Floating IP Address and Virtual MAC Address
Focus
Focus

Floating IP Address and Virtual MAC Address

Table of Contents

Floating IP Address and Virtual MAC Address

In a Layer 3 active/active HA deployment, floating IP addresses and virtual MAC addresses provide persistent connections even during firewall failures. They move to the functioning firewall when failure occurs, maintaining services like VPNs and NAT.
In a Layer 3 deployment of HA active/active mode, you can assign floating IP addresses, which move from one HA firewall to the other if a link or firewall fails. The interface on the firewall that owns the floating IP address responds to ARP requests with a virtual MAC address.
Floating IP addresses are recommended when you need functionality such as Virtual Router Redundancy Protocol (VRRP). Floating IP addresses can also be used to implement VPNs and source NAT, allowing for persistent connections when a firewall offering those services fails.
As shown in the figure below, each HA firewall interface has its own IP address and floating IP address. The interface IP address remains local to the firewall, but the floating IP address moves between the firewalls upon firewall failure. You configure the end hosts to use a floating IP address as its default gateway, allowing you to load balance traffic to the two HA peers. You can also use external load balancers to load balance traffic.
If a link or firewall fails or a path monitoring event causes a failover, the floating IP address and virtual MAC address move over to the functional firewall. (In the figure below, each firewall has two floating IP addresses and virtual MAC addresses; they all move over if the firewall fails.) The functioning firewall sends a gratuitous ARP to update the MAC tables of the connected switches to inform them of the change in floating IP address and MAC address ownership to redirect traffic to itself.
After the failed firewall recovers, by default the floating IP address and virtual MAC address move back to firewall with the Device ID [0 or 1] to which the floating IP address is bound. More specifically, after the failed firewall recovers, it comes on line. The currently active firewall determines that the firewall is back online and checks whether the floating IP address it is handling belongs natively to itself or the other firewall. If the floating IP address was originally bound to the other Device ID, the firewall automatically gives it back. (For an alternative to this default behavior, see Use Case: Configure Active/Active HA with Floating IP Address Bound to Active-Primary Firewall.)
Each firewall in the HA pair creates a virtual MAC address for each of its interfaces that has a floating IP address or ARP Load-Sharing IP address.
The format of the virtual MAC address on PA-7000, PA-7000b, PA-5400, PA-5200, PA-3200 Series, and CN-Series firewalls is B4-0C-25-XX-YY-ZZ, where B4-0C-25 is the vendor ID (of Palo Alto Networks in this case), and the next 24 bits indicate the Device ID, Group ID and Interface ID as follows:
7 6 543 2 1 0 7 65 4 3 21 0 7 6 5 4 3 2 1 0
111Device-IDGroup-ID0000Interface-ID
The following graphic provides an example. Suppose the HA firewall has an Interface ID of 66. The number 66 in binary is 01000010. The Firewall Info row of the pink section shows the rightmost ten bit positions have a 1 in the 64 (binary) column and a 1 in the 2 (binary) column, totaling 66, and two leading zeroes. The green section contains fixed zeroes. Now suppose the firewall Group ID is 58. The number 58 in binary is 111010, as shown in the Firewall Info row of the purple section. Finally, suppose the Device ID is 1, as shown in the Firewall Info row of the blue section. The Firewall Info row of the yellow section contains fixed ones. When you look at the full string of bits, starting from the left, the orange octet totals 254 (decimal), the pale blue octet totals 128 (decimal), and the bright green octet totals 66 (decimal). Converting decimal to hex, we have FE-80-42. Therefore, the full virtual MAC address including the Palo Alto Networks vendor ID is B4-0C-25-FE-80-42.
The format of the virtual MAC address on the remaining firewall models is 00-1B-17-00-xx-yy, where 00-1B-17 is the vendor ID (of Palo Alto Networks in this case), 00 is fixed, xx indicates the Device ID and Group ID as shown in the following figure, and yy is the Interface ID:
765 4 3 2 1 07 6 5 4 3 2 1 0
Device-ID0Group-IDInterface-ID
When a new active firewall takes over, it sends gratuitous ARPs from each of its connected interfaces to inform the connected Layer 2 switches of the new location of the virtual MAC address. To configure floating IP addresses, see Use Case: Configure Active/Active HA with Floating IP Addresses.