https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/traffic-inspection-in-aws-using-gwlb-and-ha/m-p/586420#M2170 <P>Just to illustrate my question - is it supported / necessary that in a design like below:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="szaboi_0-1715429718953.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/59627iCDE2176A0A37AC9F/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="szaboi_0-1715429718953.png" alt="szaboi_0-1715429718953.png" /></span></P> <P>&nbsp;</P> <P>We deploy and HA pair in place of each of the VM-Series shown above to have session data maintained to protect against device failure</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="szaboi_1-1715429786155.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/59628i9758E00FBC6B59EB/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="szaboi_1-1715429786155.png" alt="szaboi_1-1715429786155.png" /></span></P> <P>Getting a setup where GWLB routes to HA endpoints (interfaces) not to the eth0 of each device</P> Sat, 11 May 2024 12:18:13 GMT szaboi 2024-05-11T12:18:13Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/traffic-inspection-in-aws-using-gwlb-and-ha/m-p/586417#M2169 <P>Hello Team,</P> <P>&nbsp;</P> <P>We are implementing Traffic Inspection in AWS using the Inspection VPC , TGW and&nbsp; GWLB architecture. We would need to ensure upon device failure/reboot inflight sessions are not terminated.&nbsp; We use VM Series 11.</P> <P>&nbsp;</P> <P>The official documentation has a section "Enable Session Resiliency on VM-Series for AWS" to achieve this which leverages Redis.</P> <P>&nbsp;</P> <P>On the other side all we want to achieve is HA. In case one device fails the other can take over existing sessions.</P> <P>The other architectures for inspection either use 1-1 device in each AZs or leverage ASG with multiple devices between them, but as I understand session data will only be synchronized automatically in an HA setup between the devices.</P> <P>&nbsp;</P> <P>If all we want to achieve is traffic inspection (in inspection VPC) and an HA that in case the device fails all sessions remain intact i.e. would not break,&nbsp; cannot we deploy an HA pair of devices (in one AZ) with the network interface move option and set the 'moving' ENI as target IP for the GWLB in the inspection VPC?&nbsp; (If multi-AZ is required then set up a similar in a different AZ as well.)</P> <P>&nbsp;</P> <P>With this in case the primary device fails session data is available to the standby one and the ENI is migrated to the second device and the GWLB would still continue to route to the same IP (The HA moving one).</P> <P>&nbsp;</P> <P>I have not seen such design anywhere so I wonder if that is supported or whether in the case of centralized inspection setup losing session data during a potential PAN device failure is not causing disruption to inflight sessions.</P> <P>&nbsp;</P> <P>Thank you for your help in advance</P> <P>Regards</P> <P>Imre</P> Sat, 11 May 2024 12:06:11 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/traffic-inspection-in-aws-using-gwlb-and-ha/m-p/586417#M2169 szaboi 2024-05-11T12:06:11Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/traffic-inspection-in-aws-using-gwlb-and-ha/m-p/586420#M2170 <P>Just to illustrate my question - is it supported / necessary that in a design like below:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="szaboi_0-1715429718953.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/59627iCDE2176A0A37AC9F/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="szaboi_0-1715429718953.png" alt="szaboi_0-1715429718953.png" /></span></P> <P>&nbsp;</P> <P>We deploy and HA pair in place of each of the VM-Series shown above to have session data maintained to protect against device failure</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="szaboi_1-1715429786155.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/59628i9758E00FBC6B59EB/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="szaboi_1-1715429786155.png" alt="szaboi_1-1715429786155.png" /></span></P> <P>Getting a setup where GWLB routes to HA endpoints (interfaces) not to the eth0 of each device</P> Sat, 11 May 2024 12:18:13 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/traffic-inspection-in-aws-using-gwlb-and-ha/m-p/586420#M2170 szaboi 2024-05-11T12:18:13Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/traffic-inspection-in-aws-using-gwlb-and-ha/m-p/586745#M2176 <P>Hi All,</P> <P>&nbsp;</P> <P>We understand the above is not documented/mentioned anywhere so we are working on implementing the solution that utilizes Redis as mentioned in "Enable Session Resiliency on VM-Series for AWS" section of the documentation. This seems to be so recent addition that I have not found walkthrough or sample code repo for it as all sample codes use up till ASG setup but not Redis but we try to implement this then.</P> <P>&nbsp;</P> <P>Thank you</P> <P>Regards</P> <P>Imre</P> Wed, 15 May 2024 06:59:25 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/traffic-inspection-in-aws-using-gwlb-and-ha/m-p/586745#M2176 szaboi 2024-05-15T06:59:25Z