this use case, both of the HA firewalls must respond to an ARP request
for the destination NAT address. Traffic can arrive at either firewall
from either WAN router in the untrust zone. Destination NAT translates
the public-facing, shared IP address to the private IP address of
the server. The configuration requires one destination NAT rule
bound to both Device IDs so that both firewalls can respond to ARP
On PA-3050-2 (Device ID 1), perform Step 1 through Step 3.
Enable active/active HA.
, which must
be the same for both firewalls. The firewall uses the Group ID to
calculate the virtual MAC address (range is 1-63).
) Enter a
Enable Config Sync
This setting is required to synchronize the two firewall configurations
(enabled by default).
Peer HA1 IP Address
which is the IP address of the HA1 control link on the peer firewall.
) Enter a
HA1 IP Address
, which is the IP address of the backup
control link on the peer firewall.