https://live.paloaltonetworks.com/t5/general-topics/why-doesn-t-firewall-pan-automatically-change-the-mac-address-of/m-p/577960#M115957 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/1162955685">@Namppmtechpro_2410</a>,</P> <P>Doesn't sound like the Imperva is sending a gratuitous ARP (GARP) when you fail traffic over like it should.&nbsp; When you have a device in any sort of HA you want it GARP'ing when it takes over responsibility for the IP if it's not going to utilize the same MAC address across peers.&nbsp;</P> <P>The firewall is doing what it should here; if it has an ARP entry for an address already there's no reason to not use the cached entry, hence why GARP exists so that devices can announce that they now control an IP address.&nbsp;</P> Wed, 21 Feb 2024 22:47:34 GMT BPry 2024-02-21T22:47:34Z https://live.paloaltonetworks.com/t5/general-topics/why-doesn-t-firewall-pan-automatically-change-the-mac-address-of/m-p/577699#M115922 <P>&nbsp;</P> <P>Hello guys, can you help me with this problem?</P> <P>We are looking for the following logical scenario, we have 2 Reverse Proxy (Imperva) devices connecting through a PAN Firewall as shown below. When checking for backup on Imperva. We tried the following:</P> <P>- Turn off eth2 port on Master and traffic is transferred to Backup successfully. All operations are stable. The PAN firewall will relearn the VIP's MAC address, the MAC address is changed from MASTER ==&gt; BACKUP</P> <P>- Enable return port eth2 on Master, traffic cannot be transferred to Master. Because the PAN Firewall still holds the MAC address of the MASTER device. Only when we clear the cache on the PAN does it work properly again.</P> <P>Do you have any suggestions for this problem?. Can you help me?</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Namppmtechpro_2410_1-1708400988356.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/57731i5C3293E9B65F6D81/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="Namppmtechpro_2410_1-1708400988356.png" alt="Namppmtechpro_2410_1-1708400988356.png" /></span></P> <P>&nbsp;</P> <P>Thanks a lot</P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 20 Feb 2024 03:50:40 GMT https://live.paloaltonetworks.com/t5/general-topics/why-doesn-t-firewall-pan-automatically-change-the-mac-address-of/m-p/577699#M115922 Namppmtechpro_2410 2024-02-20T03:50:40Z https://live.paloaltonetworks.com/t5/general-topics/why-doesn-t-firewall-pan-automatically-change-the-mac-address-of/m-p/577700#M115923 <P><STRONG>I'm experiencing a similar issue. If anyone has a solution, please kindly assist us.</STRONG></P> Tue, 20 Feb 2024 03:57:37 GMT https://live.paloaltonetworks.com/t5/general-topics/why-doesn-t-firewall-pan-automatically-change-the-mac-address-of/m-p/577700#M115923 duongdt98 2024-02-20T03:57:37Z https://live.paloaltonetworks.com/t5/general-topics/why-doesn-t-firewall-pan-automatically-change-the-mac-address-of/m-p/577701#M115924 <DIV id="bodyDisplay_1" class="lia-message-body lia-component-message-view-widget-body lia-component-body-signature-highlight-escalation lia-component-message-view-widget-body-signature-highlight-escalation"> <DIV class="lia-message-body-content"> <P><STRONG>I'm experiencing a similar issue. If anyone has a solution, please kindly assist us.</STRONG></P> </DIV> </DIV> <DIV class="lia-rating-metoo lia-component-me-too-solution lia-component-message-view-widget-me-too-solution"> <DIV class="RatingDisplay lia-component-ratings-widget-rating-display"> <DIV id="ratingenumerationdisplay_1" class="lia-rating-enumeration-system-forum_solution_metoo lia-rating-enumeration rating-enum-577700-forum_solution_metoo"> <DIV class="lia-button-group-left"><SPAN class="lia-button-wrapper lia-button-wrapper-secondary"><A id="link_29" class="lia-button lia-button-secondary lia-rating-image lia-rating-image-selected lia-rating-image-active lia-js-data-ratingValue-0 lia-link-ticket-post-action" title="Click here if you had a similar experience" role="button" href="https://live.paloaltonetworks.com/t5/forums/v5/forumtopicpage.externalratingdisplay.ratingenumerationdisplay.link:rating/rating-enum/0/rating-system/forum_solution_metoo/message-uid/577700?t:ac=board-id/members_discuss/thread-id/115922&amp;t:cp=ratings/contributionpage" rel="nofollow" data-lia-action-token="1ubAkUR7BsfHuO8QtlJo1exG8fIUsG7TKhgvqT2im2uFxFBBAkVutAEMel___OBB" target="_blank">Me too</A></SPAN></DIV> </DIV> </DIV> </DIV> Tue, 20 Feb 2024 05:20:34 GMT https://live.paloaltonetworks.com/t5/general-topics/why-doesn-t-firewall-pan-automatically-change-the-mac-address-of/m-p/577701#M115924 Dolores56 2024-02-20T05:20:34Z https://live.paloaltonetworks.com/t5/general-topics/why-doesn-t-firewall-pan-automatically-change-the-mac-address-of/m-p/577960#M115957 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/1162955685">@Namppmtechpro_2410</a>,</P> <P>Doesn't sound like the Imperva is sending a gratuitous ARP (GARP) when you fail traffic over like it should.&nbsp; When you have a device in any sort of HA you want it GARP'ing when it takes over responsibility for the IP if it's not going to utilize the same MAC address across peers.&nbsp;</P> <P>The firewall is doing what it should here; if it has an ARP entry for an address already there's no reason to not use the cached entry, hence why GARP exists so that devices can announce that they now control an IP address.&nbsp;</P> Wed, 21 Feb 2024 22:47:34 GMT https://live.paloaltonetworks.com/t5/general-topics/why-doesn-t-firewall-pan-automatically-change-the-mac-address-of/m-p/577960#M115957 BPry 2024-02-21T22:47:34Z