Use Case: Configure Active/Active HA for ARP Load-Sharing with Destination NAT
This Layer 3 interface example uses NAT in Active/Active HA mode with ARP Load-Sharing and destination NAT. Both HA firewalls can respond to an ARP request for the destination NAT address, each with its own ingress interface MAC address. Destination NAT translates the public, shared IP address (in this example, 10.1.1.200) to the private IP address of the server (in this example, 192.168.1.200, the address entered in the NAT rule below).
When the HA firewalls receive an ARP request for 10.1.1.200, both could answer it, each with a different MAC address, which can cause network instability. To avoid this, bind the destination NAT rule to the active-primary firewall so that only the firewall in active-primary state responds to ARP requests for that address.
- Enable active/active HA.
- Select Device > High Availability > General and edit the Setup section.
- Select Enable HA.
- Enter a Group ID (range is 1-63), which must be the same on both firewalls. The firewall uses the Group ID to calculate the virtual MAC address.
- (Optional) Enter a Description.
- For Mode, select Active Active.
- For Device ID, select 1.
- Select Enable Config Sync. This setting is required to synchronize the two firewall configurations (enabled by default).
- Enter the Peer HA1 IP Address, which is the IP address of the HA1 control link on the peer firewall.
- (Optional) Enter a Backup Peer HA1 IP Address, which is the IP address of the backup control link on the peer firewall.
- Configure an HA virtual address.
- Select Device > High Availability > Active/Active Config, and under Virtual Address click Add.
- Select IPv4 and Add an IPv4 Address of 10.1.1.200.
- For Type, select ARP Load Sharing, which makes this virtual IP address one that both peers use for ARP Load-Sharing.
- Configure ARP Load-Sharing. The device selection algorithm determines which HA firewall responds to a given ARP request, which is what provides the load sharing.
- For Device Selection Algorithm, select IP Modulo. The firewall that responds to an ARP request is chosen by the parity (odd or even) of the ARP requester's IP address.
- Commit the configuration.
- Configure the peer firewall, PA-3050-1 (Device ID 0), with the same settings, except select Device ID 0 when enabling active/active HA.
- Still on PA-3050-1 (Device ID 0), create the destination NAT rule so that only the active-primary firewall responds to ARP requests for the shared address.
- Select Policies > NAT and click Add.
- Enter a Name for the rule; in this example the name identifies it as a destination NAT rule for Layer 2 ARP.
- For NAT Type, select ipv4 (default).
- On the Original Packet tab, for Source Zone, select Any.
- For Destination Zone, select the Untrust zone you created for the external network.
- Leave Destination Interface, Service, and Source Address set to Any.
- For Destination Address, specify 10.1.1.200.
- On the Translated Packet tab, leave Source Address Translation set to None.
- For Destination Address Translation, enter the private IP address of the destination server, in this example 192.168.1.200.
- On the Active/Active HA Binding tab, for Active/Active HA Binding, select primary to bind the NAT rule to the firewall in active-primary state.
- Commit the configuration. After the commit, verify from a host on the external network that an ARP request for 10.1.1.200 is answered by a single MAC address.
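The following is an added example, not part of the original page or Palo Alto Networks' own tooling: a pre-commit check that reads the exported configuration of both HA peers and confirms the properties the procedure above depends on (HA enabled, same Group ID in the 1-63 range, Device IDs 0 and 1, identical ARP Load-Sharing virtual addresses, and a destination NAT rule for each shared address bound to primary). The XML element names are assumptions shaped after the PAN-OS running configuration and must be adapted to a real export; the sample configurations are constructed inline. The `device_for_arp` helper models IP Modulo selection as "integer value of the requester address modulo 2", which is an assumption, since the page only states that parity decides the responder.

```python
"""Sanity check for an active/active HA pair that uses ARP Load-Sharing
with a destination NAT virtual address. Added example; XML layout assumed."""
import ipaddress
import xml.etree.ElementTree as ET


def _ha_peer_config(device_id: int, binding: str) -> str:
    # Constructed sample shaped after PAN-OS config XML. Element names such as
    # active-active-device-binding are assumptions; adjust the XPaths for a
    # real export.
    return f"""<config>
  <deviceconfig><high-availability>
    <enabled>yes</enabled>
    <group>
      <group-id>1</group-id>
      <mode><active-active>
        <device-id>{device_id}</device-id>
        <virtual-address><ip>
          <entry name="10.1.1.200">
            <arp-load-sharing><device-selection>ip-modulo</device-selection></arp-load-sharing>
          </entry>
        </ip></virtual-address>
      </active-active></mode>
    </group>
  </high-availability></deviceconfig>
  <rulebase><nat><rules>
    <entry name="dnat-arp-10.1.1.200">
      <destination><member>10.1.1.200</member></destination>
      <destination-translation><translated-address>192.168.1.200</translated-address></destination-translation>
      <active-active-device-binding>{binding}</active-active-device-binding>
    </entry>
  </rules></nat></rulebase>
</config>"""


PA_3050_1 = _ha_peer_config(0, "primary")          # Device ID 0, rule bound to primary
PA_3050_2 = _ha_peer_config(1, "primary")          # Device ID 1, config-synced rule
PA_3050_2_UNBOUND = _ha_peer_config(1, "both")     # misconfigured: both peers may answer ARP


def ha_settings(xml_text: str) -> dict:
    """Extract the HA settings this use case relies on from one peer's config."""
    root = ET.fromstring(xml_text)
    ha = root.find("deviceconfig/high-availability")
    aa = ha.find("group/mode/active-active")
    vips = {}
    for entry in aa.findall("virtual-address/ip/entry"):
        kind = "arp-load-sharing" if entry.find("arp-load-sharing") is not None else "floating"
        vips[entry.get("name")] = kind
    return {
        "enabled": ha.findtext("enabled") == "yes",
        "group_id": int(ha.findtext("group/group-id")),
        "device_id": int(aa.findtext("device-id")),
        "vips": vips,
    }


def nat_bindings(xml_text: str) -> dict:
    """Map each NAT rule's destination address to its Active/Active HA Binding."""
    root = ET.fromstring(xml_text)
    bindings = {}
    for rule in root.findall("rulebase/nat/rules/entry"):
        for member in rule.findall("destination/member"):
            bindings[member.text] = rule.findtext("active-active-device-binding")
    return bindings


def check_pair(xml_a: str, xml_b: str) -> list:
    """Return a list of findings; an empty list means the pair matches the use case."""
    a, b = ha_settings(xml_a), ha_settings(xml_b)
    findings = []
    if not (a["enabled"] and b["enabled"]):
        findings.append("HA is not enabled on both peers")
    if a["group_id"] != b["group_id"]:
        findings.append(f"group IDs differ: {a['group_id']} vs {b['group_id']}")
    if not 1 <= a["group_id"] <= 63:
        findings.append(f"group ID {a['group_id']} is outside the 1-63 range")
    if {a["device_id"], b["device_id"]} != {0, 1}:
        findings.append(f"device IDs must be 0 and 1, got {a['device_id']} and {b['device_id']}")
    if a["vips"] != b["vips"]:
        findings.append("virtual address sets differ between peers")
    for label, xml_text, settings in (("A", xml_a, a), ("B", xml_b, b)):
        bindings = nat_bindings(xml_text)
        for vip, kind in settings["vips"].items():
            if kind != "arp-load-sharing":
                continue
            binding = bindings.get(vip)
            if binding is None:
                findings.append(f"peer {label}: no destination NAT rule for shared address {vip}")
            elif binding != "primary":
                findings.append(
                    f"peer {label}: NAT rule for {vip} bound to '{binding}', not 'primary'; "
                    "both firewalls may answer ARP for it")
    return findings


def device_for_arp(requester_ip: str) -> int:
    """IP Modulo device selection, modelled as an assumption: parity of the
    requester's address as an integer picks Device ID 0 (even) or 1 (odd)."""
    return int(ipaddress.ip_address(requester_ip)) % 2


if __name__ == "__main__":
    print("good pair:", check_pair(PA_3050_1, PA_3050_2))
    print("bad pair: ", check_pair(PA_3050_1, PA_3050_2_UNBOUND))
    for host in ("10.1.1.10", "10.1.1.11"):
        print(host, "-> Device ID", device_for_arp(host))
```

Run it against exports of both peers before committing; any finding about the NAT rule binding means the ARP Load-Sharing virtual address is not pinned to the active-primary firewall and the instability the page warns about is possible.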