In a Layer 3 interface deployment and active/active
HA configuration, ARP load-sharing allows the firewalls to share
an IP address and provide gateway services. Use ARP load-sharing
only when no Layer 3 device exists between the firewall and end
hosts, that is, when end hosts use the firewall as their default
gateway.
In such a scenario, all hosts are configured with a single gateway
IP address. One of the firewalls responds to ARP requests for the
gateway IP address with its virtual MAC address. Each firewall has
a unique virtual MAC address generated for the shared IP address.
The load-sharing algorithm that controls which firewall will respond
to the ARP request is configurable; it is determined by computing
the hash or modulo of the source IP address of the ARP request.
After the end host receives the ARP response from the gateway,
it caches the MAC address and all traffic from the host is routed
via the firewall that responded with the virtual MAC address for
the lifetime of the ARP cache. The lifetime of the ARP cache depends
on the end host operating system.
If a link or firewall fails, the floating IP address and virtual
MAC address move over to the functional firewall. The functional
firewall sends gratuitous ARPs to update the MAC table of the connected
switches to redirect traffic from the failed firewall to itself.
See Use
Case: Configure Active/Active HA with ARP Load-Sharing.
You can configure interfaces on the WAN side of the HA firewalls
with floating IP addresses, and configure interfaces on the LAN
side of the HA firewalls with a shared IP address for ARP load-sharing.
For example, the figure below illustrates floating IP addresses
for the upstream WAN edge routers and an ARP load-sharing address
for the hosts on the LAN segment.
As illustrated in the floating IP address scenario, the firewall
supports a shared IP address for ARP load-sharing only on the LAN side of the firewall;
the shared IP address cannot be on the WAN side.