Use Case: Configure Active/Active HA for ARP Load-Sharing
with Destination NAT
This Layer 3 interface example uses NAT in Active/Active HA Mode and ARP Load-Sharing with destination NAT.
Both HA firewalls respond to an ARP request for the destination
NAT address with the ingress interface MAC address. Destination
NAT translates the public, shared IP address (in this example, 10.1.1.200)
to the private IP address of the server (in this example, 192.168.2.200).
the HA firewalls receive traffic for the destination 10.1.1.200,
both firewalls could possibly respond to the ARP request, which
could cause network instability. To avoid the potential issue, configure
the firewall that is in active-primary state to respond to the ARP
request by binding the destination NAT rule to the active-primary
On PA-3050-2 (Device ID 1), perform Step 1 through Step 3
, which must
be the same for both firewalls. The firewall uses the Group ID to
calculate the virtual MAC address (range is 1-63).
) Enter a
Enable Config Sync
This setting is required to synchronize the two firewall configurations
(enabled by default).
Peer HA1 IP Address
which is the IP address of the HA1 control link on the peer firewall.
) Enter a
HA1 IP Address
, which is the IP address of the backup
control link on the peer firewall.