https://live.paloaltonetworks.com/t5/general-topics/gratuitous-proxy-arp-in-failover/m-p/8198#M6059 <HTML><HEAD></HEAD><BODY><P>Confirmed.&nbsp; PAN does not sent GARP for 'proxied' IPs including NATs or PATs.&nbsp; Only IPs configured directly on an interface will GARP to the upstream/downstream devices.&nbsp; If you don't have control over those devices (managed service provider controlling your Internet Router for example), you might be in trouble, or at least be in for a fun time on the phone with support for 2 hours to get them to do something that takes a few second (clear arp).&nbsp; Best practice:&nbsp; enable HA on your primary PAN, even if there is no secondary PAN.&nbsp; Yes it works, it's harmless.&nbsp; This will prevent the need for GARP or clear arp up/down stream because the virtual MAC associated with HA being enabled is already in those devices.&nbsp; Cheers!</P></BODY></HTML> Thu, 17 Feb 2011 05:18:41 GMT migration 2011-02-17T05:18:41Z https://live.paloaltonetworks.com/t5/general-topics/gratuitous-proxy-arp-in-failover/m-p/8197#M6058 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I know that PA sends out an Gratuitous ARP in Failobver to inform the network partners that the active IF-IP has changed. But waht about the configured static NATs on the Public Network which redirects traffic to internal Servers (e.g. DMZ) ?</P><P></P><P>Are there also Gratuitous ARP send out for those "Proxy Arp" Adresses?</P><P></P><P>I ask this because at a customer site the Static IP Mapping will no longer work after an failover till the router in front will be flushed the arp cache?</P><P></P><P>Any answers welcom.</P><P></P><P>Stefan</P></BODY></HTML> Wed, 16 Feb 2011 21:42:43 GMT https://live.paloaltonetworks.com/t5/general-topics/gratuitous-proxy-arp-in-failover/m-p/8197#M6058 Haecker 2011-02-16T21:42:43Z https://live.paloaltonetworks.com/t5/general-topics/gratuitous-proxy-arp-in-failover/m-p/8198#M6059 <HTML><HEAD></HEAD><BODY><P>Confirmed.&nbsp; PAN does not sent GARP for 'proxied' IPs including NATs or PATs.&nbsp; Only IPs configured directly on an interface will GARP to the upstream/downstream devices.&nbsp; If you don't have control over those devices (managed service provider controlling your Internet Router for example), you might be in trouble, or at least be in for a fun time on the phone with support for 2 hours to get them to do something that takes a few second (clear arp).&nbsp; Best practice:&nbsp; enable HA on your primary PAN, even if there is no secondary PAN.&nbsp; Yes it works, it's harmless.&nbsp; This will prevent the need for GARP or clear arp up/down stream because the virtual MAC associated with HA being enabled is already in those devices.&nbsp; Cheers!</P></BODY></HTML> Thu, 17 Feb 2011 05:18:41 GMT https://live.paloaltonetworks.com/t5/general-topics/gratuitous-proxy-arp-in-failover/m-p/8198#M6059 migration 2011-02-17T05:18:41Z https://live.paloaltonetworks.com/t5/general-topics/gratuitous-proxy-arp-in-failover/m-p/8199#M6060 <HTML><HEAD></HEAD><BODY><P>It is my understanding (and correct me if I am wrong) that the Proxy-Arp IP's share the same MAC as the Interface IP.&nbsp; A Gratuitous ARP is not really sent to inform a layer3 device of a change (ARP Table), but to modify the CAM table of a switch (no IP information).&nbsp; Since they share the same MAC address all of the IP's should correctly fail-over during an outage.</P><P></P><P>It is true that the MAC address changes to a virtual MAC address when enabling HA as <STRONG>dfreedman</STRONG> said, so it might be a good practice to get that set up long before you actually bring your secondary unit online, but that should not affect normal failover operation when HA is up and running.</P><P></P><P>If two Palo Alto firewalls are directly connected to a single L3 device, then you should have it configured to bridge the two interfaces, which will create an L2 CAM table, just like a switch.&nbsp; If it honors Gratuitous ARP, then it should work like a charm.</P><P></P><P>Cheers,</P><P></P><P>Kelly</P></BODY></HTML> Thu, 17 Feb 2011 17:02:25 GMT https://live.paloaltonetworks.com/t5/general-topics/gratuitous-proxy-arp-in-failover/m-p/8199#M6060 kbrazil 2011-02-17T17:02:25Z https://live.paloaltonetworks.com/t5/general-topics/gratuitous-proxy-arp-in-failover/m-p/8200#M6061 <HTML><HEAD></HEAD><BODY><P>So,</P><P>in a HA L3 environement (not so uncommon) what else do we have to do to make it working?</P><P>This is something not documented and it appears to be vital!</P><P></P><P>Thanks</P></BODY></HTML> Thu, 17 Feb 2011 20:23:23 GMT https://live.paloaltonetworks.com/t5/general-topics/gratuitous-proxy-arp-in-failover/m-p/8200#M6061 migration 2011-02-17T20:23:23Z https://live.paloaltonetworks.com/t5/general-topics/gratuitous-proxy-arp-in-failover/m-p/8201#M6062 <HTML><HEAD></HEAD><BODY><P>Example1: </P><P>You have FW1 and FW1 doesn't have HA enabled upon initial deployment.&nbsp; Then you bring in FW2 and want to set up HA.&nbsp; When you enable HA on FW1, that's when the problem with GARP/ Proxy ARP occurs.</P><P></P><P>Example2: </P><P>You have FW1 and FW1 has HA enabled upon initial deployment.&nbsp; Then you bring in FW2 and want to set up HA.&nbsp; Since you already have HA enabled on FW1, you will <SPAN style="text-decoration: underline;">NOT</SPAN> experience the GARP / Proxy ARP problem.</P><P></P><P>Example 3: </P><P>You have FW1 and FW2 both with HA enabled upon initial deployment.&nbsp; Then you will not experience the GARP / Proxy ARP problem.</P><P></P><P>So to reitterate, if you're deploying a single firewall, enable HA upon initial deployment and you will never experience the problem in Example 1.&nbsp; It's really that simple.</P></BODY></HTML> Thu, 17 Feb 2011 20:33:18 GMT https://live.paloaltonetworks.com/t5/general-topics/gratuitous-proxy-arp-in-failover/m-p/8201#M6062 migration 2011-02-17T20:33:18Z https://live.paloaltonetworks.com/t5/general-topics/gratuitous-proxy-arp-in-failover/m-p/8202#M6063 <HTML><HEAD></HEAD><BODY><P>There are many ways to successfully design an L3 HA solution.&nbsp; The most common is the 'switch-sandwich' where the firewall sits between two switches or two pairs of switches.&nbsp; With a Layer2 device between the firewall and the router it should work nicely.&nbsp; In the example I used in the earlier post you would be logically and physically combining the switch and router on the same hardware, basically emulating one side of the switch-sandwich.</P><P></P><P>There are other designs that can utilize routing protocol, but these are a bit more complex.&nbsp; You may want to work with your Palo Alto Networks or VAR SE to discuss the options.</P><P></P><P>Cheers,</P><P></P><P>Kelly</P></BODY></HTML> Thu, 17 Feb 2011 20:44:19 GMT https://live.paloaltonetworks.com/t5/general-topics/gratuitous-proxy-arp-in-failover/m-p/8202#M6063 kbrazil 2011-02-17T20:44:19Z