The session setup firewall performs the Layer 2 through Layer 4 processing necessary to set up a new session. The session setup firewall also performs NAT using the NAT pool of the session owner. You determine the session setup firewall in an active/active configuration by selecting one of the following session setup load sharing options.
| Session Setup Option | Description |
|---|---|
| IP Modulo | The firewall distributes the session setup load based on parity of the source IP address. This is a deterministic method of sharing the session setup. |
| IP Hash | The firewall uses a hash of the source and destination IP addresses to distribute session setup responsibilities. |
| Primary Device | The active-primary firewall always sets up the session; only one firewall performs all session setup responsibilities. |
| First Packet | The firewall that receives the first packet of a session performs session setup. |
- If you want to load-share the session owner and session setup responsibilities, set session owner to First Packet and session setup to IP modulo. These are the recommended settings.
- If you want to do troubleshooting or capture logs or pcaps, or if you want an active/active HA pair to function like an active/passive HA pair, set both the session owner and session setup to Primary device so that the active-primary device performs all traffic processing. See Use Case: Configure Active/Active HA with Floating IP Address Bound to Active-Primary Firewall.
The firewall uses the HA3 link to send packets to its peer for session setup if necessary. The following figure and text describe the path of a packet that firewall FW1 receives for a new session. The red dotted lines indicate FW1 forwarding the packet to FW2 and FW2 forwarding the packet back to FW1 over the HA3 link.
- The end host sends a packet to FW1.
- FW1 examines the contents of the packet to match it to an existing session. If there is no session match, FW1 determines that it has received the first packet for a new session and therefore becomes the session owner (assuming Session Owner Selection is set to First Packet).
- FW1 uses the configured session setup load-sharing option to identify the session setup firewall. In this example, FW2 is configured to perform session setup.
- FW1 uses the HA3 link to send the first packet to FW2.
- FW2 sets up the session and returns the packet to FW1 for Layer 7 processing, if any.
- FW1 then forwards the packet out the egress interface to the destination.
The following figure and text describe the path of a packet that matches an existing session:
- The end host sends a packet to FW1.
- FW1 examines the contents of the packet to match it to an existing session. If the session matches an existing session, FW1 processes the packet and sends the packet out the egress interface to the destination.
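The two packet paths above, modelled as an added example (not PAN-OS code or documentation): device 0 stands for FW1 (active-primary) and 1 for FW2, even source-address parity is assumed to map to FW1, and CRC32 stands in for the firewall's unpublished IP Hash function.

```python
import ipaddress
import zlib
from dataclasses import dataclass, field

@dataclass
class Packet:
    src: str
    dst: str

@dataclass
class HAPair:
    """Active/active peers: device 0 is FW1 (active-primary), 1 is FW2 (assumed)."""
    owner_option: str = "first-packet"   # "first-packet" or "primary-device"
    setup_option: str = "ip-modulo"      # "ip-modulo", "ip-hash", "primary-device", "first-packet"
    sessions: dict = field(default_factory=dict)  # (src, dst) -> session owner

def choose_setup_fw(pair, pkt, receiver):
    """Pick the peer that does Layer 2-4 setup and NAT for a new session."""
    if pair.setup_option == "ip-modulo":
        # Deterministic: parity of the source IP. Assumption: even -> FW1 (0).
        return int(ipaddress.ip_address(pkt.src)) % 2
    if pair.setup_option == "ip-hash":
        # Hash of source and destination. CRC32 is a stand-in (assumption).
        return zlib.crc32(f"{pkt.src}>{pkt.dst}".encode()) % 2
    if pair.setup_option == "primary-device":
        return 0  # the active-primary firewall always sets up the session
    return receiver  # first-packet: the peer that received the packet

def process_packet(pair, pkt, receiver):
    """Return the list of (device, action) steps this packet takes."""
    path = [(receiver, "receive")]
    key = (pkt.src, pkt.dst)
    if key in pair.sessions:
        # Existing session: the receiving peer processes and forwards it itself.
        path += [(receiver, "match-existing"), (receiver, "egress")]
        return path
    # No match: first packet of a new session, so decide owner and setup peer.
    owner = receiver if pair.owner_option == "first-packet" else 0
    setup = choose_setup_fw(pair, pkt, receiver)
    if setup != receiver:
        path.append((receiver, "ha3-forward"))   # hand off over HA3
    path.append((setup, "setup+nat"))            # uses the owner's NAT pool
    if setup != receiver:
        path.append((setup, "ha3-return"))       # back to the owner over HA3
    path.append((receiver, "l7+egress"))
    pair.sessions[key] = owner
    return path
```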