Configure Active/Active HA
End-of-Life (EoL)
The following procedure describes the basic workflow for configuring your firewalls in an active/active configuration. Before you begin, however, see Determine Your Active/Active Use Case for configuration examples more tailored to your specific network environment.
You can configure data ports as dedicated HA interfaces and as dedicated backup HA interfaces; this is required for firewalls without dedicated HA interfaces.
Data ports configured as HA1, HA2, or HA3 interfaces can be connected directly to the corresponding HA interface on the peer firewall or connected through a Layer 2 switch. For data ports configured as an HA3 interface, you must enable jumbo frames because HA3 messages exceed 1,500 bytes.
To configure active/active HA, first complete the following steps on one peer and then complete them on the second peer, ensuring that you set the Device ID to different values (0 or 1) on each peer.
- Connect the HA ports to set up a physical connection between the firewalls. For each use case, the firewalls could be any hardware model; choose the HA3 step that corresponds with your model.
  - For firewalls with dedicated HA ports, use an Ethernet cable to connect the dedicated HA1 ports and the HA2 ports on the peers. Use a crossover cable if the peers are directly connected to each other.
  - For firewalls without dedicated HA ports, select two data interfaces for the HA2 link and the backup HA1 link. Then, use an Ethernet cable to connect these in-band HA interfaces across both firewalls. Use the management port for the HA1 link and ensure that the management ports can connect to each other across your network.
  - For HA3:
    - On PA-7000 Series firewalls, connect the High Speed Chassis Interconnect (HSCI-A) port on the first chassis to the HSCI-A port on the second chassis, and the HSCI-B port on the first chassis to the HSCI-B port on the second chassis.
    - On PA-5200 Series firewalls (which have one HSCI port), connect the HSCI port on the first chassis to the HSCI port on the second chassis. You can also use data ports for HA3 on PA-5200 Series firewalls.
    - On PA-3200 Series firewalls (which have one HSCI port), connect the HSCI port on the first chassis to the HSCI port on the second chassis.
    - On any other hardware model, use dataplane interfaces for HA3.
- Enable ping on the management port. Enabling ping allows the management port to exchange heartbeat backup information.
  - In Device > Setup > Management, edit Management Interface Settings.
  - Select Ping as a service that is permitted on the interface.
- If the firewall does not have dedicated HA ports, set up the data ports to function as HA ports. For firewalls with dedicated HA ports, continue to the next step.
  - Select Network > Interfaces.
  - Confirm that the link is up on the ports that you want to use.
  - Select the interface and set Interface Type to HA.
  - Set the Link Speed and Link Duplex settings, as appropriate.
- Enable active/active HA and set the group ID.
  - In Device > High Availability > General, edit Setup.
  - Select Enable HA.
  - Enter a Group ID, which must be the same for both firewalls (range is 1-63). The firewall uses the Group ID to calculate the virtual MAC address.
  - (Optional) Enter a Description.
  - For Mode, select Active Active.
- Set the Device ID, enable synchronization, and identify the control link on the peer firewall.
  - In Device > High Availability > General, edit Setup.
  - Select the Device ID as follows:
    - When configuring the first peer, set the Device ID to 0.
    - When configuring the second peer, set the Device ID to 1.
  - Select Enable Config Sync. This setting is required to synchronize the two firewall configurations (enabled by default).
  - Enter the Peer HA1 IP Address, which is the IP address of the HA1 control link on the peer firewall.
  - (Optional) Enter a Backup Peer HA1 IP Address, which is the IP address of the backup control link on the peer firewall.
  - Click OK.
- Determine whether or not the firewall with the lower Device ID preempts the active-primary firewall upon recovery from a failure.
  - In Device > High Availability > General, edit Election Settings.
  - Select Preemptive to cause the firewall with the lower Device ID to automatically resume active-primary operation after either firewall recovers from a failure. Both firewalls must have Preemptive selected for preemption to occur. Leave Preemptive unselected if you want the active-primary role to remain with the current firewall until you manually make the recovered firewall the active-primary firewall.
- Enable heartbeat backup if your control link uses a dedicated HA port or an in-band port. You need not enable heartbeat backup if you are using the management port for the control link.
  - In Device > High Availability > General, edit Election Settings.
  - Select Heartbeat Backup. To allow the heartbeats to be transmitted between the firewalls, you must verify that the management ports of both peers can route to each other. Enabling heartbeat backup allows you to prevent a split-brain situation. Split brain occurs when the HA1 link goes down, causing the firewall to miss heartbeats, although the peer firewall is still functioning. In such a situation, each peer believes the other is down and attempts to take over services that the other peer is still running, thereby causing a split brain. Enabling heartbeat backup prevents split brain because redundant heartbeats and hello messages are transmitted over the management port.
- (Optional) Modify the HA Timers. By default, the HA timer profile is set to the Recommended profile, which is suited for most HA deployments.
  - In Device > High Availability > General, edit Election Settings.
  - Select Aggressive to trigger faster failover. Select Advanced to define custom values for triggering failover in your setup. To view the preset value for an individual timer included in a profile, select Advanced and click Load Recommended or Load Aggressive. The preset values for your hardware model will be displayed on screen.
- Set up the control link connection. This example uses an in-band port that is set to interface type HA. For firewalls that use the management port as the control link, the IP address information is automatically pre-populated.
  - In Device > High Availability > General, edit Control Link (HA1).
  - Select the Port that you have cabled for use as the HA1 link.
  - Set the IPv4/IPv6 Address and Netmask. If the HA1 interfaces are on separate subnets, enter the IP address of the Gateway. Do not add a gateway address if the firewalls are directly connected.
- (Optional) Enable encryption for the control link connection. This is typically used to secure the link if the two firewalls are not directly connected, that is, if the ports are connected to a switch or a router.
  - Export the HA key from one firewall and import it into the peer firewall.
    - Select Device > Certificate Management > Certificates.
    - Select Export HA key. Save the HA key to a network location that the peer can access.
    - On the peer firewall, select Device > Certificate Management > Certificates, and select Import HA key to browse to the location where you saved the key and import it into the peer.
  - In Device > High Availability > General, edit the Control Link (HA1).
  - Select Encryption Enabled. If you enable encryption, after you finish configuring the HA firewalls, you can Refresh HA1 SSH Keys and Configure Key Options.
- Set up the backup control link connection.
  - In Device > High Availability > General, edit Control Link (HA1 Backup).
  - Select the HA1 backup interface and set the IPv4/IPv6 Address and Netmask. PA-3200 Series firewalls don't support an IPv6 address for the HA1 backup control link; use an IPv4 address.
- Set up the data link connection (HA2) and the backup HA2 connection between the firewalls.
  - In Device > High Availability > General, edit Data Link (HA2).
  - Select the Port to use for the data link connection.
  - Select the Transport method. The default is ethernet, which works when the HA pair is connected directly or through a switch. If you need to route the data link traffic through the network, select IP or UDP as the transport mode.
  - If you use IP or UDP as the transport method, enter the IPv4/IPv6 Address and Netmask.
  - Verify that Enable Session Synchronization is selected.
  - Select HA2 Keep-alive to enable monitoring on the HA2 data link between the HA peers. If a failure occurs based on the threshold that is set (default is 10000 ms), the defined action will occur. When an HA2 Keep-alive failure occurs, the system either generates a critical system log message or causes a split dataplane, depending on your configuration. You can configure the HA2 Keep-alive option on both firewalls, or on just one firewall in the HA pair. If the option is enabled on only one firewall, only that firewall sends the Keep-alive messages; the other firewall is notified if a failure occurs. A split dataplane causes the dataplanes of both peers to operate independently while leaving the HA state as Active-Primary and Active-Secondary. If only one firewall is configured to split the dataplane, the split dataplane applies to the other device as well.
  - Edit the Data Link (HA2 Backup) section, select the interface, and add the IPv4/IPv6 Address and Netmask.
  - Click OK.
- Configure the HA3 link for packet forwarding.
  - In Device > High Availability > Active/Active Config, edit Packet Forwarding.
  - For HA3 Interface, select the interface you want to use to forward packets between active/active HA peers. It must be a dedicated interface capable of Layer 2 transport and set to Interface Type HA.
  - Select VR Sync to force synchronization of all virtual routers configured on the HA peers. Select this option when the virtual router is not configured for dynamic routing protocols. Both peers must be connected to the same next-hop router through a switched network and must use static routing only.
  - Select QoS Sync to synchronize the QoS profile selection on all physical interfaces. Select this option when both peers have similar link speeds and require the same QoS profiles on all physical interfaces. This setting affects the synchronization of QoS settings on the Network tab. QoS policy is synchronized regardless of this setting.
- (Optional) Modify the Tentative Hold time.
  - In Device > High Availability > Active/Active Config, edit Packet Forwarding.
  - For Tentative Hold Time (sec), enter the number of seconds that a firewall stays in Tentative state after it recovers from a failure (range is 10-600, default is 60).
- Configure Session Owner and Session Setup.
  - In Device > High Availability > Active/Active Config, edit Packet Forwarding.
  - For Session Owner Selection, select one of the following:
    - First Packet—The firewall that receives the first packet of a new session is the session owner (recommended setting). This setting minimizes traffic across HA3 and load shares traffic across peers.
    - Primary Device—The firewall that is in active-primary state is the session owner.
  - For Session Setup, select one of the following:
    - IP Modulo—The firewall performs an XOR operation on the source and destination IP addresses from the packet and, based on the result, chooses which HA peer will set up the session.
    - Primary Device—The active-primary firewall sets up all sessions.
    - First Packet—The firewall that receives the first packet of a new session performs session setup (recommended setting). Start with First Packet for Session Owner and Session Setup, and then, based on load distribution, you can change to one of the other options.
    - IP Hash—The firewall uses a hash of either the source IP address or a combination of the source and destination IP addresses to distribute session setup responsibilities.
  - Click OK.
- Configure an HA virtual address. You need a virtual address to use a Floating IP Address and Virtual MAC Address or ARP Load-Sharing.
  - In Device > High Availability > Active/Active Config, Add a Virtual Address.
  - Enter or select an Interface.
  - Select the IPv4 or IPv6 tab and click Add.
  - Enter an IPv4 Address or IPv6 Address.
  - For Type:
    - Select Floating to configure the virtual IP address to be a floating IP address.
    - Select ARP Load Sharing to configure the virtual IP address to be a shared IP address and skip to Configure ARP Load-Sharing.
- Configure the floating IP address.
  - Do not select Floating IP bound to the Active-Primary device unless you want the active/active HA pair to behave like an active/passive HA pair.
  - For Device 0 Priority and Device 1 Priority, enter a priority for the firewall configured with Device ID 0 and Device ID 1, respectively (range is 0-255). The relative priorities determine which peer owns the floating IP address you just configured: the firewall with the lowest priority value (highest priority) owns the floating IP address.
  - Select Failover address if link state is down to cause the firewall to use the failover address when the link state on the interface is down.
  - Click OK.
- Configure ARP Load-Sharing. The device selection algorithm determines which HA firewall responds to ARP requests to provide load sharing.
  - For Device Selection Algorithm, select one of the following:
    - IP Modulo—The firewall that responds to ARP requests is chosen based on the parity of the ARP requester's IP address.
    - IP Hash—The firewall that responds to ARP requests is chosen based on a hash of the ARP requester's IP address.
  - Click OK.
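The IP Modulo and IP Hash selections described above for Session Setup and for the ARP Load-Sharing Device Selection Algorithm, as an added example that is not Palo Alto Networks code. The procedure says only that IP Modulo XORs the source and destination addresses (or uses the parity of the ARP requester's address) and picks a peer from the result; mapping the low bit of that result to Device ID 0 or 1 is an assumption made here, and the SHA-256-based IP Hash is an illustrative stand-in, not the hash PAN-OS actually uses. The `distribution` helper shows how evenly a constructed set of flows would be spread over the two peers, which is the load-distribution check the procedure suggests before moving away from First Packet.

```python
"""Peer selection under IP Modulo and IP Hash for Session Setup and ARP Load-Sharing.

Added example, not Palo Alto Networks code. The bit-to-Device-ID mapping and the
SHA-256 hash are assumptions made for illustration."""
import hashlib
import ipaddress


def _addr_int(addr):
    # Works for IPv4 and IPv6 address strings
    return int(ipaddress.ip_address(addr))


def session_setup_ip_modulo(src, dst):
    """IP Modulo: XOR source and destination addresses; the result's parity picks the peer."""
    return (_addr_int(src) ^ _addr_int(dst)) & 1


def arp_responder_ip_modulo(requester):
    """ARP Load-Sharing IP Modulo: the parity of the ARP requester's address picks the responder."""
    return _addr_int(requester) & 1


def _hash_bit(*addrs):
    # Hash the packed addresses. Sorting makes both directions of a flow land on the same
    # peer; that is a design choice of this example, not something the procedure specifies.
    data = b"".join(ipaddress.ip_address(a).packed for a in sorted(addrs, key=_addr_int))
    return hashlib.sha256(data).digest()[-1] & 1


def session_setup_ip_hash(src, dst=None):
    """IP Hash: hash of the source address alone, or of source and destination together."""
    return _hash_bit(src) if dst is None else _hash_bit(src, dst)


def arp_responder_ip_hash(requester):
    """ARP Load-Sharing IP Hash: a hash of the requester's address picks the responder."""
    return _hash_bit(requester)


def distribution(flows, selector):
    """Count how many (src, dst) flows each Device ID would set up under a selector."""
    counts = {0: 0, 1: 0}
    for src, dst in flows:
        counts[selector(src, dst)] += 1
    return counts


# Constructed sample flows: eight clients talking to one server
SAMPLE_FLOWS = [(f"10.0.0.{i}", "192.168.1.10") for i in range(1, 9)]

if __name__ == "__main__":
    print("IP Modulo:", distribution(SAMPLE_FLOWS, session_setup_ip_modulo))
    print("IP Hash  :", distribution(SAMPLE_FLOWS, session_setup_ip_hash))
    print("ARP responder for 10.0.0.5 (IP Modulo): device", arp_responder_ip_modulo("10.0.0.5"))
```

With IP Modulo the sample flows split exactly four and four because the server address is fixed and the client addresses alternate parity; with IP Hash the split depends on the hash, which is why the procedure recommends starting with First Packet and switching only after observing real load distribution.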
- Define HA Failover Conditions.
- Commit the configuration.
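Before committing, it helps to check the two peers' settings against the constraints this procedure states: distinct Device IDs of 0 and 1, an identical Group ID in the range 1-63, Enable Config Sync, each Peer HA1 IP Address matching the other firewall's HA1 address, a Gateway only when the HA1 interfaces are on separate subnets, Preemptive on both peers or neither, Ping permitted on the management interface when Heartbeat Backup is used, jumbo frames for an HA3 data port, a Tentative Hold Time of 10-600 seconds, an address when HA2 transport is IP or UDP, and floating IP ownership going to the lowest priority value. The following is an added example, not Palo Alto Networks code: the dictionary keys are an assumed layout for illustration, not the PAN-OS configuration schema or XML API, and the sample settings are constructed.

```python
"""Consistency checks for an active/active HA pair, following the constraints stated
in this procedure. Added example, not Palo Alto Networks code: the dict keys are an
assumed, illustrative layout, not the PAN-OS configuration schema or XML API."""
import ipaddress


def _same_subnet(a, b):
    # a and b are "address/prefix" strings as entered for IPv4/IPv6 Address and Netmask
    return ipaddress.ip_interface(a).network == ipaddress.ip_interface(b).network


def validate_pair(peer_a, peer_b):
    """Return a list of findings; an empty list means the pair matches this procedure."""
    findings = []
    peers = (peer_a, peer_b)
    # One peer must be Device ID 0 and the other Device ID 1
    if sorted(p["device_id"] for p in peers) != [0, 1]:
        findings.append("Device IDs must be 0 on one peer and 1 on the other")
    # Group ID identical on both peers and within 1-63
    gids = {p["group_id"] for p in peers}
    if len(gids) != 1:
        findings.append("Group ID must be the same on both peers")
    if any(not 1 <= g <= 63 for g in gids):
        findings.append("Group ID must be in the range 1-63")
    for p, other in ((peer_a, peer_b), (peer_b, peer_a)):
        name = f"device {p['device_id']}"
        if p["mode"] != "active-active":
            findings.append(f"{name}: Mode must be Active Active")
        if not p["config_sync"]:
            findings.append(f"{name}: Enable Config Sync is required")
        # Peer HA1 IP Address must be the HA1 address configured on the other firewall
        if p["peer_ha1_ip"] != other["ha1_ip"].split("/")[0]:
            findings.append(f"{name}: Peer HA1 IP Address does not match the peer's HA1 address")
        # Gateway only when the HA1 interfaces are on separate subnets
        if _same_subnet(p["ha1_ip"], other["ha1_ip"]):
            if p.get("ha1_gateway"):
                findings.append(f"{name}: remove the HA1 Gateway; the HA1 interfaces share a subnet")
        elif not p.get("ha1_gateway"):
            findings.append(f"{name}: HA1 Gateway required; the HA1 interfaces are on separate subnets")
        # PA-3200 Series: the HA1 backup link must use IPv4
        if p.get("model", "").startswith("PA-3200") and ":" in (p.get("ha1_backup_ip") or ""):
            findings.append(f"{name}: PA-3200 Series HA1 backup link does not support IPv6")
        # Heartbeat backup runs over the management port, which must permit Ping
        if p["heartbeat_backup"] and not p["mgmt_ping"]:
            findings.append(f"{name}: Heartbeat Backup needs Ping permitted on the management interface")
        # HA3 on a data port needs jumbo frames because HA3 messages exceed 1,500 bytes
        if p["ha3_is_data_port"] and not p["jumbo_frames"]:
            findings.append(f"{name}: enable jumbo frames for the HA3 data port")
        if not 10 <= p["tentative_hold_sec"] <= 600:
            findings.append(f"{name}: Tentative Hold Time must be 10-600 seconds")
        if p["ha2_transport"] in ("ip", "udp") and not p.get("ha2_ip"):
            findings.append(f"{name}: HA2 transport {p['ha2_transport']} needs an IPv4/IPv6 address")
    # Preemption only takes effect when both peers have Preemptive selected
    if peer_a["preemptive"] != peer_b["preemptive"]:
        findings.append("Preemptive is selected on only one peer, so preemption will not occur")
    return findings


def floating_ip_owner(device0_priority, device1_priority):
    """Device ID that owns a floating IP: the lowest priority value wins (range 0-255).
    Equal priorities are rejected because this procedure defines no tie-break."""
    for pr in (device0_priority, device1_priority):
        if not 0 <= pr <= 255:
            raise ValueError("priority must be in the range 0-255")
    if device0_priority == device1_priority:
        raise ValueError("equal priorities: tie-break is not defined in this procedure")
    return 0 if device0_priority < device1_priority else 1


# Constructed sample settings for illustration (not from any real deployment)
PEER_0 = {
    "device_id": 0, "group_id": 7, "mode": "active-active", "config_sync": True,
    "ha1_ip": "10.10.1.1/24", "peer_ha1_ip": "10.10.1.2", "ha1_gateway": None,
    "heartbeat_backup": True, "mgmt_ping": True,
    "ha3_is_data_port": True, "jumbo_frames": True,
    "tentative_hold_sec": 60, "ha2_transport": "ethernet", "preemptive": True,
}
PEER_1 = dict(PEER_0, device_id=1, ha1_ip="10.10.1.2/24", peer_ha1_ip="10.10.1.1")
# A misconfigured second peer: wrong Peer HA1 address, Ping blocked, Preemptive on one side only
BAD_PEER_1 = dict(PEER_1, peer_ha1_ip="10.10.1.9", mgmt_ping=False, preemptive=False)

if __name__ == "__main__":
    print("good pair:", validate_pair(PEER_0, PEER_1))
    for finding in validate_pair(PEER_0, BAD_PEER_1):
        print("finding:", finding)
    print("floating IP owner (priorities 100 vs 200): device", floating_ip_owner(100, 200))
```

Run it against the two peers' intended settings before the commit on each firewall; every finding it prints corresponds to a step above where the value must be corrected.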