PaloAlto-HA-Theory
ACTIVE (FW1) ------------------- HA LINK ------------------- PASSIVE (FW2)
E1/1 (10.10.10.100)                                         E1/1 (10.10.10.100)
interfaces = GREEN (up)                                     interfaces = RED (down)
1) Failover:
interface DOWN on ACTIVE (FW1) ---- "you be active" (over the HA1 control link) ----> PASSIVE (FW2)
FW1 -> PASSIVE                                              FW2 -> ACTIVE
SWITCH <---------- GARP (10.10.10.100 is now behind FW2's MAC) ---------- ACTIVE (FW2)
Both units carry the same interface IP, but only the active one answers on it, so after every failover the switch has to re-learn which MAC the IP lives behind; the gratuitous ARP from the new active unit is what triggers that.
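The GARP step in the diagram, as an added example (not code from the original post or from Palo Alto): it builds the gratuitous ARP frame the new active unit sends for the shared interface IP, decodes it, and shows the detection-side caveat that matters to a SOC: a GARP for the firewall IP from a MAC that belongs to the HA pair is a failover, the same announcement from any other MAC is what ARP spoofing looks like, so HA pair MACs should be on the allow-list of any ARP monitor. The MAC addresses are constructed; 10.10.10.100 is the IP from the diagram.

```python
import struct

ETH_P_ARP = 0x0806          # EtherType for ARP
ARP_REPLY = 2               # opcode; some stacks send gratuitous ARP as a request (1) instead
BROADCAST = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def ip_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def build_garp(sender_mac, ip):
    """Build the 42-byte gratuitous ARP frame the new active firewall sends after
    failover: broadcast destination, sender IP == target IP, so every switch on the
    segment re-learns `ip` behind `sender_mac`."""
    eth = mac_bytes(BROADCAST) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)   # htype, ptype, hlen, plen, op
    arp += mac_bytes(sender_mac) + ip_bytes(ip) + mac_bytes(ZERO_MAC) + ip_bytes(ip)
    return eth + arp


def parse_arp(frame):
    """Decode an ARP frame; return None for anything that is not ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    op = struct.unpack("!H", frame[20:22])[0]
    sender_mac = ":".join(f"{b:02x}" for b in frame[22:28])
    sender_ip = ".".join(str(b) for b in frame[28:32])
    target_ip = ".".join(str(b) for b in frame[38:42])
    return {"op": op, "sender_mac": sender_mac, "sender_ip": sender_ip,
            "target_ip": target_ip, "gratuitous": sender_ip == target_ip}


def classify_garp(frame, fw_ip, ha_pair_macs):
    """Monitoring view of the same event: a gratuitous ARP for the firewall's
    interface IP from a MAC belonging to the HA pair is an expected failover;
    the same announcement from any other MAC looks like ARP spoofing."""
    arp = parse_arp(frame)
    if arp is None or not arp["gratuitous"] or arp["sender_ip"] != fw_ip:
        return None
    return "ha-failover" if arp["sender_mac"] in ha_pair_macs else "unexpected-mac"


# Constructed sample: FW1/FW2 share 10.10.10.100 on E1/1; the MACs are made up.
FW_IP = "10.10.10.100"
HA_PAIR_MACS = {"02:00:00:00:00:01", "02:00:00:00:00:02"}   # FW1, FW2

if __name__ == "__main__":
    failover_garp = build_garp("02:00:00:00:00:02", FW_IP)    # FW2 takes over
    print(classify_garp(failover_garp, FW_IP, HA_PAIR_MACS))  # ha-failover
    rogue_garp = build_garp("02:00:00:00:00:99", FW_IP)
    print(classify_garp(rogue_garp, FW_IP, HA_PAIR_MACS))     # unexpected-mac
```

In an active/passive pair each unit announces its own interface MAC, which is why the switch sees a different MAC after failover; the classifier above only treats that as benign when the new MAC is one of the two known units.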
HA1 (control link), HA1 backup, Heartbeat backup
Config synchronization
Management plane runtime state synchronization: FIB, user-group mappings, DHCP leases, DNS cache, etc.
HA state communication (hello and heartbeat messages, state transitions such as the "you be active" signal above)
HA2 (data link) & HA2 backup
Used to synchronize state, sessions, routing tables, IPSec security associations, and ARP tables between the two devices in the HA pair
Session synchronization
A/P – ICMP sessions are not synced.
A/A – Multicast sessions are not synced.
Data plane runtime state synchronization
ARP table, neighbor table, user-IP mappings, etc.
You cannot ping the HA2 interface: it carries sync traffic only (a Layer 2 ethertype by default, or IP protocol 99 / UDP 29281 when configured for Layer 3 transport) and does not answer ICMP
HA3
Packet forwarding link (Active/Active only)
Carries packets between the two firewalls for session setup and asymmetric traffic handling: a packet that lands on the firewall which is not the session setup device or session owner crosses HA3 to the one that is.
------------------------------------------------------------------------------------------------------------------------------
NAT device binding options include the following:
* Device 0 and Device 1—Translation is performed according to device-specific bindings only if the session owner and the device ID in the NAT rule match. Device-specific NAT rules are commonly used when the two firewalls use unique public IP addresses for translation
* Both—This option allows either device to match new sessions to the NAT rule and is commonly used for destination NAT
* Primary—This option allows only the active-primary device to match new sessions to the NAT rule. This setting is used mainly for inbound static NAT, where only one firewall should respond to ARP requests. Unlike device 0/1 bindings, a primary device binding can move between devices when the primary role is transferred
Session OWNER:
==========
------(PA1-act-prim)-------
------(PA2-act-sec)-------
•First packet
First come, first served :)
Whichever firewall (PA1 or PA2) receives the first packet of a new session becomes the SESSION OWNER
•Primary device
Only the Active-Primary device is the SESSION OWNER
++If PA2 receives the first packet, it forwards it over HA3 to PA1, which OWNS the SESSION
session SETUP:
=========
------(PA1-act-prim)-------
------(PA2-act-sec)-------
(Session setup selection only applies when the session owner is chosen by First Packet; with Primary Device as owner, the active-primary also sets up every session.)
•IP modulo
Load sharing
For one packet PA1 will be-------SESSION SETUP
For another packet PA2 will be---SESSION SETUP
Load sharing is based on the parity (even/odd) of the source IP address, not round robin: even source addresses are set up on one device, odd ones on the other
•IP Hash
Load sharing
For one packet PA1 will be-------SESSION SETUP
For another packet PA2 will be---SESSION SETUP
A hash of either the source IP alone or the source/destination IP pair selects the setup device
•Primary device
Only the Active-Primary device does SESSION SETUP
++If PA2 receives the first packet, it forwards it over HA3 to PA1 to SET UP the SESSION
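A worked model of the three Active/Active decisions above (session owner, session setup, and the NAT device-binding rules from the earlier section), added here as example code, not Palo Alto's implementation. It assumes a constructed pair where PA1 is device ID 0 and active-primary and PA2 is device ID 1; PAN-OS does not document the hash it uses for IP Hash, so SHA-256 is an assumed stand-in, and the "first-packet" setup mode is a PAN-OS option the page does not list. Each call traces one new flow and reports which unit owns it, which sets it up, whether the packet had to cross HA3, and whether a NAT rule with the given binding matches.

```python
import hashlib
import ipaddress

# Constructed A/A pair: PA1 is device ID 0 and active-primary, PA2 is device ID 1.
PA1, PA2 = 0, 1
PRIMARY = PA1


def session_owner(rx_device, owner_mode, primary=PRIMARY):
    """Session owner: 'first-packet' -> whichever firewall received the first
    packet; 'primary' -> always the active-primary."""
    if owner_mode == "first-packet":
        return rx_device
    if owner_mode == "primary":
        return primary
    raise ValueError(f"unknown owner mode {owner_mode!r}")


def session_setup(rx_device, src_ip, dst_ip, setup_mode, primary=PRIMARY):
    """Session setup device. 'ip-modulo' uses the parity of the source address,
    'ip-hash' / 'ip-hash-src-dst' a hash of the address(es). PAN-OS does not
    document its hash function; SHA-256 here is an assumption for illustration."""
    if setup_mode == "ip-modulo":
        return int(ipaddress.ip_address(src_ip)) % 2
    if setup_mode == "ip-hash":
        return int.from_bytes(hashlib.sha256(src_ip.encode()).digest(), "big") % 2
    if setup_mode == "ip-hash-src-dst":
        key = f"{src_ip}-{dst_ip}".encode()
        return int.from_bytes(hashlib.sha256(key).digest(), "big") % 2
    if setup_mode == "primary":
        return primary
    if setup_mode == "first-packet":     # PAN-OS option not listed on this page
        return rx_device
    raise ValueError(f"unknown setup mode {setup_mode!r}")


def nat_rule_applies(binding, owner, primary=PRIMARY):
    """NAT device binding: 0/1 match only when the session owner has that device ID,
    'both' matches on either device, 'primary' only when the owner is active-primary."""
    if binding == "both":
        return True
    if binding == "primary":
        return owner == primary
    return binding == owner


def handle_first_packet(rx_device, src_ip, dst_ip, owner_mode, setup_mode, nat_binding):
    """Trace one new flow through the A/A decisions. Session setup selection only
    applies when the owner is chosen by first packet; with 'primary' ownership the
    active-primary sets the session up as well."""
    owner = session_owner(rx_device, owner_mode)
    if owner_mode == "primary":
        setup = owner
    else:
        setup = session_setup(rx_device, src_ip, dst_ip, setup_mode)
    return {
        "owner": owner,
        "setup": setup,
        "via_ha3": setup != rx_device,          # packet crosses HA3 to the setup device
        "nat_applies": nat_rule_applies(nat_binding, owner),
    }


if __name__ == "__main__":
    # Constructed flows: two source addresses differing only in parity, both arriving on PA2.
    for src in ("10.1.1.10", "10.1.1.11"):
        print(src, handle_first_packet(PA2, src, "203.0.113.5", "first-packet", "ip-modulo", 1))
    print(handle_first_packet(PA2, "10.1.1.10", "203.0.113.5", "primary", "ip-modulo", "primary"))
```

The two parity cases show why IP modulo is not round robin: the same source address always lands on the same setup device, and a flow that arrives on PA2 but is set up on PA1 is the traffic that HA3 exists to carry. The NAT result is evaluated against the session owner, which is why a device 0/1 binding on a rule can silently never match on the other unit.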
COMPLETE ACTIVE/ACTIVE