NAT in Active/Active HA Mode
In an active/active HA configuration:
You must bind each Dynamic IP (DIP) NAT rule and Dynamic
IP and Port (DIPP) NAT rule to either Device ID 0 or Device ID 1.
You must bind each static NAT rule to either Device ID 0,
Device ID 1, both Device IDs, or the firewall in active-primary
state.
Thus, when one of the firewalls creates a new session, the Device ID binding
determines which NAT rules can match that session: a rule can match only
if its device binding includes the session owner firewall.
The session setup firewall performs the NAT policy match, but it evaluates
the rules against the session owner, which can be a different firewall from
the one setting up the session. That is, the session is translated according
to the NAT rules that are bound to the session owner firewall. While performing
NAT policy matching, the setup firewall skips every NAT rule that is not bound
to the session owner firewall.
For example, suppose the firewall with Device ID 1 is both the session
owner and the session setup firewall. When it tries to match a session
to a NAT rule, it skips all rules bound only to Device ID 0. The firewall
applies a NAT rule only if the rule's device binding includes the session
owner's Device ID; rules bound to both Device IDs, and static rules bound
to active-primary while Device ID 1 holds that state, therefore remain eligible.
You will typically create device-specific NAT rules when the peer firewalls
use different IP addresses for translation, for example when each firewall
needs its own translated address pool so that return traffic is routed back
to the firewall that owns the session.
If one of the peer firewalls fails, the active firewall continues
to process traffic for synchronized sessions from the failed firewall,
including NAT traffic. In a source NAT configuration, when one firewall
fails:
The floating IP address that is used as the Translated
IP address of the NAT rule transfers to the surviving firewall.
Hence, the existing sessions that fail over will still use this
IP address.
All new sessions use the NAT rules to which the surviving firewall is bound:
rules bound to its own Device ID, rules bound to both Device IDs, and, once
it holds the active-primary state, static rules bound to active-primary.
Rules bound only to the failed firewall's Device ID are not used for new
sessions, even though the floating IP address from such a rule now resides
on the surviving firewall for the sessions that failed over.
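The following Python model is an added illustration of the three behaviors described above (the binding restrictions on DIP/DIPP versus static rules, the skip-unless-bound-to-session-owner match, and the source NAT failover case). It is not PAN-OS code; the rule fields, rule names, addresses and the floating-IP bookkeeping are assumptions chosen for the example, and the constructed rulebase gives each peer its own DIPP pool while the static rules use the shared bindings.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# Rule types and device bindings as the page describes them. Field names,
# rule names and addresses below are assumptions made for this illustration.
STATIC, DIP, DIPP = "static", "dip", "dipp"
SINGLE_DEVICE = ("0", "1")
STATIC_ONLY = ("both", "primary")   # "primary" = the firewall in active-primary state


@dataclass(frozen=True)
class NatRule:
    name: str
    kind: str            # STATIC, DIP or DIPP
    binding: str         # "0", "1", "both" or "primary"
    source: str          # original source network matched, e.g. "10.1.0.0/16"
    translated_ip: str   # translated source address; modelled as a floating IP


def validate_bindings(rules: list[NatRule]) -> list[str]:
    """One error per rule whose device binding the page does not allow:
    DIP and DIPP rules must bind to exactly one Device ID; static rules
    may additionally bind to both Device IDs or to active-primary."""
    errors = []
    for r in rules:
        if r.binding not in SINGLE_DEVICE + STATIC_ONLY:
            errors.append(f"{r.name}: unknown binding {r.binding!r}")
        elif r.kind in (DIP, DIPP) and r.binding not in SINGLE_DEVICE:
            errors.append(f"{r.name}: {r.kind.upper()} rules must bind to Device ID 0 or 1")
    return errors


@dataclass
class HaPair:
    active_primary: int = 0
    alive: set[int] = field(default_factory=lambda: {0, 1})
    floating_owner: dict[str, int] = field(default_factory=dict)  # floating IP -> Device ID

    def bound_devices(self, rule: NatRule) -> set[int]:
        """Resolve a rule's binding to the Device IDs it currently applies to."""
        if rule.binding == "both":
            return {0, 1}
        if rule.binding == "primary":
            return {self.active_primary}
        return {int(rule.binding)}

    def seed_floating_ips(self, rules: list[NatRule]) -> None:
        # Modelling assumption: a translated IP bound to one device lives on that
        # device; 'both'/'primary' addresses sit on the active-primary firewall.
        for r in rules:
            devs = self.bound_devices(r)
            self.floating_owner[r.translated_ip] = (
                next(iter(devs)) if len(devs) == 1 else self.active_primary)


def match_nat(rules: list[NatRule], ha: HaPair, owner: int, src_ip: str) -> Optional[NatRule]:
    """First-match NAT lookup as the session setup firewall performs it: any rule
    whose binding does not include the session owner is skipped outright."""
    addr = ip_address(src_ip)
    for r in rules:
        if owner not in ha.bound_devices(r):
            continue                      # not bound to the session owner: skipped
        if addr in ip_network(r.source):
            return r
    return None


@dataclass
class Session:
    src_ip: str
    owner: int
    rule: str
    translated_ip: str


def new_session(rules: list[NatRule], ha: HaPair, owner: int, src_ip: str) -> Session:
    if owner not in ha.alive:
        raise ValueError(f"Device ID {owner} is down and cannot own sessions")
    r = match_nat(rules, ha, owner, src_ip)
    return Session(src_ip, owner, r.name if r else "<no-nat>", r.translated_ip if r else src_ip)


def fail_over(ha: HaPair, failed: int, sessions: list[Session]) -> list[Session]:
    """Peer failure: floating IPs and active-primary move to the survivor, and
    synchronized sessions keep their translated IP under the survivor's ownership."""
    survivor = 1 - failed
    ha.alive.discard(failed)
    if ha.active_primary == failed:
        ha.active_primary = survivor
    for ip, dev in ha.floating_owner.items():
        if dev == failed:
            ha.floating_owner[ip] = survivor
    return [Session(s.src_ip, survivor, s.rule, s.translated_ip) if s.owner == failed else s
            for s in sessions]


# Constructed rulebase: each peer has its own DIPP pool; static rules use the shared bindings.
RULES = [
    NatRule("dipp-dev0", DIPP, "0", "10.1.0.0/16", "203.0.113.10"),
    NatRule("dipp-dev1", DIPP, "1", "10.1.0.0/16", "203.0.113.11"),
    NatRule("static-both", STATIC, "both", "10.2.0.0/16", "203.0.113.50"),
    NatRule("static-primary", STATIC, "primary", "10.3.0.0/16", "203.0.113.60"),
]


def demo() -> dict:
    """Walk the scenario from the text: Device ID 1 owns a session, then fails."""
    assert validate_bindings(RULES) == []
    ha = HaPair(active_primary=1)
    ha.seed_floating_ips(RULES)
    out = {
        "owner1_dipp": new_session(RULES, ha, 1, "10.1.5.5").translated_ip,  # 203.0.113.11
        "owner0_dipp": new_session(RULES, ha, 0, "10.1.5.5").translated_ip,  # 203.0.113.10
        "owner0_primary_rule": new_session(RULES, ha, 0, "10.3.1.1").rule,   # <no-nat>: bound to 1
    }
    sessions = fail_over(ha, 1, [new_session(RULES, ha, 1, "10.1.5.5")])
    out["failed_over"] = (sessions[0].owner, sessions[0].translated_ip)        # (0, 203.0.113.11)
    out["floating_11_now_on"] = ha.floating_owner["203.0.113.11"]              # 0
    out["new_on_survivor"] = new_session(RULES, ha, 0, "10.1.7.7").translated_ip  # 203.0.113.10
    out["primary_after_failover"] = new_session(RULES, ha, 0, "10.3.1.1").rule    # static-primary
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the session owned by Device ID 1 translated to the Device ID 1 pool, the same source translated to the Device ID 0 pool when Device ID 0 owns it, and, after Device ID 1 fails, the failed-over session keeping 203.0.113.11 while new sessions on the survivor use only its own rules and the static rule bound to active-primary starts matching on Device ID 0.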
For examples of active/active HA with NAT, see: