In a Layer 3 deployment of HA active/active mode, you
can assign floating IP addresses, which move from one HA firewall
to the other if a link or firewall fails. The interface on the firewall
that owns the floating IP address responds to ARP requests with
a virtual MAC address.
Floating IP addresses are recommended when you need functionality
such as Virtual Router Redundancy Protocol (VRRP). Floating IP addresses
can also be used to implement VPNs and source NAT, allowing for
persistent connections when a firewall offering those services fails.
As shown in the figure below, each HA firewall interface has
its own IP address and floating IP address. The interface IP address
remains local to the firewall, but the floating IP address moves
between the firewalls upon firewall failure. You configure the end
hosts to use a floating IP address as their default gateway, which lets you
load balance traffic across the two HA peers. You can also use external
load balancers to load balance traffic.
If a link or firewall fails or a path monitoring event causes
a failover, the floating IP address and virtual MAC address move
over to the functional firewall. (In the figure below, each firewall
has two floating IP addresses and virtual MAC addresses; they all
move over if the firewall fails.) The functioning firewall sends
a gratuitous ARP to update the MAC tables of the connected switches
to inform them of the change in floating IP address and MAC address
ownership to redirect traffic to itself.
After the failed firewall recovers, by default the floating IP
address and virtual MAC address move back to the firewall with the Device
ID [0 or 1] to which the floating IP address is bound. More specifically,
after the failed firewall recovers, it comes online. The currently
active firewall determines that the firewall is back online and checks
whether the floating IP address it is handling belongs natively
to itself or the other firewall. If the floating IP address was
originally bound to the other Device ID, the firewall automatically
gives it back. (For an alternative to this default behavior, see Use
Case: Configure Active/Active HA with Floating IP Address Bound
to Active-Primary Firewall.)
Each firewall in the HA pair creates a virtual MAC address for
each of its interfaces that has a floating IP address or ARP
Load-Sharing IP address.
The format of the virtual MAC address (on firewalls other than
PA-7000, PA-5200, and PA-3200 Series firewalls) is 00-1B-17-00-xx-yy,
where 00-1B-17 is the vendor ID (of Palo Alto Networks in this case),
00 is fixed, xx indicates the Device ID and Group ID as shown in
the following figure, and yy is the Interface ID:
[Figure: bit layout of the xx and yy bytes, bits numbered 7 down to 0 in each byte]
xx byte: bit 7 = Device-ID, bit 6 = 0 (fixed), bits 5-0 = Group-ID
yy byte: bits 7-0 = Interface-ID
The format of the virtual MAC address on PA-7000, PA-5200, and
PA-3200 Series firewalls is B4-0C-25-xx-xx-xx, where B4-0C-25 is
the vendor ID (of Palo Alto Networks in this case), and the next
24 bits indicate the Device ID, Group ID and Interface ID as follows:
[Figure: bit layout of the three xx bytes, bits numbered 7 down to 0 in each byte]
Byte 4: bits 7-5 = 111 (fixed), bit 4 = Device-ID, bits 3-0 = upper four bits of Group-ID
Byte 5: bits 7-6 = lower two bits of Group-ID, bits 5-2 = 0000 (fixed), bits 1-0 = upper two bits of Interface-ID
Byte 6: bits 7-0 = lower eight bits of Interface-ID
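The following encoder/decoder for both virtual MAC layouts is an added example, not Palo Alto Networks code; it assumes only the bit layouts described above and is the kind of helper an operator can run over switch MAC-table or ARP-log entries to tell which HA device, group and interface a virtual MAC belongs to.

```python
import re

# Vendor prefixes quoted on the page for the two virtual MAC layouts.
OUI_LEGACY = (0x00, 0x1B, 0x17)   # 00-1B-17-00-xx-yy
OUI_NEWER = (0xB4, 0x0C, 0x25)    # B4-0C-25-xx-xx-xx (PA-7000/5200/3200)


def _octets(mac):
    """Accept 'aa-bb-cc-dd-ee-ff' or 'aa:bb:cc:dd:ee:ff' (any case)."""
    parts = re.split(r"[-:]", mac.strip())
    if len(parts) != 6:
        raise ValueError(f"not a 6-octet MAC: {mac!r}")
    return tuple(int(p, 16) for p in parts)


def decode_ha_vmac(mac):
    """Return {'format', 'device_id', 'group_id', 'interface_id'} for an HA
    virtual MAC, or None if the address matches neither documented layout."""
    b = _octets(mac)
    if b[:3] == OUI_LEGACY and b[3] == 0x00:
        xx, yy = b[4], b[5]
        if xx & 0x40:                      # bit 6 of xx must be 0
            return None
        return {"format": "00-1B-17", "device_id": xx >> 7,
                "group_id": xx & 0x3F, "interface_id": yy}
    if b[:3] == OUI_NEWER:
        b3, b4, b5 = b[3], b[4], b[5]
        if (b3 >> 5) != 0b111 or ((b4 >> 2) & 0x0F) != 0:
            return None                    # fixed '111' / '0000' bits absent
        return {"format": "B4-0C-25",
                "device_id": (b3 >> 4) & 1,
                "group_id": ((b3 & 0x0F) << 2) | (b4 >> 6),
                "interface_id": ((b4 & 0x03) << 8) | b5}
    return None


def encode_ha_vmac(newer, device_id, group_id, interface_id):
    """Build the virtual MAC for the given IDs; newer=True selects the
    B4-0C-25 layout (10-bit Interface-ID), False the 00-1B-17 layout."""
    if device_id not in (0, 1) or not 0 <= group_id <= 0x3F:
        raise ValueError("device_id must be 0/1 and group_id 0..63")
    if newer:
        if not 0 <= interface_id <= 0x3FF:
            raise ValueError("interface_id must fit in 10 bits")
        tail = (0xE0 | (device_id << 4) | (group_id >> 2),
                ((group_id & 0x03) << 6) | (interface_id >> 8),
                interface_id & 0xFF)
        octets = OUI_NEWER + tail
    else:
        if not 0 <= interface_id <= 0xFF:
            raise ValueError("interface_id must fit in 8 bits")
        octets = OUI_LEGACY + (0x00, (device_id << 7) | group_id, interface_id)
    return "-".join(f"{o:02X}" for o in octets)
```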
When a new active firewall takes over, it sends gratuitous ARPs
from each of its connected interfaces to inform the connected Layer
2 switches of the new location of the virtual MAC address. To configure
floating IP addresses, see Use
Case: Configure Active/Active HA with Floating IP Addresses.