Use Case: Configure Active/Active HA for ARP Load-Sharing with Destination NAT in Layer 3
This Layer 3 interface example uses NAT in Active/Active HA Mode and ARP Load-Sharing. PA-3050-1 has Device ID 0 and its HA peer, PA-3050-2, has Device ID 1.
In this use case, both of the HA firewalls must respond to an ARP request for the destination NAT address. Traffic can arrive at either firewall from either WAN router in the untrust zone. Destination NAT translates the public-facing, shared IP address to the private IP address of the server. The configuration requires one destination NAT rule bound to both Device IDs so that both firewalls can respond to ARP requests.
- On PA-3050-2 (Device ID 1), perform Step 1 through Step 3 of Configure Active/Active HA.
- Enable active/active HA.
  - Select Device > High Availability > General > Setup and edit.
  - Select Enable HA.
  - Enter a Group ID, which must be the same for both firewalls. The firewall uses the Group ID to calculate the virtual MAC address (range is 1-63).
  - (Optional) Enter a Description.
  - For Mode, select Active Active.
  - Select Device ID to be 1.
  - Select Enable Config Sync. This setting is required to synchronize the two firewall configurations (enabled by default).
  - Enter the Peer HA1 IP Address, which is the IP address of the HA1 control link on the peer firewall.
  - (Optional) Enter a Backup Peer HA1 IP Address, which is the IP address of the backup control link on the peer firewall.
  - Click OK.
- Configure Active/Active HA.
- Configure an HA virtual address.
  - Select Device > High Availability > Active/Active Config > Virtual Address and click Add.
  - Select Interface eth1/2.
  - Select IPv4 and Add an IPv4 Address of 10.1.1.200.
  - For Type, select ARP Load Sharing, which configures the virtual IP address for both peers to use for ARP Load-Sharing.
- Configure ARP Load-Sharing. The device selection algorithm determines which HA firewall responds to the ARP requests to provide load sharing.
  - For Device Selection Algorithm, select one of the following:
    - IP Modulo: The firewall that will respond to ARP requests is based on the parity of the ARP requester's IP address.
    - IP Hash: The firewall that will respond to ARP requests is based on a hash of the ARP requester's source IP address and destination IP address.
  - Click OK.
- Enable jumbo frames on firewalls other than PA-7000 Series firewalls.
- Define HA Failover Conditions.
- Commit the configuration.
- Configure the peer firewall, PA-3050-1 (Device ID 0), with the same settings, except set the Device ID to 0 instead of 1.
- Still on PA-3050-1 (Device ID 0), create the destination NAT rule for both Device ID 0 and Device ID 1.
  - Select Policies > NAT and click Add.
  - Enter a Name for the rule that in this example identifies it as a destination NAT rule for Layer 3 ARP.
  - For NAT Type, select ipv4 (default).
  - On the Original Packet, for Source Zone, select Any.
  - For Destination Zone, select the Untrust zone you created for the external network.
  - Allow Destination Interface, Service, and Source Address to remain set to Any.
  - For Destination Address, specify 10.1.1.200.
  - For the Translated Packet, Source Address Translation remains None.
  - For Destination Address Translation, enter the private IP address of the destination server, in this example 192.168.1.200.
  - On the Active/Active HA Binding tab, for Active/Active HA Binding, select both to bind the NAT rule to both Device ID 0 and Device ID 1.
  - Click OK.
- Commit the configuration.
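
The settings this procedure depends on can be checked together before the final commit. The following is an added example, not Palo Alto Networks code: the dict keys are hypothetical and are not PAN-OS configuration syntax, and the Group ID value and WAN router addresses are constructed. It also flags the case where IP Modulo cannot share load because every ARP requester has the same address parity.

```python
import ipaddress

# Constructed sample data. The dict keys are hypothetical (not PAN-OS syntax);
# the group ID and WAN router addresses are assumed, the rest is from the steps.
VIP = {"interface": "eth1/2", "ip": "10.1.1.200",
       "type": "arp-load-sharing", "algorithm": "ip-modulo"}
PEERS = [
    {"name": "PA-3050-1", "device_id": 0, "group_id": 5, "mode": "active-active",
     "config_sync": True, "virtual_address": dict(VIP)},
    {"name": "PA-3050-2", "device_id": 1, "group_id": 5, "mode": "active-active",
     "config_sync": True, "virtual_address": dict(VIP)},
]
NAT_RULE = {"destination": "10.1.1.200", "translated_destination": "192.168.1.200",
            "ha_binding": "both"}
WAN_ROUTERS = ["10.1.1.1", "10.1.1.2"]  # assumed ARP requester addresses


def audit_ha_pair(peers, nat_rule, arp_requesters):
    """Return findings; an empty list means the pair matches the procedure."""
    findings = []
    if sorted(p["device_id"] for p in peers) != [0, 1]:
        findings.append("device IDs must be 0 on one peer and 1 on the other")
    group_ids = {p["group_id"] for p in peers}
    if len(group_ids) != 1 or not all(1 <= g <= 63 for g in group_ids):
        findings.append("group ID must be identical on both peers and within 1-63")
    for p in peers:
        if p["mode"] != "active-active" or not p["config_sync"]:
            findings.append(f"{p['name']}: needs active-active mode with config sync")
        if p["virtual_address"]["type"] != "arp-load-sharing":
            findings.append(f"{p['name']}: virtual address type is not ARP load sharing")
    vips = {p["virtual_address"]["ip"] for p in peers}
    if vips != {nat_rule["destination"]}:
        findings.append("NAT destination must equal the one shared virtual address")
    if nat_rule["ha_binding"] != "both":
        findings.append("NAT rule must be bound to both device IDs")
    # IP Modulo picks the responder by requester parity, so requesters that all
    # share one parity are all answered by the same firewall.
    if all(p["virtual_address"]["algorithm"] == "ip-modulo" for p in peers):
        if len({int(ipaddress.ip_address(r)) % 2 for r in arp_requesters}) == 1:
            findings.append("IP Modulo: every ARP requester has the same parity")
    return findings


if __name__ == "__main__":
    print(audit_ha_pair(PEERS, NAT_RULE, WAN_ROUTERS))  # []
    broken = dict(NAT_RULE, ha_binding="0")
    for finding in audit_ha_pair(PEERS, broken, ["10.1.1.2", "10.1.1.4"]):
        print("FINDING:", finding)
```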