Exam PCNSE
Question 142

An administrator has been asked to configure active/active HA for a pair of firewalls. The firewalls use Layer 3 interfaces to send traffic to a single gateway IP for the pair.

Which configuration will enable this HA scenario?

    Correct Answer: B

    In an active/active high availability configuration for firewalls using Layer 3 interfaces, each firewall typically has its own floating IP, and priority determines which firewall utilizes the primary IP. This allows both firewalls to send and receive traffic simultaneously, ensuring load balancing and redundancy. If one firewall fails, its floating IP is moved to the other firewall to maintain uninterrupted service. Therefore, the configuration where each firewall has a separate floating IP, with priority determining the primary IP, is the correct setup for this scenario.

Discussion
eyelasers1 Option: A

ANSWER: A https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/high-availability/ha-concepts/floating-ip-address-and-virtual-mac-address.html "each HA firewall interface has its own IP address and floating IP address. The interface IP address remains local to the firewall, but the floating IP address moves between the firewalls upon firewall failure. .... If a link or firewall fails or a path monitoring event causes a failover, the floating IP address and virtual MAC address move over to the functional firewall. ... The functioning firewall sends a gratuitous ARP to update the MAC tables of the connected switches to inform them of the change in floating IP address

TAKUM1y Option: A

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/high-availability/ha-concepts/floating-ip-address-and-virtual-mac-address

evilCorpBot7494 Option: B

Each firewall has its own floating IP. The fact they both send information to the same gateway doesn't mean they need to have just one floating IP, and the use case Palo Alto pushes is 1 floating IP for each firewall, that can at any moment go to the other firewall in case the original owner of one of them fails. Study Guide Page 180 and https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/high-availability/set-up-activeactive-ha/determine-your-activeactive-use-case/use-case-configure-activeactive-ha-with-floating-ip-addresses

Gab99 Option: A

It depends, 1. With L3 scenario with Active/Active deployment that behaves like Active/Passive deployment (Use Case: Configure Active/Active HA with Floating IP Address Bound to Active-Primary Firewall, https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/high-availability/set-up-activeactive-ha/determine-your-activeactive-use-case#id726797f4-7d7b-4204-b86c-42589d19e8ac) there is only ONE FLOATING IP. 2. There is also a use case with TWO FLOATING IPs, so please be careful with your assumptions. From the description I would say "Standard L3 use case" (with active/active for faster failover), so only ONE FLOATING IP. >>>> ANSWER A But maybe the use case is the other, not 100% sure.

DenskyDen Option: B

B. each HA firewall interface has its own IP address and floating IP address. The interface IP address remains local to the firewall, but the floating IP address moves between the firewalls upon firewall failure.

djedeen Option: B

B: one floating IP per firewall, moved around via gratuitous ARP upon failure.

Bobhope Option: B

VickiF is correct. The docs say that each HA interface has its own IP and floating IP. That makes two floating IPs. Answer A says there is only one shared IP and is thus false.

VickiF Option: B

It should be B. Each firewall has its own floating IP, so that traffic can flow to both. When something happens to one firewall, its floating IP will fail over to the other firewall, and that firewall will have both floating IPs.

apiloran Option: A

ANSWER: A The Key word is single gateway.

ATRRHMN Option: B

https://docs.paloaltonetworks.com/content/techdocs/en_US/pan-os/11-0/pan-os-admin/high-availability/ha-concepts/floating-ip-address-and-virtual-mac-address.html https://docs.paloaltonetworks.com/content/techdocs/en_US/pan-os/11-0/pan-os-admin/high-availability/set-up-activeactive-ha/determine-your-activeactive-use-case/use-case-configure-activeactive-ha-with-floating-ip-addresses.html

Marshpillowz Option: A

A is correct

Xuzi Option: A

The active/active HA firewalls share a single floating IP address that you bind to whichever firewall is in the active-primary state. With only one floating IP address, network traffic flows predominantly to a single firewall, so this active/active deployment functions like an active/passive deployment. https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/high-availability/set-up-activeactive-ha/determine-your-activeactive-use-case/use-case-configure-activeactive-ha-with-floating-ip-address-bound-to-active-primary-firewall#id93973f10-2001-4ae4-b475-faa7e70967c1

gc999 Option: B

I will choose B. "Each HA firewall interface has its own IP address and floating IP address. The interface IP address remains local to the firewall, but the floating IP address moves between the firewalls upon firewall failure". That means each firewall has its own floating IP. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/high-availability/ha-concepts/floating-ip-address-and-virtual-mac-address#:~:text=each%20HA%20firewall%20interface%20has%20its%20own%20IP%20address%20and%20floating%20IP%20address

Spaz_6 Option: A

Answer is A. I got this in practice PCNSE.

daytonadave2011 Option: A

A is the correct answer. This question is on Palo Alto Beacon.

mohr22 Option: A

A https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/high-availability/ha-concepts/arp-load-sharing

mohr22

In such a scenario, all hosts are configured with a single gateway IP address. One of the firewalls responds to ARP requests for the gateway IP address with its virtual MAC address. Each firewall has a unique virtual MAC address generated for the shared IP address. The load-sharing algorithm that controls which firewall will respond to the ARP request is configurable; it is determined by computing the hash or modulo of the source IP address of the ARP request. After the end host receives the ARP response from the gateway, it caches the MAC address and all traffic from the host is routed via the firewall that responded with the virtual MAC address for the lifetime of the ARP cache. The lifetime of the ARP cache depends on the end host operating system.
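
The three designs argued over in this thread (one floating IP bound to the active-primary firewall, one floating IP per firewall, and ARP load sharing on a single gateway IP), as an added Python model that is not from any poster or from Palo Alto Networks. The device IDs 0 and 1, the lower-value-wins priority rule, the SHA-256 stand-in hash and all addresses are assumptions or constructed sample data.

```python
import hashlib
import ipaddress

def floating_ip_owner(priorities, up):
    """Device holding a floating IP: the best-priority peer that is still up.
    Assumption of this model: the lower priority value wins."""
    alive = [dev for dev in priorities if up[dev]]
    return min(alive, key=lambda dev: priorities[dev]) if alive else None

def arp_responder(src_ip, up, algorithm="modulo"):
    """ARP load sharing: which peer answers ARP for the single shared gateway IP.
    'modulo' uses the parity of the requester's address; 'hash' uses SHA-256 as a
    stand-in, since the firewall's real hash function is not given on the page."""
    ip = ipaddress.ip_address(src_ip)
    if algorithm == "modulo":
        pick = int(ip) % 2
    else:
        pick = hashlib.sha256(ip.packed).digest()[0] % 2
    if up[pick]:
        return pick
    survivor = 1 - pick          # the functional peer answers for everyone
    return survivor if up[survivor] else None

# Constructed sample data: two floating IPs, each preferring a different device.
FLOATING_IPS = {
    "192.0.2.1": {0: 0, 1: 255},   # prefers device 0
    "192.0.2.2": {0: 255, 1: 0},   # prefers device 1
}
HOSTS = ["192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13"]

def snapshot(up):
    """Which device forwards traffic under each design for a given up/down state."""
    return {
        # One floating IP; device 0 is modelled as the active-primary peer.
        "single_floating_ip": floating_ip_owner(FLOATING_IPS["192.0.2.1"], up),
        # One floating IP per firewall; hosts are split between the two gateways.
        "two_floating_ips": {fip: floating_ip_owner(prio, up)
                             for fip, prio in FLOATING_IPS.items()},
        # One shared gateway IP; the answering peer depends on the ARP requester.
        "arp_load_sharing": {h: arp_responder(h, up) for h in HOSTS},
    }

if __name__ == "__main__":
    for state in ({0: True, 1: True}, {0: False, 1: True}):
        print(state, snapshot(state))
```

With both peers up, only the second and third designs spread hosts across both firewalls; after device 0 fails, every design converges on device 1.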