Use Case: Configure Active/Active HA with ARP Load-Sharing

Where Can I Use This?	What Do I Need?
NGFW (Managed by Strata Cloud Manager) NGFW (Managed by PAN-OS or Panorama)	For Strata Cloud Manager managed NGFWs: Strata Cloud Manager Pro

In this example, hosts in a Layer 3 deployment need gateway services from the HA firewalls. The firewalls are configured with a single shared IP address, which allows ARP Load-Sharing. The end hosts are configured with the same gateway, which is the shared IP address of the HA firewalls.

1. Configure Active/Active HA.

   Perform Step 1 through Step 15.
2. Configure an HA virtual address.

   The virtual address is the shared IP address that allows ARP Load-Sharing.

   1. Select DeviceHigh AvailabilityActive/Active ConfigVirtual Address and click Add.
   2. Enter or select an Interface.
   3. Select the IPv4 or IPv6 tab and click Add.
   4. Enter an IPv4 Address or IPv6 Address.
   5. For Type, select ARP Load Sharing, which allows both peers to use the virtual IP address for ARP Load-Sharing.
3. Configure ARP Load-Sharing.

   The device selection algorithm determines which HA firewall responds to the ARP requests to provide load sharing.

   1. For Device Selection Algorithm, select one of the following:

      • IP Modulo—The firewall that will respond to ARP requests is based on the parity of the ARP requester's IP address.
      • IP Hash—The firewall that will respond to ARP requests is based on a hash of the ARP requester's IP address.
   2. Click OK.
4. Enable jumbo frames on firewalls other than PA-7000 Series firewalls.
5. Define HA Failover Conditions
6. Commit the configuration.
7. Configure the peer firewall in the same way, except selecting a different Device ID.

   For example, if you selected Device ID 0 for the first firewall, select Device ID 1 for the peer firewall.