Use Case: Configure Active/Active HA for ARP Load-Sharing with Destination NAT

Where Can I Use This?	What Do I Need?
NGFW (Managed by Strata Cloud Manager) NGFW (Managed by PAN-OS or Panorama)	For Strata Cloud Manager managed NGFWs: Strata Cloud Manager Pro

This Layer 3 interface example uses NAT in Active/Active HA and ARP Load-Sharing with destination NAT. Both HA firewalls respond to an ARP request for the destination NAT address with the ingress interface MAC address. Destination NAT translates the public, shared IP address (in this example, 10.1.1.200) to the private IP address of the server (in this example, 192.168.2.200).

When the HA firewalls receive traffic for the destination 10.1.1.200, both firewalls could possibly respond to the ARP request, which could cause network instability. To avoid the potential issue, configure the firewall that is in active-primary state to respond to the ARP request by binding the destination NAT rule to the active-primary firewall.

1. On PA-3050-2 (Device ID 1), perform Step 1 through Step 3 of Configure Active/Active HA.
2. Enable active/active HA.

   1. In DeviceHigh AvailabilityGeneral, edit Setup.
   2. Select Enable HA.
   3. Enter a Group ID, which must be the same for both firewalls. The firewall uses the Group ID to calculate the virtual MAC address (range is 1 to 63).
   4. (Optional) Enter a Description.
   5. For Mode, select Active Active.
   6. Select Device ID to be 1.
   7. Select Enable Config Sync. This setting is required to synchronize the two firewall configurations (enabled by default).
   8. Enter the Peer HA1 IP Address, which is the IP address of the HA1 control link on the peer firewall.
   9. (Optional) Enter a Backup Peer HA1 IP Address, which is the IP address of the backup control link on the peer firewall.
   10. Click OK.
3. Perform Step 6 through Step 15 in Configure Active/Active HA.
4. Configure an HA virtual address.

   1. Select DeviceHigh AvailabilityActive/Active ConfigVirtual Address and click Add.
   2. Select Interface eth1/1.
   3. Select IPv4 and Add an IPv4 Address of 10.1.1.200.
   4. For Type, select ARP Load Sharing, which configures the virtual IP address to be for both peers to use for ARP Load-Sharing.
5. Configure ARP Load-Sharing.

   The device selection algorithm determines which HA firewall responds to the ARP requests to provide load sharing.

   1. For Device Selection Algorithm, select IP Modulo. The firewall that will respond to ARP requests is based on the parity of the ARP requester's IP address.
   2. Click OK.
6. Enable jumbo frames on firewalls other than the PA-7000 Series.
7. Define HA Failover Conditions.
8. Commit the configuration.
9. Configure the peer firewall, PA-3050-1 (Device ID 0), with the same settings, except in Step 2 select Device ID 0.
10. Still on PA-3050-1 (Device ID 0), create the destination NAT rule so that the active-primary firewall responds to ARP requests.

    1. Select PoliciesNAT and click Add.
    2. Enter a Name for the rule that, in this example, identifies it as a destination NAT rule for Layer 2 ARP.
    3. For NAT Type, select ipv4 (default).
    4. On the Original Packet, for Source Zone, select Any.
    5. For Destination Zone, select the Untrust zone you created for the external network.
    6. Allow Destination Interface, Service, and Source Address to remain set to Any.
    7. For Destination Address, specify 10.1.1.200.
    8. For the Translated Packet, Source Address Translation remains None.
    9. For Destination Address Translation, enter the private IP address of the destination server, in this example, 192.168.1.200.
    10. On the Active/Active HA Binding tab, for Active/Active HA Binding, select primary to bind the NAT rule to the firewall in active-primary state.
    11. Click OK.
11. Commit the configuration.