topic Re: IP Address and MAC address in Active\Passice HA Mode in Next-Generation Firewall Discussions

IP Address and MAC address in Active\Passice HA Mode

srikarpuligandla — Tue, 31 Oct 2023 03:04:23 GMT

Hi,

Does Active\Passive HA firewalls have same physical MAC address on Data plane Interfaces? I feel MAC address are unique and how come MAC address can be same on both firewalls.

Does Virtual MAC addresses and floating IP's are used in Active\Passive HA mode? If used how they are configured.

Thanks.

Re: IP Address and MAC address in Active\Passice HA Mode

Raido_Rattameister — Tue, 31 Oct 2023 12:31:24 GMT

Each firewall has it's own mac that it comes with from factory.

When you enable HA then based on group number new virtual mac address is generated.

This virtual mac address is then used by active firewall to reply to arp requests.

If you fail over to secondary firewall then gratuitous arp is sent out by secondary firewall about mac address moving to other switchport and this secondary starts responding to arp requests using same virtual mac.

As virtual mac is generated based HA group number you never want to put 2 Palo HA clusters (4 firewalls) into same ethernet network with same group number. This will cause mac address conflict.

Re: IP Address and MAC address in Active\Passice HA Mode

srikarpuligandla — Tue, 31 Oct 2023 21:59:52 GMT

Thank you @Raido_Rattameister

Re: IP Address and MAC address in Active\Passice HA Mode

Raido_Rattameister — Wed, 01 Nov 2023 12:42:55 GMT

As a side note if you use virtual firewalls in VMware then most likely you turn off virtual mac option because to use virtual mac you would need to configure vSwitches into promiscuous mode (very bad idea).

As a result each HA firewall will have it's own mac.

Device > Setup > Management > Use Hypervisor Assigned MAC Addresses