
IP Address and MAC address in Active/Passive HA Mode


L1 Bithead

Hi,


Do Active/Passive HA firewalls have the same physical MAC address on the data plane interfaces? I feel MAC addresses are unique, so how can the MAC address be the same on both firewalls?


Are virtual MAC addresses and floating IPs used in Active/Passive HA mode? If so, how are they configured?


Thanks.


Accepted Solutions

Cyber Elite

Each firewall has its own MAC that it comes with from the factory.

When you enable HA, a new virtual MAC address is generated based on the group number.

This virtual MAC address is then used by the active firewall to reply to ARP requests.

If you fail over to the secondary firewall, a gratuitous ARP is sent out by the secondary firewall announcing that the MAC address has moved to the other switch port, and the secondary starts responding to ARP requests using the same virtual MAC.

As the virtual MAC is generated based on the HA group number, you never want to put 2 Palo HA clusters (4 firewalls) into the same Ethernet network with the same group number. This will cause a MAC address conflict.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
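The behaviour described in the accepted answer can be checked from the switch side: a clean failover shows the virtual MAC moving to another port once, while two clusters sharing a group ID show the same MAC bouncing between ports every few seconds. The following is an added example (not code from the thread or from Palo Alto Networks) that classifies each MAC from constructed ARP observations; the MAC values, port names and thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample: (seconds, sender MAC, switch port) for each ARP reply or
# gratuitous ARP seen by a monitoring session. Values are made up for the example.
OBSERVATIONS = [
    (0,   "00:1b:17:00:01:10", "Gi1/0/1"),  # cluster A, active unit
    (60,  "00:1b:17:00:01:10", "Gi1/0/1"),
    (120, "00:1b:17:00:01:10", "Gi1/0/2"),  # failover: passive unit sends GARP, MAC moves once
    (180, "00:1b:17:00:01:10", "Gi1/0/2"),
    (200, "00:1b:17:00:02:10", "Gi1/0/5"),  # MAC claimed by two different ports in turn:
    (210, "00:1b:17:00:02:10", "Gi1/0/7"),  # two clusters with the same HA group number
    (215, "00:1b:17:00:02:10", "Gi1/0/5"),
    (220, "00:1b:17:00:02:10", "Gi1/0/7"),
    (0,   "00:1b:17:00:03:10", "Gi1/0/9"),  # healthy cluster, never moves
    (300, "00:1b:17:00:03:10", "Gi1/0/9"),
]


def analyze_virtual_macs(observations, window=60, max_moves=1):
    """Classify each MAC as 'stable', 'failover' or 'conflict'.

    A single port change is what an Active/Passive failover looks like.
    More than `max_moves` changes inside `window` seconds means two devices
    are answering ARP with the same MAC, i.e. a duplicated HA group number.
    """
    last_port = {}
    move_times = defaultdict(list)  # mac -> timestamps at which the port changed
    for t, mac, port in sorted(observations):
        prev = last_port.get(mac)
        if prev is not None and prev != port:
            move_times[mac].append(t)
        last_port[mac] = port

    verdict = {}
    for mac in last_port:
        times = move_times[mac]
        flapping = any(
            times[i + max_moves] - times[i] <= window
            for i in range(len(times) - max_moves)
        )
        verdict[mac] = "conflict" if flapping else ("failover" if times else "stable")
    return verdict


if __name__ == "__main__":
    for mac, state in analyze_virtual_macs(OBSERVATIONS).items():
        print(f"{mac}: {state}")
```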


3 REPLIES


L1 Bithead

Thank you @Raido_Rattameister

Cyber Elite

As a side note, if you use virtual firewalls in VMware then most likely you turn off the virtual MAC option, because to use a virtual MAC you would need to configure the vSwitches into promiscuous mode (a very bad idea).

As a result, each HA firewall will have its own MAC.

 

Device > Setup > Management > Use Hypervisor Assigned MAC Addresses

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011