https://live.paloaltonetworks.com/t5/next-generation-firewall/ha-configuration-with-network-provider-router/m-p/513713#M345 <P>Hello</P> <P>&nbsp;</P> <P>In case where I haven't switch between network provider router and our cluster of Palo Alto (Active/Passive), only a cable between router (eth1) and Eth1 of Active firewall, if the active FW is broken, the communication will be cut or not ?&nbsp;</P> <P>&nbsp;</P> <P>What is the best design to connect a sigle router of network operator to our FW cluster if we can dedicated a switch between router and FW ?</P> <P>&nbsp;</P> <P>BR</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="JeromeC_0-1662024189356.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/43626i49D44BB46658E26F/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="JeromeC_0-1662024189356.png" alt="JeromeC_0-1662024189356.png" /></span></P> <P>&nbsp;</P> Thu, 01 Sep 2022 09:24:57 GMT JeromeC 2022-09-01T09:24:57Z https://live.paloaltonetworks.com/t5/next-generation-firewall/ha-configuration-with-network-provider-router/m-p/513713#M345 <P>Hello</P> <P>&nbsp;</P> <P>In case where I haven't switch between network provider router and our cluster of Palo Alto (Active/Passive), only a cable between router (eth1) and Eth1 of Active firewall, if the active FW is broken, the communication will be cut or not ?&nbsp;</P> <P>&nbsp;</P> <P>What is the best design to connect a sigle router of network operator to our FW cluster if we can dedicated a switch between router and FW ?</P> <P>&nbsp;</P> <P>BR</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="JeromeC_0-1662024189356.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/43626i49D44BB46658E26F/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="JeromeC_0-1662024189356.png" alt="JeromeC_0-1662024189356.png" /></span></P> <P>&nbsp;</P> Thu, 01 Sep 2022 09:24:57 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/ha-configuration-with-network-provider-router/m-p/513713#M345 JeromeC 2022-09-01T09:24:57Z https://live.paloaltonetworks.com/t5/next-generation-firewall/ha-configuration-with-network-provider-router/m-p/513772#M349 <P>Yes, if the active PA fails the network will be cut off. You need a switch to link the active and passive external interfaces to the network provider router. Or get the network provider to bridge 2 ports together on their router.</P> <P>&nbsp;</P> <P>&nbsp;You show that your active/passive are connected to a VLAN on the internal network. Another possibility would be to create another VLAN on your existing internal switch and use that VLAN to bridge the active/passive external interfaces to the network provider router. If you are extremely short on switch ports you could even put the internal and external VLANs on the same physical ports (one switchport to each PA) and the external VLAN to the network provider.</P> Thu, 01 Sep 2022 18:50:20 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/ha-configuration-with-network-provider-router/m-p/513772#M349 Adrian_Jensen 2022-09-01T18:50:20Z