HA traffic flow

All traffic reaches the primary device in the HA cluster in both active-passive and active-active modes.

In active-active mode, the primary device makes the load-balancing decision and forwards part of the traffic to the auxiliary device. See Load-balancing.

Virtual MAC address

When you initiate HA, the firewall assigns virtual MAC addresses to the primary device's interfaces. These are assigned to all the physical interfaces other than dedicated HA link interfaces and administration ports.

Virtual MAC addresses differ from the physical MAC addresses of interfaces.

The primary device shares these addresses in response to ARP requests. Only the primary device responds to ARP requests made to the cluster.

The dedicated HA link uses its own physical MAC address to communicate with the primary device. When failover occurs, the auxiliary device uses the virtual MAC address to respond to traffic requests. Since the MAC and IP addresses don't change after failover, network devices continue to communicate with the cluster.

Tip

To eliminate the need to turn on promiscuous mode on the vSwitch in virtual HA deployments, you can retain the MAC addresses assigned by the hypervisor instead of using virtual MAC addresses. You can select Use host or hypervisor-assigned MAC address in the firewall's HA configuration.

Note

The firewall generates the virtual MAC address based on the cluster ID you assign. If your network has multiple HA clusters, assign a different ID to each cluster to prevent virtual MAC address conflicts.

Here's an example of an ARP request and response in an HA cluster.

Diagram showing virtual MAC address and response to an ARP packet.
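The following Python script is an added example for this page, not code from the Sophos documentation or the firewall. It parses raw Ethernet/ARP reply frames and checks the two properties described above from a monitoring point of view: a cluster IP should be answered by exactly one MAC (only the primary responds, and the virtual MAC survives failover), and one virtual MAC should not be answering for two different cluster addresses (the symptom of two clusters sharing a cluster ID). The frames are constructed inline; the MAC values and the 192.0.2.0/24 addresses are placeholders, and the script does not model how the firewall derives the virtual MAC from the cluster ID, since that derivation is not documented here.

```python
import struct
from collections import defaultdict

# Frame layouts: Ethernet II header followed by an ARP packet for IPv4 over Ethernet.
ETH_HDR = struct.Struct("!6s6sH")            # dst MAC, src MAC, EtherType
ARP_BODY = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, opcode, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2


def _mac(b):
    return ":".join(f"{x:02x}" for x in b)


def _ip(b):
    return ".".join(str(x) for x in b)


def _mac_bytes(s):
    return bytes.fromhex(s.replace(":", ""))


def _ip_bytes(s):
    return bytes(int(o) for o in s.split("."))


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Build a raw Ethernet/ARP reply frame (used here only to construct sample input)."""
    eth = ETH_HDR.pack(_mac_bytes(target_mac), _mac_bytes(sender_mac), ETHERTYPE_ARP)
    arp = ARP_BODY.pack(1, 0x0800, 6, 4, ARP_REPLY,
                        _mac_bytes(sender_mac), _ip_bytes(sender_ip),
                        _mac_bytes(target_mac), _ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of a frame, or None if it is not an IPv4-over-Ethernet ARP frame."""
    if len(frame) < ETH_HDR.size + ARP_BODY.size:
        return None
    _dst, _src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_BODY.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "sender_mac": _mac(sha), "sender_ip": _ip(spa),
            "target_mac": _mac(tha), "target_ip": _ip(tpa)}


def audit_arp_replies(frames):
    """Track which MAC answers for which IP and flag inconsistent mappings.

    Findings (leads to verify, not proof on their own; alias IPs on one interface
    legitimately share a MAC):
      - one IP answered by more than one MAC: a second device is answering for an
        address that only the HA primary should answer for
      - one MAC answering for more than one IP: e.g. two HA clusters configured with
        the same cluster ID and therefore the same virtual MAC
    """
    ip_to_macs = defaultdict(set)
    mac_to_ips = defaultdict(set)
    for frame in frames:
        arp = parse_arp(frame)
        if arp is None or arp["op"] != ARP_REPLY:
            continue
        ip_to_macs[arp["sender_ip"]].add(arp["sender_mac"])
        mac_to_ips[arp["sender_mac"]].add(arp["sender_ip"])
    findings = []
    for ip, macs in sorted(ip_to_macs.items()):
        if len(macs) > 1:
            findings.append(f"{ip} answered by multiple MACs: {sorted(macs)}")
    for mac, ips in sorted(mac_to_ips.items()):
        if len(ips) > 1:
            findings.append(f"{mac} claims multiple IPs: {sorted(ips)}")
    return {"ip_to_macs": {k: sorted(v) for k, v in ip_to_macs.items()},
            "mac_to_ips": {k: sorted(v) for k, v in mac_to_ips.items()},
            "findings": findings}


# Constructed sample frames: documentation-range IPs, locally administered placeholder MACs.
CLUSTER_VMAC = "02:00:00:00:aa:01"          # placeholder for a cluster's virtual MAC
HOST = ("02:00:00:00:bb:10", "192.0.2.50")  # an ordinary host on the same segment
SAMPLE_FRAMES = [
    # Cluster 1: the primary answers an ARP request for the cluster interface IP ...
    build_arp_reply(CLUSTER_VMAC, "192.0.2.1", *HOST),
    # ... and after failover the new primary answers with the same virtual MAC (no change seen).
    build_arp_reply(CLUSTER_VMAC, "192.0.2.1", *HOST),
    # A device that should not be answering for the cluster IP replies with another MAC.
    build_arp_reply("02:00:00:00:cc:02", "192.0.2.1", *HOST),
    # A second cluster given the same cluster ID ends up answering with the same virtual MAC.
    build_arp_reply(CLUSTER_VMAC, "192.0.2.2", *HOST),
    # The host's own reply to the cluster, unrelated to either finding.
    build_arp_reply(HOST[0], HOST[1], CLUSTER_VMAC, "192.0.2.1"),
]

if __name__ == "__main__":
    for line in audit_arp_replies(SAMPLE_FRAMES)["findings"]:
        print(line)
```

Feed `audit_arp_replies` the frames from a capture on the cluster's segment instead of `SAMPLE_FRAMES` to run it against real traffic; on a healthy cluster the only expected result is one MAC per cluster IP that stays the same across a failover, which is exactly what the ARP description above predicts.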

Packet flow

Traffic requests are always sent to the primary device.

Here's an example of the primary device processing traffic.

Primary device packet flow.

Note

The IP addresses shown in the image are examples only. The IP addresses of your network may be different.