbeat backup on the MGT interface.
- HA2 link: IP protocol 99 and UDP 29281 synchronise sessions, forwarding tables, IPSec security associations and ARP tables between the firewalls in an HA pair. Data flow on the HA2 link is always unidirectional (except for the HA2 keep-alive): it flows from the active firewall (Active/Passive) or active-primary firewall (Active/Active) to the passive firewall (Active/Passive) or active-secondary firewall (Active/Active). The HA2 link is a Layer 2 link that uses ethertype 0x7261 by default. The HA data link can also be configured to use IP (protocol number 99) or UDP (port 29281) as the transport, which allows it to cross subnets.