https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/azure-ngfw-active-active-ha-and-panorama-requirements/m-p/347902#M944 <P>Hello</P><P>&nbsp;</P><P>We have configured HA on Azure, but it turns out that is not the best setup. You don't need a loadbalancer (and therefore no additional virtual router if you have more than one interface behind a loadbalancer).</P><P>Unfortunately the failover (regardless of triggered manual or due to an failure) is very slow. The command "hey Azure, shift IP from from interface A to interface B" is triggered immediately. In our environment (trusted, untrusted + two additional IPs with public IP) it typically takes 3 up to 5 Minutes until the failover is completed.</P> Wed, 09 Sep 2020 14:53:27 GMT JoergSchuetter 2020-09-09T14:53:27Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/azure-ngfw-active-active-ha-and-panorama-requirements/m-p/347462#M941 <P>Hi, we're currently evaluating the use of NGFW's for a new Azure deployment.</P><P>&nbsp;</P><P>Ideally, we need to deploy NGFW in an active-active HA pattern behind an Azure internal load balancer.</P><P>&nbsp;</P><P>The <A href="https://docs.paloaltonetworks.com/vm-series/9-1/vm-series-deployment/set-up-the-vm-series-firewall-on-azure/autoscaling-the-vm-series-firewall-on-azure.html" target="_blank" rel="noopener">documentation</A> appears to state that Panorama is required to support this configuration. Is this a hard requirement? Is it possible to enable active-active with Config sync without Panorama?</P><P>&nbsp;</P><P>Thanks.</P><P>&nbsp;</P> Tue, 08 Sep 2020 12:28:19 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/azure-ngfw-active-active-ha-and-panorama-requirements/m-p/347462#M941 andrewkelleher 2020-09-08T12:28:19Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/azure-ngfw-active-active-ha-and-panorama-requirements/m-p/347899#M943 <P>Hi Andrew,</P><P>&nbsp;</P><P>we talking here about two different things. the documentation is talking about Azure Autoscaling no we didnt use here a native HA configuration both firewalls are working independently. the is no Session Sync. the Panorama is taking care here about the increase and decrease of VM-Instances inside the VMSS and this is done via the AppInsight Metrics.&nbsp;</P><P>&nbsp;</P><P>the Native HA configuration is working in Azure but without a Loabbalancer in the Front or Back. look here about the Setup&nbsp;<A href="https://docs.paloaltonetworks.com/vm-series/9-0/vm-series-deployment/set-up-the-vm-series-firewall-on-azure/configure-activepassive-ha-for-vm-series-firewall-on-azure.html" target="_blank">https://docs.paloaltonetworks.com/vm-series/9-0/vm-series-deployment/set-up-the-vm-series-firewall-on-azure/configure-activepassive-ha-for-vm-series-firewall-on-azure.html</A></P><P>&nbsp;</P><P>I hope that helped you?</P><P>&nbsp;</P><P>Regards,</P><P>Torsten</P><P>&nbsp;</P> Wed, 09 Sep 2020 14:22:25 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/azure-ngfw-active-active-ha-and-panorama-requirements/m-p/347899#M943 tostern 2020-09-09T14:22:25Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/azure-ngfw-active-active-ha-and-panorama-requirements/m-p/347902#M944 <P>Hello</P><P>&nbsp;</P><P>We have configured HA on Azure, but it turns out that is not the best setup. You don't need a loadbalancer (and therefore no additional virtual router if you have more than one interface behind a loadbalancer).</P><P>Unfortunately the failover (regardless of triggered manual or due to an failure) is very slow. The command "hey Azure, shift IP from from interface A to interface B" is triggered immediately. In our environment (trusted, untrusted + two additional IPs with public IP) it typically takes 3 up to 5 Minutes until the failover is completed.</P> Wed, 09 Sep 2020 14:53:27 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/azure-ngfw-active-active-ha-and-panorama-requirements/m-p/347902#M944 JoergSchuetter 2020-09-09T14:53:27Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/azure-ngfw-active-active-ha-and-panorama-requirements/m-p/347904#M945 <P>Hi Jörg,</P><P>&nbsp;</P><P>thats correct and thats a normal behaviour in Azure. The Problem here is the API call from Azure to detach and attach the interface.</P><P>&nbsp;</P><P>Regards,</P><P>Torsten</P> Wed, 09 Sep 2020 15:10:21 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/azure-ngfw-active-active-ha-and-panorama-requirements/m-p/347904#M945 tostern 2020-09-09T15:10:21Z