https://live.paloaltonetworks.com/t5/general-topics/ha4-clustering-to-present-a-single-nat-ip-across-two-data/m-p/435960#M96119 <P>You use a load balancer sandwich where the northern/outside LB is floating the IP between the DC connections to the NGFWs. LBs behind the NGFWs to keep flow symmetric (or rerouting when the wire fails).&nbsp;</P><P>&nbsp;</P><P>That is, you need the DC LBs to be connected to the opposing NGFWs as well as their local, and both DC NGFWs to the northern LB.&nbsp;</P> Wed, 22 Sep 2021 18:54:38 GMT LAYER_8 2021-09-22T18:54:38Z https://live.paloaltonetworks.com/t5/general-topics/ha4-clustering-to-present-a-single-nat-ip-across-two-data/m-p/429384#M94899 <P>Can anyone who is using the HA4 cluster in production, to present the same external NAT IP across 2 data centers give any advice on how they are doing the routing.&nbsp; I saw in the docs that some of the security functions don't work if the traffic is asymmetric.&nbsp; Obviously the easy answer is to push all the traffic to one DC.&nbsp; Is that how people do it, or is there a way to load balance across them?</P><P>&nbsp;</P><P>I am keen to hear about peoples experience with the feature and if they have had any issues with it.&nbsp; Currently I have two separate IP ranges for the two DC's and flip flop between them, but that is a pain.</P> Thu, 26 Aug 2021 10:06:19 GMT https://live.paloaltonetworks.com/t5/general-topics/ha4-clustering-to-present-a-single-nat-ip-across-two-data/m-p/429384#M94899 Rich.H 2021-08-26T10:06:19Z https://live.paloaltonetworks.com/t5/general-topics/ha4-clustering-to-present-a-single-nat-ip-across-two-data/m-p/435553#M96082 <P>It's important to note that HA Clustering is not the same thing as Active/Active HA. You are correct in that there is no L7 inspection support for asymmetrical traffic.</P><P>&nbsp;</P><P>My customers using this feature are from a failover / disaster recovery scenario, so not load balancing traffic across two datacenters.&nbsp;</P><P>&nbsp;</P><P>If you are trying to utilize it for horizontal scaling to get the above scenario working we would recommend a load balancer sandwich, which is another way of saying NAT'ing the DCs to be the same public IP and load balancing with HA Clustering is not a supported use case at this time, but with additional devices you could achieve the functionality.&nbsp;</P> Tue, 21 Sep 2021 16:15:30 GMT https://live.paloaltonetworks.com/t5/general-topics/ha4-clustering-to-present-a-single-nat-ip-across-two-data/m-p/435553#M96082 LAYER_8 2021-09-21T16:15:30Z https://live.paloaltonetworks.com/t5/general-topics/ha4-clustering-to-present-a-single-nat-ip-across-two-data/m-p/435825#M96104 <P>Failover/DR is my primary driver for this feature.&nbsp; I want the same IP to be used at both of the DCs so that it doesn't affect the IP address that our partners have white listed.&nbsp; What I am unsure of is if the address is pinned to one site or floating, how do we make the inside and outside routing line up so things are symetric</P> Wed, 22 Sep 2021 14:07:13 GMT https://live.paloaltonetworks.com/t5/general-topics/ha4-clustering-to-present-a-single-nat-ip-across-two-data/m-p/435825#M96104 Rich.H 2021-09-22T14:07:13Z https://live.paloaltonetworks.com/t5/general-topics/ha4-clustering-to-present-a-single-nat-ip-across-two-data/m-p/435960#M96119 <P>You use a load balancer sandwich where the northern/outside LB is floating the IP between the DC connections to the NGFWs. LBs behind the NGFWs to keep flow symmetric (or rerouting when the wire fails).&nbsp;</P><P>&nbsp;</P><P>That is, you need the DC LBs to be connected to the opposing NGFWs as well as their local, and both DC NGFWs to the northern LB.&nbsp;</P> Wed, 22 Sep 2021 18:54:38 GMT https://live.paloaltonetworks.com/t5/general-topics/ha4-clustering-to-present-a-single-nat-ip-across-two-data/m-p/435960#M96119 LAYER_8 2021-09-22T18:54:38Z