topic HA binding "both option" not working in NAT policy in General Topics

HA binding "both option" not working in NAT policy

wimjuste — Tue, 01 Oct 2013 20:03:09 GMT

Dear all,

I've configured my Palo Alto Cluster in a L3 Active / Active cluster setup.

While I was trying to implement a NAT policy (Source Address Translation), it turns out that the only options that are working are: "0" and "1", as a reference to the member of the active/active cluster which should take care of the Address Translation.

It turns out that the other option are not accepted by the PAN-OS while trying to push/commit the previously defined NAT policy (results in ERROR)

Would be works as designed?

Because, as a workaround I cloned the NAT rule, using either active/active binding to "0"

and

the exact same NAT rule, using active/active binding "1".

Seems to be working fine, although I can imaging that the option "PRIMARY" would allow us to create this NAT rule ONLY ONCE.

Thanks !

Kind regards,

Wim

Re: HA binding "both option" not working in NAT policy

apasupulati — Mon, 07 Oct 2013 03:03:51 GMT

In a A/A cluster, each device requires its own IP pool and is associated to a device-id. Hence for source translation, you will need two rules using the corresponding device-id, so when a new session is created, device binding determines which NAT rules are matched by the firewall (the device binding must include the session owner device to produce a match).

Refer to pages 25, 96 & 97 in the following article for more on NAT in A/A setup:

Configuring Active/Active HA PAN-OS 4.0

Hope that helps!

Aditi

Re: HA binding "both option" not working in NAT policy

wimjuste — Fri, 11 Oct 2013 08:22:35 GMT

Meanwhile I also received feedback of our Palo Alto Networks local systems engineer.

Allow me to share this information, because it revealed to root cause / answer to our problem.

NAT device binding options include the following:

Device 0 and Device 1—Translation is performed according to device-specific bindings only if the session owner and the device ID in the NAT rule match. evice-specific NAT rules are commonly used when the two firewalls use unique public IP addresses for translation
Both—This option allows either device to match new sessions to the NAT rule and is commonly used for destination NAT
Primary—This option allows only the active-primary device to match new sessions to the NAT rule. This setting is used mainly for inbound static NAT, where only one firewall should respond to ARP requests. Unlike device 0/1 bindings, a primary device binding can move between devices when the primary role is transferred

Re: HA binding "both option" not working in NAT policy

Rjschultz — Mon, 19 May 2014 20:29:28 GMT

Can someone clarify for me the setup for a "dynamic-ip-and-port" source nat on an active/active cluster? The traffic for this particular rule must be source natted to a particular x.x.2.15 address when traversing through either device and should work when either member is down. Please specify the A/A bindings required for the rule, and scenarios with and without floating IPs on the outside. Thank you.

-Johnny