This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

HA config

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

HA config

Go to solution
gzauner
L0 Member

‎11-04-2010 01:11 PM

Did I unstand it right, that the PaloAlto firewalls doesn't need virtual and self-ip-addresses for HA?

I just watched the HA config video, but there was no part for configuring the layer 3 interfaces for HA. At the moment we use checkpoint firewalls and therefor we need at least 3 ip-addresses for each subnet:

Example: 192.168.1.1 virtual IP

192.168.1.2 firewall-1

192.168.1.3 firewall-3

All traffic is routed to the virtual IP 192.168.1.1.

How does it work on PaloAlto devices?

Thanks for helping!

Gernot

0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
migration
L0 Member

‎11-05-2010 03:42 AM

As far as I know,

during a device or link failover, the cluster renegotiates to select a new primary unit using the same criteria as the initial negotiation.

The cluster protocol assigns a virtual MAC address to all of the primary unit interfaces. The primary unit sends special ARP packets to update the switches connected to the cluster interfaces with this MAC address change. The switches update their MAC forwarding tables with MAC address change. As a result, the switches send all network traffic to the primary unit.

I suppose this, because I didn't find anywhere a specific documentation.

Anyway, you don't need three IP addressess (2 physical and 1 virtual) as you need in Check Point. You have to configure one cluster unit ONLY, with real and routable IP addresses, the second unit is transparent to you: HA1 control link will share the configuration with the second unit.

Hope this help you! 🙂

View solution in original post

0 Likes Likes
3 REPLIES 3

Go to solution
migration
L0 Member

‎11-05-2010 03:42 AM

As far as I know,

during a device or link failover, the cluster renegotiates to select a new primary unit using the same criteria as the initial negotiation.

The cluster protocol assigns a virtual MAC address to all of the primary unit interfaces. The primary unit sends special ARP packets to update the switches connected to the cluster interfaces with this MAC address change. The switches update their MAC forwarding tables with MAC address change. As a result, the switches send all network traffic to the primary unit.

I suppose this, because I didn't find anywhere a specific documentation.

Anyway, you don't need three IP addressess (2 physical and 1 virtual) as you need in Check Point. You have to configure one cluster unit ONLY, with real and routable IP addresses, the second unit is transparent to you: HA1 control link will share the configuration with the second unit.

Hope this help you! 🙂

0 Likes Likes

Go to solution
James
L4 Transporter
In response to migration

‎11-05-2010 06:38 AM

That is correct - the specific arp used is called a gratuitous arp or GARP for short Smiley Wink

Thanks

James

Go to solution
jpa
L4 Transporter
In response to migration

‎11-12-2010 01:53 PM

https://live.paloaltonetworks.com/docs/DOC-1656 for deep dive on HA

0 Likes Likes
  • 1 accepted solution
  • 3345 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks