Use Case: Configure Active/Active HA with Source DIPP NAT Using Floating IP Addresses
Focus
Focus

Use Case: Configure Active/Active HA with Source DIPP NAT Using Floating IP Addresses

Table of Contents

Use Case: Configure Active/Active HA with Source DIPP NAT Using Floating IP Addresses

This Layer 3 interface example uses source NAT in Active/Active HA Mode. The Layer 2 switches create broadcast domains to ensure users can reach everything north and south of the firewalls.
PA-3050-1 has Device ID 0 and its HA peer, PA-3050-2, has Device ID 1. In this use case, NAT translates the source IP address and port number to the floating IP address configured on the egress interface. Each host is configured with a default gateway address, which is the floating IP address on Ethernet1/1 of each firewall. The configuration requires two source NAT rules, one bound to each Device ID, although you configure both NAT rules on a single firewall and they are synchronized to the peer firewall.
  1. On PA-3050-2 (Device ID 1), perform Step 1 through Step 3 of Configure Active/Active HA.
  2. Enable active/active HA.
    1. In
      Device
      High Availability
      General
      , edit Setup.
    2. Select
      Enable HA
      .
    3. Enter a
      Group ID
      , which must be the same for both firewalls. The firewall uses the Group ID to calculate the virtual MAC address (range is 1-63).
    4. For
      Mode
      , select
      Active Active
      .
    5. Set the
      Device ID
      to
      1
      .
    6. Select
      Enable Config Sync
      . This setting is required to synchronize the two firewall configurations (enabled by default).
    7. Enter the
      Peer HA1 IP Address
      , which is the IP address of the HA1 control link on the peer firewall.
    8. (
      Optional
      ) Enter a
      Backup Peer HA1 IP Address
      , which is the IP address of the backup control link on the peer firewall.
    9. Click
      OK
      .
  3. Complete Step 6 through Step 14.
    1. In
      Device
      High Availability
      Active/Active Config
      , edit Packet Forwarding.
    2. For
      Session Owner Selection
      , select
      First Packet
      —The firewall that receives the first packet of a new session is the session owner.
    3. For
      Session Setup
      , select
      IP Modulo
      —Distributes session setup load based on parity of the source IP address.
    4. Click
      OK
      .
  4. Configure an HA virtual address.
    1. Select
      Device
      High Availability
      Active/Active Config
      Virtual Address
      and click
      Add
      .
    2. Select
      Interface
      eth1/1.
    3. Select
      IPv4
      and
      Add
      an
      IPv4 Address
      of 10.1.1.101.
    4. For
      Type
      , select
      Floating
      , which configures the virtual IP address to be a floating IP address.
  5. Configure the floating IP address.
    1. Do not select
      Floating IP bound to the Active-Primary device
      .
    2. Select
      Failover address if link state is down
      to cause the firewall to use the failover address when the link state on the interface is down.
    3. Click
      OK
      .
  6. Commit
    the configuration.
  7. Configure the peer firewall, PA-3050-1 with the same settings, except for the following changes:
    • Select
      Device ID 0
      .
    • Configure an HA virtual address of 10.1.1.100.
    • For
      Device 1 Priority
      , enter 255. For
      Device 0 Priority
      , enter 0.
    In this example, Device ID 0 has a lower priority value so a higher priority; therefore, the firewall with Device ID 0 (PA-3050-1) owns the floating IP address 10.1.1.100.
  8. Still on PA-3050-1, create the source NAT rule for Device ID 0.
    1. Select
      Policies
      NAT
      and click
      Add
      .
    2. Enter a
      Name
      for the rule that in this example identifies it as a source NAT rule for Device ID 0.
    3. For
      NAT Type
      , select
      ipv4
      (default).
    4. On the
      Original Packet
      , for
      Source Zone
      , select
      Any
      .
    5. For
      Destination Zone
      , select the zone you created for the external network.
    6. Allow
      Destination Interface
      ,
      Service
      ,
      Source Address
      , and
      Destination Address
      to remain set to
      Any
      .
    7. For the
      Translated Packet
      , select
      Dynamic IP And Port
      for
      Translation Type
      .
    8. For
      Address Type
      , select
      Interface Address
      , in which case the translated address will be the IP address of the interface. Select an
      Interface
      (eth1/1 in this example) and an
      IP Address
      of the floating IP address 10.1.1.100.
    9. On the
      Active/Active HA Binding
      tab, for
      Active/Active HA Binding
      , select
      0
      to bind the NAT rule to Device ID 0.
    10. Click
      OK
      .
  9. Create the source NAT rule for Device ID 1.
    1. Select
      Policies
      NAT
      and click
      Add
      .
    2. Enter a
      Name
      for the policy rule that in this example helps identify it as a source NAT rule for Device ID 1.
    3. For
      NAT Type
      , select
      ipv4
      (default).
    4. On the
      Original Packet
      , for
      Source Zone
      , select
      Any
      . For
      Destination Zone
      , select the zone you created for the external network.
    5. Allow
      Destination Interface
      ,
      Service
      ,
      Source Address
      , and
      Destination Address
      to remain set to
      Any
      .
    6. For the
      Translated Packet
      , select
      Dynamic IP And Port
      for
      Translation Type
      .
    7. For
      Address Type
      , select
      Interface Address
      , in which case the translated address will be the IP address of the interface. Select an
      Interface
      (eth1/1 in this example) and an
      IP Address
      of the floating IP address 10.1.1.101.
    8. On the
      Active/Active HA Binding
      tab, for the
      Active/Active HA Binding
      , select
      1
      to bind the NAT rule to Device ID 1.
    9. Click
      OK
      .
  10. Commit
    the configuration.

Recommended For You