you should always set HA2 as without session sync failovers are dramatic.
It is the core reason to have a cluster in the first place: seamless failover
Without ha2 you can just as well set up 2 standalone devices and do ospf or install a load balancer ;) )
there is no recommendation to have HA2-backup in the panw best practices (also not one for HA1-backup, but please take my word that this is a must, you can use the mgmt interface if no physical interface is available))
HA2 allows the primary member of a cluster to share its state table, which allows the standby firewall to "continue" all existing sessions if there's a failover.HA2 backup is simply a backup link in case the primary HA2 link goes down, so the cluster can keep sharing the state table.From a redundancy perspective I would prioritize setting a HA1 backup (as this prevents split brain) and if you need to tick a (compliancy) box, add HA2
you should always set HA2 as without session sync failovers are dramatic.
It is the core reason to have a cluster in the first place: seamless failover
Without ha2 you can just as well set up 2 standalone devices and do ospf or install a load balancer ;) )
there is no recommendation to have HA2-backup in the panw best practices (also not one for HA1-backup, but please take my word that this is a must, you can use the mgmt interface if no physical interface is available))
HA2 allows the primary member of a cluster to share its state table, which allows the standby firewall to "continue" all existing sessions if there's a failover. HA2 backup is simply a backup link in case the primary HA2 link goes down, so the cluster can keep sharing the state table. From a redundancy perspective I would prioritize setting a HA1 backup (as this prevents split brain) and if you need to tick a (compliancy) box, add HA2