Use Case: Configure Active/Active HA for ARP Load-Sharing with Destination NAT in Layer 3

This Layer 3 interface example uses NAT in Active/Active HA Mode and ARP Load-Sharing. PA-3050-1 has Device ID 0 and its HA peer, PA-3050-2, has Device ID 1.
In this use case, both of the HA firewalls must respond to an ARP request for the destination NAT address. Traffic can arrive at either firewall from either WAN router in the untrust zone. Destination NAT translates the public-facing, shared IP address to the private IP address of the server. The configuration requires one destination NAT rule bound to both Device IDs so that both firewalls can respond to ARP requests.
  1. On PA-3050-2 (Device ID 1), perform Step 1 through Step 3 of Configure Active/Active HA.
  2. Enable active/active HA.
    1. Select Device > High Availability > General > Setup and edit.
    2. Select Enable HA.
    3. Enter a Group ID, which must be the same for both firewalls. The firewall uses the Group ID to calculate the virtual MAC address (range is 1-63).
    4. (Optional) Enter a Description.
    5. For Mode, select Active Active.
    6. Select Device ID to be 1.
    7. Select Enable Config Sync. This setting is required to synchronize the two firewall configurations (enabled by default).
    8. Enter the Peer HA1 IP Address, which is the IP address of the HA1 control link on the peer firewall.
    9. (Optional) Enter a Backup Peer HA1 IP Address, which is the IP address of the backup control link on the peer firewall.
    10. Click OK.
  3. Perform Step 6 through Step 15.
  4. Configure an HA virtual address.
    1. Select Device > High Availability > Active/Active Config > Virtual Address and click Add.
    2. Select Interface eth1/2.
    3. Select IPv4 and Add an IPv4 Address of 10.1.1.200.
    4. For Type, select ARP Load Sharing, which configures the virtual IP address for both peers to use for ARP Load-Sharing.
  5. Configure ARP Load-Sharing.
    The device selection algorithm determines which HA firewall responds to the ARP requests, which is what provides the load sharing.
    1. For Device Selection Algorithm, select one of the following:
      • IP Modulo—The firewall that responds to an ARP request is selected based on the parity of the ARP requester's IP address.
      • IP Hash—The firewall that responds to an ARP request is selected based on a hash of the ARP requester's source IP address and destination IP address.
    2. Click OK.
  6. Commit the configuration.
  7. Configure the peer firewall, PA-3050-1 (Device ID 0), with the same settings, except set the Device ID to 0 instead of 1.
  8. Still on PA-3050-1 (Device ID 0), create the destination NAT rule for both Device ID 0 and Device ID 1.
    1. Select Policies > NAT and click Add.
    2. Enter a Name for the rule; in this example the name identifies it as a destination NAT rule for Layer 3 ARP.
    3. For NAT Type, select ipv4 (default).
    4. On the Original Packet tab, for Source Zone, select Any.
    5. For Destination Zone, select the Untrust zone you created for the external network.
    6. Leave Destination Interface, Service, and Source Address set to Any.
    7. For Destination Address, specify 10.1.1.200.
    8. On the Translated Packet tab, leave Source Address Translation set to None.
    9. For Destination Address Translation, enter the private IP address of the destination server, in this example 192.168.1.200.
    10. On the Active/Active HA Binding tab, for Active/Active HA Binding, select both to bind the NAT rule to both Device ID 0 and Device ID 1.
    11. Click OK.
  9. Commit the configuration.
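The two device selection algorithms from step 5, modelled as an added Python example that is not PAN-OS code and not part of this page: the even/odd-to-Device-ID mapping and the hash function are assumptions standing in for the undocumented PAN-OS ones, and the requester addresses are constructed. It also shows the practical caveat that when the only ARP requesters are two WAN routers whose addresses share the same parity, IP Modulo sends every request to one peer.

```python
# Added illustrative model of the two ARP Load-Sharing device selection algorithms
# from step 5. Not PAN-OS code: the page does not give the exact parity rule or
# hash function, so both mappings below are assumptions chosen only to show how
# the algorithm decides which HA peer answers an ARP request for the virtual IP.
import hashlib
import ipaddress

DEVICE_IDS = (0, 1)           # PA-3050-1 = Device ID 0, PA-3050-2 = Device ID 1
VIRTUAL_IP = "10.1.1.200"     # ARP Load-Sharing virtual address from step 4


def select_ip_modulo(requester_ip: str) -> int:
    """IP Modulo: parity of the requester's IP picks the peer.
    Assumed mapping: even address -> Device ID 0, odd address -> Device ID 1."""
    return int(ipaddress.IPv4Address(requester_ip)) % 2


def select_ip_hash(requester_ip: str, target_ip: str = VIRTUAL_IP) -> int:
    """IP Hash: a hash of requester source IP and requested destination IP picks the peer.
    Assumed hash: SHA-256 of both packed addresses, reduced mod 2 (stand-in only)."""
    key = (ipaddress.IPv4Address(requester_ip).packed
           + ipaddress.IPv4Address(target_ip).packed)
    return hashlib.sha256(key).digest()[0] % 2


def responders(requesters, algorithm):
    """Map each ARP requester to the Device ID that answers for the virtual IP."""
    return {ip: algorithm(ip) for ip in requesters}


def exactly_one_responder(assignment) -> bool:
    """Both peers own the virtual IP, so the property to verify is that each request
    gets exactly one valid Device ID (no duplicate and no missing ARP reply)."""
    return all(dev in DEVICE_IDS for dev in assignment.values())


def load_split(assignment) -> dict:
    """Requesters served per peer; a skewed split means one firewall takes the load."""
    return {dev: sum(1 for d in assignment.values() if d == dev) for dev in DEVICE_IDS}


# Constructed sample addresses: the two WAN routers in the untrust zone (both odd, so
# IP Modulo sends every request to the same peer) plus two more untrust hosts.
WAN_ROUTERS = ["10.1.1.1", "10.1.1.3"]
UNTRUST_HOSTS = WAN_ROUTERS + ["10.1.1.10", "10.1.1.21"]

if __name__ == "__main__":
    for name, algo in (("IP Modulo", select_ip_modulo), ("IP Hash", select_ip_hash)):
        chosen = responders(UNTRUST_HOSTS, algo)
        assert exactly_one_responder(chosen)
        print(f"{name}: {chosen} -> load per Device ID {load_split(chosen)}")
```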