https://live.paloaltonetworks.com/t5/general-topics/using-ha-without-a-virtual-mac-possible/m-p/564784#M114261 <P>Hello,</P> <P>as the title says: I want to implement an HA active-passive setup on a virtualization platform that doesn't support MAC address changes on the VM side. Therefore, a newly generated virtual MAC is unfortunately not an option.</P> <P>So, is there a way to disable&nbsp;virtual MAC for HA?</P> <P>&nbsp;</P> <P>Thanks&nbsp;<BR />Tim</P> Wed, 08 Nov 2023 10:16:52 GMT Tim_Reckling 2023-11-08T10:16:52Z https://live.paloaltonetworks.com/t5/general-topics/using-ha-without-a-virtual-mac-possible/m-p/564784#M114261 <P>Hello,</P> <P>as the title says: I want to implement an HA active-passive setup on a virtualization platform that doesn't support MAC address changes on the VM side. Therefore, a newly generated virtual MAC is unfortunately not an option.</P> <P>So, is there a way to disable&nbsp;virtual MAC for HA?</P> <P>&nbsp;</P> <P>Thanks&nbsp;<BR />Tim</P> Wed, 08 Nov 2023 10:16:52 GMT https://live.paloaltonetworks.com/t5/general-topics/using-ha-without-a-virtual-mac-possible/m-p/564784#M114261 Tim_Reckling 2023-11-08T10:16:52Z https://live.paloaltonetworks.com/t5/general-topics/using-ha-without-a-virtual-mac-possible/m-p/564797#M114265 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/210945">@Tim_Reckling</a> ,</P> <P>&nbsp;</P> <P>Could you provide more information?&nbsp; Here is a good link for HA on VM-Series -&gt; <A href="https://docs.paloaltonetworks.com/vm-series/9-1/vm-series-deployment/about-the-vm-series-firewall/vm-series-in-high-availability" target="_blank">https://docs.paloaltonetworks.com/vm-series/9-1/vm-series-deployment/about-the-vm-series-firewall/vm-series-in-high-availability</A>.&nbsp; For example, the original HA document for Azure does not use virtual MACs.&nbsp; However, the Azure deployment guide <A href="https://www.paloaltonetworks.com/resources/reference-architectures/azure" target="_blank">https://www.paloaltonetworks.com/resources/reference-architectures/azure</A> recommends using the Azure Load Balancer with 2 independent NGFWs for faster failover, in which case the virtual MAC is not required.</P> <P>&nbsp;</P> <P>PANW has reference architectures for AWS, GCP, etc. <A href="https://www.paloaltonetworks.com.au/resources/reference-architectures" target="_blank">https://www.paloaltonetworks.com.au/resources/reference-architectures</A></P> <P>&nbsp;</P> <P>So, there may be some good documents for your virtualization platform to help solve your issue.</P> <P>&nbsp;</P> <P>With regard to normal HA configuration, you must use the virtual MAC address.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> Wed, 08 Nov 2023 12:06:25 GMT https://live.paloaltonetworks.com/t5/general-topics/using-ha-without-a-virtual-mac-possible/m-p/564797#M114265 TomYoung 2023-11-08T12:06:25Z https://live.paloaltonetworks.com/t5/general-topics/using-ha-without-a-virtual-mac-possible/m-p/564806#M114268 <P>In VMware environment you need to use firewall own IPs not virtual to avoid setting virtual switch into promiscuous mode.</P> <P>This setting can be adjusted at</P> <P>Device &gt; Setup &gt; Management &gt;&nbsp;Use Hypervisor Assigned MAC Addresses</P> <P>&nbsp;</P> <P>Be aware that in this case firewall failover will cause gratuitous arp to be sent out and not every device accepts it.</P> <P>For example Palos themselves don't update arp table if gratuitous arp is received.</P> <P>So assuming you have physical Palo at the perimeter and virtual Palos in HA inside.</P> <P>Virtual Palo failover will cause outage because perimeter Palo don't care about gratuitous arp.</P> <P>&nbsp;</P> Wed, 08 Nov 2023 13:43:25 GMT https://live.paloaltonetworks.com/t5/general-topics/using-ha-without-a-virtual-mac-possible/m-p/564806#M114268 Raido_Rattameister 2023-11-08T13:43:25Z