Use Case: Configure Active/Active HA with Source DIPP NAT Using Floating IP Addresses

Where Can I Use This?	What Do I Need?
NGFW (Managed by Strata Cloud Manager) NGFW (Managed by PAN-OS or Panorama)	For Strata Cloud Manager managed NGFWs: Strata Cloud Manager Pro

This Layer 3 interface example uses source NAT in Active/Active HA. The Layer 2 switches create broadcast domains to ensure users can reach everything north and south of the firewalls.

PA-3050-1 has Device ID 0 and its HA peer, PA-3050-2, has Device ID 1. In this use case, NAT translates the source IP address and port number to the floating IP address configured on the egress interface. Each host is configured with a default gateway address, which is the floating IP address on Ethernet1/1 of each firewall. The configuration requires two source NAT rules, one bound to each Device ID, although you configure both NAT rules on a single firewall and they are synchronized to the peer firewall.

1. On PA-3050-2 (Device ID 1), perform Step 1 through Step 3 of Configure Active/Active HA.
2. Enable active/active HA.

   1. In DeviceHigh AvailabilityGeneral, edit Setup.
   2. Select Enable HA.
   3. Enter a Group ID, which must be the same for both firewalls. The firewall uses the Group ID to calculate the virtual MAC address (range is 1-63).
   4. For Mode, select Active Active.
   5. Set the Device ID to 1.
   6. Select Enable Config Sync. This setting is required to synchronize the two firewall configurations (enabled by default).
   7. Enter the Peer HA1 IP Address, which is the IP address of the HA1 control link on the peer firewall.
   8. (Optional) Enter a Backup Peer HA1 IP Address, which is the IP address of the backup control link on the peer firewall.
   9. Click OK.
3. Configure Active/Active HA.

   Complete Step 6 through Step 14.
4. Configure Session Owner and Session Setup.

   1. In DeviceHigh AvailabilityActive/Active Config, edit Packet Forwarding.
   2. For Session Owner Selection, select First Packet—The firewall that receives the first packet of a new session is the session owner.
   3. For Session Setup, select IP Modulo—Distributes session setup load based on parity of the source IP address.
   4. Click OK.
5. Configure an HA virtual address.

   1. Select DeviceHigh AvailabilityActive/Active ConfigVirtual Address and click Add.
   2. Select Interface eth1/1.
   3. Select IPv4 and Add an IPv4 Address of 10.1.1.101.
   4. For Type, select Floating, which configures the virtual IP address to be a floating IP address.
6. Configure the floating IP address.

   1. Do not select Floating IP bound to the Active-Primary device.
   2. Select Failover address if link state is down to cause the firewall to use the failover address when the link state on the interface is down.
   3. Click OK.
7. Enable jumbo frames on firewalls other than the PA-7000 Series.
8. Define HA Failover Conditions.
9. Commit the configuration.
10. Configure the peer firewall, PA-3050-1 with the same settings, except for the following changes:

    • Select Device ID 0.
    • Configure an HA virtual address of 10.1.1.100.
    • For Device 1 Priority, enter 255. For Device 0 Priority, enter 0.

    In this example, Device ID 0 has a lower priority value so a higher priority; therefore, the firewall with Device ID 0 (PA-3050-1) owns the floating IP address 10.1.1.100.
11. Still on PA-3050-1, create the source NAT rule for Device ID 0.

    1. Select PoliciesNAT and click Add.
    2. Enter a Name for the rule that in this example identifies it as a source NAT rule for Device ID 0.
    3. For NAT Type, select ipv4 (default).
    4. On the Original Packet, for Source Zone, select Any.
    5. For Destination Zone, select the zone you created for the external network.
    6. Allow Destination Interface, Service, Source Address, and Destination Address to remain set to Any.
    7. For the Translated Packet, select Dynamic IP And Port for Translation Type.
    8. For Address Type, select Interface Address, in which case the translated address will be the IP address of the interface. Select an Interface (eth1/1 in this example) and an IP Address of the floating IP address 10.1.1.100.
    9. On the Active/Active HA Binding tab, for Active/Active HA Binding, select 0 to bind the NAT rule to Device ID 0.
    10. Click OK.
12. Create the source NAT rule for Device ID 1.

    1. Select PoliciesNAT and click Add.
    2. Enter a Name for the policy rule that in this example helps identify it as a source NAT rule for Device ID 1.
    3. For NAT Type, select ipv4 (default).
    4. On the Original Packet, for Source Zone, select Any. For Destination Zone, select the zone you created for the external network.
    5. Allow Destination Interface, Service, Source Address, and Destination Address to remain set to Any.
    6. For the Translated Packet, select Dynamic IP And Port for Translation Type.
    7. For Address Type, select Interface Address, in which case the translated address will be the IP address of the interface. Select an Interface (eth1/1 in this example) and an IP Address of the floating IP address 10.1.1.101.
    8. On the Active/Active HA Binding tab, for the Active/Active HA Binding, select 1 to bind the NAT rule to Device ID 1.
    9. Click OK.
13. Commit the configuration.