Use Case: Configure Active/Active HA with Floating IP AddressBound to Active-Primary Firewall
Updated on
Apr 19, 2024
Focus
Download PDF
Updated on
Apr 19, 2024
Focus
- Home
- PAN-OS
- High Availability
- SetUp Active/Active HA
- DetermineYour Active/Active Use Case
- Use Case: Configure Active/Active HA with Floating IP AddressBound to Active-Primary Firewall
Download PDF
Table of Contents
In mission-critical data centers, you maywant both Layer 3 HA firewalls to participate in path monitoringso that they can detect path failures upstream from both firewalls.Additionally, you prefer to control if and when the floating IPaddress returns to the recovered firewall after it comes back up,rather than the floating IP address returning to the device ID towhich it is bound. (That default behavior is described in FloatingIP Address and Virtual MAC Address.)
In this use case,you control when the floating IP address and therefore the active-primaryrole move back to a recovered HA peer. The active/active HA firewallsshare a single floating IP address that you bind to whichever firewallis in the active-primary state. With only one floating IP address,network traffic flows predominantly to a single firewall, so thisactive/active deployment functions like an active/passive deployment.
Inthis use case, Cisco Nexus 7010 switches with virtual PortChannels(vPCs) operating in Layer 3 connect to the firewalls. You must configurethe Layer 3 switches (router peers) north and south of the firewallswith a route preference to the floating IP address. That is, youmust design your network so the route tables of the router peershave the best path to the floating IP address. This example usesstatic routes with the proper metrics so that the route to the floatingIP address uses a lower metric (the route to the floating IP addressis preferred) and receives the traffic. An alternative to using staticroutes would be to design the network to redistribute the floatingIP address into the OSPF routing protocol (if you are using OSPF).
Thefollowing topology illustrates the floating IP address bound tothe active-primary firewall, which is initially Peer A, the firewallon the left.
Upon afailover, when the active-primary firewall (Peer A) goes down andthe active-secondary firewall (Peer B) takes over as the active-primarypeer, the floating IP address moves to Peer B (shown in the followingfigure). Peer B remains the active-primary firewall and trafficcontinues to go to Peer B, even when PeerA recovers and becomesthe active-secondary firewall. You decide if and when to make PeerA the active-primary firewall again.
Bindingthe floating IP address to the active-primary firewall providesyou with more control over how the firewalls determine floatingIP address ownership as they move between various HAFirewall States. The following advantages result:
Youcan have an active/active HA configuration for path monitoring outof both firewalls, but have the firewalls function like an active/passiveHA configuration because traffic directed to the floating IP addressalways goes to the active-primary firewall.
Whenyou disable preemption on both firewalls, you have the followingadditional benefits:
The floating IP address doesnot move back and forth between HA firewalls if the active-secondaryfirewall flaps up and down.
You can review the functionality of the recovered firewalland the adjacent components before manually directing traffic toit again, which you can do at a convenient down time.
You have control over which firewall owns the floating IPaddress so that you keep all flows of new and existing sessionson the active-primary firewall, thereby minimizing traffic on theHA3 link.
We stronglyrecommended you configure HA link monitoring on the interface(s)that support the floating IP address(es) to allow each HA peer toquickly detect a link failure and fail over to its peer. Both HApeers must have link monitoring for it to function.
We strongly recommend you configure HA path monitoring to notifyeach HA peer when a path has failed so a firewall can fail overto its peer. Because the floating IP address is always bound tothe active-primary firewall, the firewall cannot automatically failover to the peer when a path goes down and path monitoring is notenabled.
You cannot configure NAT for afloating IP address that is bound to an active-primary firewall.
Perform Step 1 through Step 5 of ConfigureActive/Active HA.
(
Optional
) Disable preemption.
Disabling preemption allows you fullcontrol over when the recovered firewall becomes the active-primaryfirewall.
In
, editthe Election Settings.Device
High Availability
General
Clear
Preemptive
if it is enabled.Click
OK
.
Perform Step 7 through Step 14 of ConfigureActive/Active HA.
Configure SessionOwner and SessionSetup.
In
,edit Packet Forwarding.Device
High Availability
Active/Active Config
For
Session Owner Selection
,we recommend you selectPrimary Device
. Thefirewall that is in active-primary state is the session owner.Alternatively, for
Session Owner Selection
youcan selectFirst Packet
and then forSession Setup
,selectPrimary Device
orFirstPacket
.For
Session Setup
, selectPrimaryDevice
—The active-primary firewall sets up all sessions.This is the recommended setting if you want your active/active configurationto behave like an active/passive configuration because it keepsall activity on the active-primary firewall.You must also engineer your network to eliminatethe possibility of asymmetric traffic going to the HA pair. If youdon’t do so and traffic goes to the active-secondary firewall, setting
SessionOwner Selection
andSession Setup
toPrimaryDevice
causes the traffic to traverse HA3 to get tothe active-primary firewall for session ownership and session setup.Click
OK
.
Configure an HA virtual address.
Select
and clickDevice
High Availability
Active/Active Config
Virtual Address
Add
.Enter or select an
Interface
.Select the
IPv4
orIPv6
tabandAdd
anIPv4 Address
orIPv6Address
.For
Type
, selectFloating
,which configures the virtual IP address to be a floating IP address.Click
OK
.
Bind the floating IP address to the active-primary firewall.
Select
Floating IP bound to theActive-Primary device
.Select
Failover address if link state isdown
to cause the firewall to use the failover addresswhen the link state on the interface is down.Click
OK
.
Enablejumbo frames on firewalls other than PA-7000 Series firewalls.
Commit
the configuration.Configure the peer firewall in the same way, except selectinga different DeviceID.
For example, if you selected Device ID forthe first firewall, select Device ID
1
forthe peer firewall.
"); adBlockNotification.append($( "Thanks for visiting https://docs.paloaltonetworks.com. To improve your experience when accessing content across our site, please add the domain to the allow list on your ad blocker application." )); let adBlockNotificationClose = $("x"); adBlockNotification.prepend(adBlockNotificationClose) $('body').append(adBlockNotification); setTimeout(function (e) { adBlockNotification.addClass('open'); }, 10); adBlockNotificationClose.on('click', function (e) { adBlockNotification.removeClass('open'); }) } }, 5000)
Recommended For You
{{ if(( raw.pantechdoctype != "techdocsAuthoredContentPage" && raw.objecttype != "Knowledge" && raw.pancommonsourcename != "TD pan.dev Docs")) { }} {{ if (raw.panbooktype) { }} {{ if (raw.panbooktype.indexOf('PANW Yellow Theme') != -1){ }}
{{ } else if (raw.panbooktype.indexOf('PANW Green Theme') != -1){ }}
{{ } else if (raw.panbooktype.indexOf('PANW Blue Theme') != -1){ }}
{{ } else { }}
{{ } }} {{ } else { }}
{{ } }} {{ } else { }} {{ if (raw.pantechdoctype == "pdf"){ }}
{{ } else if (raw.objecttype == "Knowledge") { }}
{{ } else if (raw.pancommonsourcename == "TD pan.dev Docs") { }}
{{ } else if (raw.pancommonsourcename == "LIVEcommunity Public") { }}
{{ } else { }}
{{ } }} {{ } }}
{{ if (raw.pancommonsourcename == "LIVEcommunity Public") { }}
{{ if (raw.pantechdoctype == "pdf"){ }}
{{ } }}
{{ } else { }}
{{ if (raw.pantechdoctype == "pdf"){ }}
{{ } }}
{{ } }}
{{ if (raw.pancommonsourcename != "TD pan.dev Docs"){ }} {{ if (raw.pandevdocsosversion){ }} {{ } else { }} {{ if ((_.size(raw.panosversion)>0) && !(_.isNull(raw.panconversationid )) && (!(_.isEmpty(raw.panconversationid ))) && !(_.isNull(raw.otherversions ))) { }} (See other versions) {{ } }} {{ } }} {{ } }}
{{ } }}{{ if (raw.pantechdoctype == "bookDetailPage"){ }}
{{ } }}{{ if (raw.pantechdoctype == "bookLandingPage"){ }}
{{ } }}{{ if (raw.pantechdoctype == "productLanding"){ }}
{{ } }}{{ if (raw.pantechdoctype == "techdocsAuthoredContentPage"){ }}
{{ } }}{{ if (raw.pantechdoctype == "pdf"){ }}
{{ } }}