In a Layer 3 active/active HA deployment, floating IP addresses and virtual MAC
addresses provide persistent connections even during firewall failures. They move to the
functioning firewall when failure occurs, maintaining services like VPNs and
NAT.
In a Layer 3 deployment of HA active/active mode, you
can assign floating IP addresses, which move from one HA firewall
to the other if a link or firewall fails. The interface on the firewall
that owns the floating IP address responds to ARP requests with
a virtual MAC address.
Floating IP addresses are recommended when you need functionality
such as Virtual Router Redundancy Protocol (VRRP). Floating IP addresses
can also be used to implement VPNs and source NAT, allowing for
persistent connections when a firewall offering those services fails.
As shown in the figure below, each HA firewall interface has
its own IP address and floating IP address. The interface IP address
remains local to the firewall, but the floating IP address moves
between the firewalls upon firewall failure. You configure the end
hosts to use a floating IP address as their default gateway, which
lets you load balance traffic across the two HA peers. You can also use external
load balancers to load balance traffic.
If a link or firewall fails or a path monitoring event causes
a failover, the floating IP address and virtual MAC address move
over to the functional firewall. (In the figure below, each firewall
has two floating IP addresses and virtual MAC addresses; they all
move over if the firewall fails.) The functioning firewall sends
a gratuitous ARP to update the MAC tables of the connected switches
to inform them of the change in floating IP address and MAC address
ownership to redirect traffic to itself.
After the failed firewall recovers, by default the floating IP
address and virtual MAC address move back to the firewall with the Device
ID (0 or 1) to which the floating IP address is bound. More specifically,
after the failed firewall recovers, it comes online. The currently
active firewall determines that its peer is back online and checks
whether the floating IP address it is handling belongs natively
to itself or to the other firewall. If the floating IP address was
originally bound to the other Device ID, the firewall automatically
gives it back. (For an alternative to this default behavior, see Use
Case: Configure Active/Active HA with Floating IP Address Bound
to Active-Primary Firewall.)
Each firewall in the HA pair creates a virtual MAC address for
each of its interfaces that has a floating IP address or ARP
Load-Sharing IP address.
The format of the virtual MAC address on PA-7000, PA-7000b, PA-5400, PA-5200, PA-3200
Series, and CN-Series firewalls is B4-0C-25-XX-YY-ZZ, where B4-0C-25 is the vendor ID
(of Palo Alto Networks in this case), and the next 24 bits indicate the Device ID, Group
ID and Interface ID as follows:
Octet XX, bits 7-5:                         111 (fixed)
Octet XX, bit 4:                            Device-ID (1 bit)
Octet XX, bits 3-0 and octet YY, bits 7-6:  Group-ID (6 bits)
Octet YY, bits 5-2:                         0000 (fixed)
Octet YY, bits 1-0 and octet ZZ, bits 7-0:  Interface-ID (10 bits)
The following graphic provides an example. Suppose the HA firewall has an Interface ID of
66. The number 66 in binary is 01000010. The Firewall Info row of the pink section shows
the rightmost ten bit positions have a 1 in the 64 (binary) column and a 1 in the 2
(binary) column, totaling 66, and two leading zeroes. The green section contains fixed
zeroes. Now suppose the firewall Group ID is 58. The number 58 in binary is 111010, as
shown in the Firewall Info row of the purple section. Finally, suppose the Device ID is
1, as shown in the Firewall Info row of the blue section. The Firewall Info row of the
yellow section contains fixed ones. When you look at the full string of bits, starting
from the left, the orange octet totals 254 (decimal), the pale blue octet totals 128
(decimal), and the bright green octet totals 66 (decimal). Converting decimal to hex, we
have FE-80-42. Therefore, the full virtual MAC address including the Palo Alto Networks
vendor ID is B4-0C-25-FE-80-42.
The format of the virtual MAC address on the remaining firewall models is 00-1B-17-00-xx-yy,
where 00-1B-17 is the vendor ID (of Palo Alto Networks in this case), 00 is fixed, xx
indicates the Device ID and Group ID as shown in the following figure, and yy is the
Interface ID:
Octet xx, bit 7:       Device-ID (1 bit)
Octet xx, bit 6:       0 (fixed)
Octet xx, bits 5-0:    Group-ID (6 bits)
Octet yy, bits 7-0:    Interface-ID (8 bits)
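As an added worked example (written for this page, not code from the Palo Alto Networks documentation or product), the following Python builds a virtual MAC address from the Device ID, Group ID and Interface ID for both formats above, and decodes an observed MAC back into those fields. The decoder is the part a network or SOC engineer would use when reading a switch MAC table or a gratuitous ARP capture during a failover to confirm which HA peer currently owns a floating IP. The function names (vmac_new, vmac_old, decode_vmac) are this example's own; the values Device ID 1, Group ID 58 and Interface ID 66 are the page's worked example, and the older-format values derived from them are this example's own computation.

```python
# Virtual MAC encode/decode for Palo Alto Networks active/active HA floating IPs.
# Example code for this page; it is not the vendor's implementation.

PAN_OUI_NEW = "B4-0C-25"   # PA-7000/PA-7000b/PA-5400/PA-5200/PA-3200/CN-Series format
PAN_OUI_OLD = "00-1B-17"   # format on the remaining firewall models


def _check_ids(device_id, group_id, interface_id, interface_bits):
    """Reject field values that do not fit the bit widths of the layout."""
    if device_id not in (0, 1):
        raise ValueError("Device ID must be 0 or 1")
    if not 0 <= group_id < 64:
        raise ValueError("Group ID must fit in 6 bits (0-63)")
    if not 0 <= interface_id < (1 << interface_bits):
        raise ValueError(f"Interface ID must fit in {interface_bits} bits")


def vmac_new(device_id, group_id, interface_id):
    """B4-0C-25-XX-YY-ZZ: 111 | Device-ID(1) | Group-ID(6) | 0000 | Interface-ID(10)."""
    _check_ids(device_id, group_id, interface_id, interface_bits=10)
    low24 = (0b111 << 21) | (device_id << 20) | (group_id << 14) | interface_id
    octets = [(low24 >> shift) & 0xFF for shift in (16, 8, 0)]
    return PAN_OUI_NEW + "-" + "-".join(f"{o:02X}" for o in octets)


def vmac_old(device_id, group_id, interface_id):
    """00-1B-17-00-xx-yy: xx = Device-ID(1) | 0 | Group-ID(6); yy = Interface-ID(8)."""
    _check_ids(device_id, group_id, interface_id, interface_bits=8)
    xx = (device_id << 7) | group_id          # bit 6 stays 0
    return f"{PAN_OUI_OLD}-00-{xx:02X}-{interface_id:02X}"


def _mac_bytes(mac):
    """Accept AA-BB-CC-DD-EE-FF or aa:bb:cc:dd:ee:ff and return the six raw bytes."""
    digits = mac.strip().upper().replace("-", "").replace(":", "")
    if len(digits) != 12:
        raise ValueError("a MAC address has exactly 12 hex digits")
    return bytes.fromhex(digits)


def decode_vmac(mac):
    """Return {format, device_id, group_id, interface_id} for a PAN virtual MAC,
    or None when the OUI or the fixed bits do not match either layout."""
    b = _mac_bytes(mac)
    oui = "-".join(f"{x:02X}" for x in b[:3])
    if oui == PAN_OUI_NEW:
        low24 = int.from_bytes(b[3:], "big")
        # Fixed bits: top three must be 111, bits 13-10 must be 0000.
        if (low24 >> 21) != 0b111 or (low24 >> 10) & 0xF != 0:
            return None
        return {"format": oui,
                "device_id": (low24 >> 20) & 1,
                "group_id": (low24 >> 14) & 0x3F,
                "interface_id": low24 & 0x3FF}
    if oui == PAN_OUI_OLD:
        fixed, xx, yy = b[3], b[4], b[5]
        # Fourth octet is fixed 00 and bit 6 of xx is fixed 0.
        if fixed != 0 or (xx >> 6) & 1:
            return None
        return {"format": oui,
                "device_id": xx >> 7,
                "group_id": xx & 0x3F,
                "interface_id": yy}
    return None


if __name__ == "__main__":
    # The page's example: Device ID 1, Group ID 58, Interface ID 66 -> B4-0C-25-FE-80-42
    print(vmac_new(1, 58, 66))
    print(vmac_old(1, 58, 66))
    print(decode_vmac("b4:0c:25:fe:80:42"))
```

Run it directly to reproduce the page's B4-0C-25-FE-80-42 result. When decode_vmac returns a value for a MAC seen in a gratuitous ARP, the device_id field tells you which HA peer (Device ID 0 or 1) has taken ownership of that floating IP, and the interface_id tells you which interface answered; a None result means the address is not a Palo Alto Networks virtual MAC in either layout.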
When a new active firewall takes over, it sends gratuitous ARPs
from each of its connected interfaces to inform the connected Layer
2 switches of the new location of the virtual MAC address. To configure
floating IP addresses, see Use
Case: Configure Active/Active HA with Floating IP Addresses.