https://live.paloaltonetworks.com/t5/general-topics/ha-config/m-p/9942#M7293 <HTML><HEAD></HEAD><BODY><P>Did I unstand it right, that the PaloAlto firewalls doesn't need virtual and self-ip-addresses for HA?</P><P></P><P>I just watched the HA config video, but there was no part for configuring the layer 3 interfaces for HA. At the moment we use checkpoint firewalls and therefor we need at least 3 ip-addresses for each subnet: </P><P>Example: 192.168.1.1 virtual IP</P><P>192.168.1.2 firewall-1</P><P>192.168.1.3 firewall-3</P><P></P><P>All traffic is routed to the virtual IP 192.168.1.1.</P><P></P><P>How does it work on PaloAlto devices?</P><P></P><P>Thanks for helping!</P><P></P><P>Gernot</P></BODY></HTML> Thu, 04 Nov 2010 20:11:19 GMT gzauner 2010-11-04T20:11:19Z https://live.paloaltonetworks.com/t5/general-topics/ha-config/m-p/9942#M7293 <HTML><HEAD></HEAD><BODY><P>Did I unstand it right, that the PaloAlto firewalls doesn't need virtual and self-ip-addresses for HA?</P><P></P><P>I just watched the HA config video, but there was no part for configuring the layer 3 interfaces for HA. At the moment we use checkpoint firewalls and therefor we need at least 3 ip-addresses for each subnet: </P><P>Example: 192.168.1.1 virtual IP</P><P>192.168.1.2 firewall-1</P><P>192.168.1.3 firewall-3</P><P></P><P>All traffic is routed to the virtual IP 192.168.1.1.</P><P></P><P>How does it work on PaloAlto devices?</P><P></P><P>Thanks for helping!</P><P></P><P>Gernot</P></BODY></HTML> Thu, 04 Nov 2010 20:11:19 GMT https://live.paloaltonetworks.com/t5/general-topics/ha-config/m-p/9942#M7293 gzauner 2010-11-04T20:11:19Z https://live.paloaltonetworks.com/t5/general-topics/ha-config/m-p/9943#M7294 <HTML><HEAD></HEAD><BODY><P>As far as I know, </P><P>during a device or link failover, the cluster renegotiates to select a new primary unit using the same criteria as the initial negotiation.</P><P>The cluster protocol assigns a virtual MAC address to all of the primary unit interfaces. The primary unit sends special ARP packets to update the switches connected to the cluster interfaces with this MAC address change. The switches update their MAC forwarding tables with MAC address change. As a result, the switches send all network traffic to the primary unit.</P><P></P><P>I suppose this, because I didn't find anywhere a specific documentation.</P><P></P><P>Anyway, you don't need three IP addressess (2 physical and 1 virtual) as you need in Check Point. You have to configure one cluster unit ONLY, with real and routable IP addresses, the second unit is transparent to you: HA1 control link will share the configuration with the second unit.</P><P></P><P>Hope this help you! <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P></BODY></HTML> Fri, 05 Nov 2010 10:42:27 GMT https://live.paloaltonetworks.com/t5/general-topics/ha-config/m-p/9943#M7294 migration 2010-11-05T10:42:27Z https://live.paloaltonetworks.com/t5/general-topics/ha-config/m-p/9944#M7295 <HTML><HEAD></HEAD><BODY><P>That is correct - the specific arp used is called a gratuitous arp or GARP for short <img id="smileywink" class="emoticon emoticon-smileywink" src="https://live.paloaltonetworks.com/i/smilies/16x16_smiley-wink.png" alt="Smiley Wink" title="Smiley Wink" /></P><P></P><P>Thanks</P><P>James</P></BODY></HTML> Fri, 05 Nov 2010 13:38:39 GMT https://live.paloaltonetworks.com/t5/general-topics/ha-config/m-p/9944#M7295 James 2010-11-05T13:38:39Z https://live.paloaltonetworks.com/t5/general-topics/ha-config/m-p/9945#M7296 <HTML><HEAD></HEAD><BODY><P><A class="jive-link-wiki-small" href="https://live.paloaltonetworks.com/docs/DOC-1656">https://live.paloaltonetworks.com/docs/DOC-1656</A><SPAN> for deep dive on HA</SPAN></P></BODY></HTML> Fri, 12 Nov 2010 21:53:06 GMT https://live.paloaltonetworks.com/t5/general-topics/ha-config/m-p/9945#M7296 jpa 2010-11-12T21:53:06Z