HA binding "both option" not working in NAT policy

Showing results for 
Show  only  | Search instead for 
Did you mean: 

HA binding "both option" not working in NAT policy

L1 Bithead

Dear all,

I've configured my Palo Alto Cluster in a L3 Active / Active cluster setup.

While I was trying to implement a NAT policy (Source Address Translation), it turns out that the only options that are working are: "0" and "1", as a reference to the member of the active/active cluster which should take care of the Address Translation.

It turns out that the other option are not accepted by the PAN-OS while trying to push/commit the previously defined NAT policy (results in ERROR)


Would be works as designed?

Because, as a workaround I cloned the NAT rule, using either active/active binding to "0"


the exact same NAT rule, using active/active binding "1".

Seems to be working fine, although I can imaging that the option "PRIMARY" would allow us to create this NAT rule ONLY ONCE.

Thanks !

Kind regards,



L4 Transporter

In a A/A cluster, each device requires its own IP pool and is associated to a device-id. Hence for source translation, you will need two rules using the corresponding device-id, so when a new session is created, device binding determines which NAT rules are matched by the firewall (the device binding must include the session owner device to produce a match).

Refer to pages 25, 96 & 97 in the following article for more on NAT in A/A setup:

Configuring Active/Active HA PAN-OS 4.0

Hope that helps!


Meanwhile I also received feedback of our Palo Alto Networks local systems engineer.

Allow me to share this information, because it revealed to root cause / answer to our problem.

NAT device binding options include the following:

  • Device 0 and Device 1—Translation is performed according to device-specific bindings only if the session owner and the device ID in the NAT rule match. evice-specific NAT rules are commonly used when the two firewalls use unique public IP addresses for translation
  • Both—This option allows either device to match new sessions to the NAT rule and is commonly used for destination NAT
  • Primary—This option allows only the active-primary device to match new sessions to the NAT rule. This setting is used mainly for inbound static NAT, where only one firewall should respond to ARP requests. Unlike device 0/1 bindings, a primary device binding can move between devices when the primary role is transferred

Not applicable

Can someone clarify for me the setup for a "dynamic-ip-and-port" source nat on an active/active cluster?  The traffic for this particular rule must be source natted to a particular x.x.2.15 address when traversing through either device and should work when either member is down.  Please specify the A/A bindings required for the rule, and scenarios with and without floating IPs on the outside. Thank you.


Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!