topic Re: DIPP A/A Enviroment Floating IP in General Topics

DIPP A/A Enviroment Floating IP

mschwab — Wed, 08 Feb 2017 22:53:05 GMT

Hi Guys,

we´ve an Active/active Cluster enviroment. For the normal Internetconnection we will use Source/Hide NAT (DIPP).

At the moment we will NAT on both firewalls the traffic through the interface IP. This works fine, the failover is

ok only one paket lost during failover. The proble is, that in the case of an failover the Users will access the webservers with an other IP-Adress. Now, the Users are using services which recognize that and they will clothe the session.

So, we decide us to use a floating IP for NAT. So far so good. We´ve configure two identical NAT policies and

bind onde to device 0 and one to device 1. In a normal situation it works and I can see the NAT policy on the firewall
if I make tshoot via CLI. But in a failover condition (I´ve reboot the primary device). The connection is broken and
I can´t see any NAT entry on the second firewall. What we´ve done wrong. I´ve found this config example in a PAN document.
Any other Idea, how we can realizied our main goal (one IP toe the outside)?

Just for information. On the inside network, we also use floating IP to access the firewall.

So all clients have only the floating IP as a default gateway.....

I hope that someone have an idea.....

BR M

Re: DIPP A/A Enviroment Floating IP

DonohoeRobert — Wed, 08 Feb 2017 23:40:05 GMT

Hi Mate,

Cool article at the link below talks about this.

Also mentions some limitations with what you are trying to achieve.

Mainly 'You cannot configure NAT for a floating IP address that is bound to an active-primary firewall'

https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/high-availability/use-case-configure-active-active-ha-with-floating-ip-address-bound-to-active-primary-firewall

Best regards,

Robert d

Re: DIPP A/A Enviroment Floating IP

reaper — Thu, 09 Feb 2017 14:35:09 GMT

Is there a specific reason you configured your cluster as Active/Active?

There's only a few scenarios where A/A would be beneficial and these are when asymmetric traffic is expected or when dynamic routing needs active peers for fast failover

if neither is the case, your config can be dramatically simplified at no cost of failover times and with increase in firewall throughput (as no portion of the resources need to be dedicated to the A/A communication between both peers)

in A/P you can simply configure NAT rules that will travel along with the Active peer and all the interface IP addresses will also follow (gratuitous ARP)

Re: DIPP A/A Enviroment Floating IP

mschwab — Thu, 09 Feb 2017 23:24:26 GMT

Hi,

we have special VPN´s for panorama connection and don´t use the MGMT Ports for that.

So, we can´t monitor the secondary firewall and have some more restrictions.

And of course, one of them is dynamic routing (OSPF) and VPN´s.

I know the article from the admin guide, but in this example, they use two floating
IP´s (one on every firewall), so we´ve the problem, that we use two different IP´s

when we go to outside.

One other solution, what we´ve found in an other article, use two identicle NAT entries,

without a floating IP. The problem with that solution is the duplicate IP error on the WAN Network.....