topic Re: PA Active / Active without Virtual IP in Next-Generation Firewall Discussions

PA Active / Active without Virtual IP

Edsnow — Mon, 05 Aug 2024 15:38:43 GMT

Hi All,

In PA active / active configuration, what will happen if there is no virtual address is configured.

I am seeing there are two ISP configured in each one in each firewall. Is it right way to configure it.

Re: PA Active / Active without Virtual IP

Alejandro_Hernandez — Mon, 05 Aug 2024 16:25:19 GMT

hi @Edsnow

So depends of use cases

You will use the following guide with the use cases

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/high-availability/set-up-activeactive-ha/determine-your-activeactive-use-case

Re: PA Active / Active without Virtual IP

Edsnow — Tue, 06 Aug 2024 05:27:21 GMT

Hi Alenjandro,

Thanks for the reply,

In this case if,I choose to Active/active with route-based redundancy, Where the routing decision will be made. In router or Firewall.

Re: PA Active / Active without Virtual IP

Alejandro_Hernandez — Tue, 06 Aug 2024 15:15:30 GMT

hi @Edsnow

For route-based redundancy:

In a Layer 3 interface deployment and active/active HA configuration, the firewalls are connected to routers, not switches. The firewalls use dynamic routing protocols to determine the best path (asymmetric route) and to load share between the HA pair. In such a scenario, no floating IP addresses are necessary. If a link, monitored path, or firewall fails, or if Bidirectional Forwarding Detection (BFD) detects a link failure, the routing protocol (RIP, OSPF, or BGP) handles the rerouting of traffic to the functioning firewall. You configure each firewall interface with a unique IP address. The IP addresses remain local to the firewall where they are configured; they do not move between devices when a firewall fail