Use Case: Configure Active/Active HA with ARP Load-Sharing
Table of Contents
Expand All
|
Collapse All
Next-Generation Firewall Docs
-
-
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
-
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
-
-
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)
Use Case: Configure Active/Active HA with ARP Load-Sharing
In this example, hosts in a Layer 3 deployment
need gateway services from the HA firewalls. The firewalls are configured
with a single shared IP address, which allows ARP
Load-Sharing. The end hosts are configured with the same
gateway, which is the shared IP address of the HA firewalls.
- Perform Step 1 through Step 15 of Configure Active/Active HA.Configure an HA virtual address.The virtual address is the shared IP address that allows ARP Load-Sharing.
- Select DeviceHigh AvailabilityActive/Active ConfigVirtual Address and click Add.Enter or select an Interface.Select the IPv4 or IPv6 tab and click Add.Enter an IPv4 Address or IPv6 Address.For Type, select ARP Load Sharing, which allows both peers to use the virtual IP address for ARP Load-Sharing.Configure ARP Load-Sharing.The device selection algorithm determines which HA firewall responds to the ARP requests to provide load sharing.
- For Device Selection Algorithm, select one of the following:
- IP Modulo—The firewall that will respond to ARP requests is based on the parity of the ARP requester's IP address.
- IP Hash—The firewall that will respond to ARP requests is based on a hash of the ARP requester's IP address.
Click OK.Enable jumbo frames on firewalls other than PA-7000 Series firewalls.Define HA Failover ConditionsCommit the configuration.Configure the peer firewall in the same way, except selecting a different Device ID.For example, if you selected Device ID 0 for the first firewall, select Device ID 1 for the peer firewall.