>
    Use Case: Configure Separate Source NAT IP Address Pools for Active/Active HA Firewalls
    Focus
    Download PDF
    Focus
    1. Home
    2. PAN-OS
    3. High Availability
    4. Set Up Active/Active HA
    5. Determine Your Active/Active Use Case
    6. Use Case: Configure Separate Source NAT IP Address Pools for Active/Active HA Firewalls
    Download PDF

    Use Case: Configure Separate Source NAT IP Address Pools for Active/Active HA Firewalls

    Table of Contents

    Use Case: Configure Separate Source NAT IP Address Pools for Active/Active HA Firewalls

    If you want to use IP address pools for source NAT in Active/Active HA Mode, each firewall must have its own pool, which you then bind to a Device ID in a NAT rule.
    Address objects and NAT rules are synchronized (in both active/passive and active/active mode), so they need to be configured on only one of the firewalls in the HA pair.
    This example configures an address object named Dyn-IP-Pool-dev0 containing the IP address pool 10.1.1.140-10.1.1.150. It also configures an address object named Dyn-IP-Pool-dev1 containing the IP address pool 10.1.1.160-10.1.1.170. The first address object is bound to Device ID 0; the second address object is bound to Device ID 1.
    1. On one HA firewall, create address objects.
      1. Select ObjectsAddresses and Add an address object Name, in this example, Dyn-IP-Pool-dev0.
      2. For Type, select IP Range and enter the range 10.1.1.140-10.1.1.150.
      3. Click OK.
      4. Repeat this step to configure another address object named Dyn-IP-Pool-dev1 with the IP Range of 10.1.1.160-10.1.1.170.
    2. Create the source NAT rule for Device ID 0.
      1. Select PoliciesNAT and Add a NAT policy rule with a Name, for example, Src-NAT-dev0.
      2. For Original Packet, for Source Zone, select Any.
      3. For Destination Zone, select the destination zone for which you want to translate the source address, such as Untrust.
      4. For Translated Packet, for Translation Type, select Dynamic IP and Port.
      5. For Translated Address, Add the address object you created for the pool of addresses belonging to Device ID 0: Dyn-IP-Pool-dev0.
      6. For Active/Active HA Binding, select 0 to bind the NAT rule to Device ID 0.
      7. Click OK.
    3. Create the source NAT rule for Device ID 1.
      1. Select PoliciesNAT and Add a NAT policy rule with a Name, for example, Src-NAT-dev1.
      2. For Original Packet, for Source Zone, select Any.
      3. For Destination Zone, select the destination zone for which you want to translate the source address, such as Untrust.
      4. For Translated Packet, for Translation Type, select Dynamic IP and Port.
      5. For Translated Address, Add the address object you created for the pool of addresses belonging to Device ID 1: Dyn-IP-Pool-dev1.
      6. For Active/Active HA Binding, select 1 to bind the NAT rule to Device ID 1.
      7. Click OK.
    4. Commit the configuration.

    © 2025 Palo Alto Networks, Inc. All rights reserved.