https://live.paloaltonetworks.com/t5/next-generation-firewall/design-suggestion/m-p/1205341#M5441 <P>Hi All,&nbsp;</P><P>I'm from network team not Firewall team. Presently we have ASA FW which we are planning to replace with two Palo's. Presently we have one WAN link going to the FW and one link to LAN router. Now how to connect two Palo's when we have one WAN link</P><P>&nbsp;</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="anee4285_1-1737725715924.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/65437i6A1DFC435835FD3F/image-size/medium?v=v2&amp;px=400" role="button" title="anee4285_1-1737725715924.png" alt="anee4285_1-1737725715924.png" /></span></P><P>&nbsp;</P><P>This is what i thought of but in this i have a question that will the FW support Layer 3 port channel and both links will be bundled/active? How the FW will work in this scenario. so which ever FW is active it will forward the traffic to the router. But router will forward traffic to both the Firewalls then the secondary FW will drop the traffic.</P><P>My router will bundle the links when it treats the FW in cluster.. Like router is connected to two nexus switches which are in VPC.&nbsp;</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="anee4285_2-1737726251355.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/65438iB7312B40CA554D44/image-size/medium?v=v2&amp;px=400" role="button" title="anee4285_2-1737726251355.png" alt="anee4285_2-1737726251355.png" /></span></P><P>&nbsp;</P><P>Any suggestion pls. You can suggest new design also.&nbsp;</P><P>&nbsp;</P> Fri, 24 Jan 2025 13:50:05 GMT anee4285 2025-01-24T13:50:05Z https://live.paloaltonetworks.com/t5/next-generation-firewall/design-suggestion/m-p/1205341#M5441 <P>Hi All,&nbsp;</P><P>I'm from network team not Firewall team. Presently we have ASA FW which we are planning to replace with two Palo's. Presently we have one WAN link going to the FW and one link to LAN router. Now how to connect two Palo's when we have one WAN link</P><P>&nbsp;</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="anee4285_1-1737725715924.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/65437i6A1DFC435835FD3F/image-size/medium?v=v2&amp;px=400" role="button" title="anee4285_1-1737725715924.png" alt="anee4285_1-1737725715924.png" /></span></P><P>&nbsp;</P><P>This is what i thought of but in this i have a question that will the FW support Layer 3 port channel and both links will be bundled/active? How the FW will work in this scenario. so which ever FW is active it will forward the traffic to the router. But router will forward traffic to both the Firewalls then the secondary FW will drop the traffic.</P><P>My router will bundle the links when it treats the FW in cluster.. Like router is connected to two nexus switches which are in VPC.&nbsp;</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="anee4285_2-1737726251355.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/65438iB7312B40CA554D44/image-size/medium?v=v2&amp;px=400" role="button" title="anee4285_2-1737726251355.png" alt="anee4285_2-1737726251355.png" /></span></P><P>&nbsp;</P><P>Any suggestion pls. You can suggest new design also.&nbsp;</P><P>&nbsp;</P> Fri, 24 Jan 2025 13:50:05 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/design-suggestion/m-p/1205341#M5441 anee4285 2025-01-24T13:50:05Z https://live.paloaltonetworks.com/t5/next-generation-firewall/design-suggestion/m-p/1205349#M5444 <P>I would do ISP &gt; switch &gt; 2x Palo</P> <P>&nbsp;</P> <P>Usually (unless there is a special routing / virtual wire requirements) Palo cluster is set up as active/passive.</P> <P>By default passive firewall keeps it's ports shut down.</P> <P>&nbsp;</P> <P>So if you decide to go with ISP &gt; router &gt; 2x Palo setup then router knows where to send traffic because only port towards active Palo is up, other id down.</P> <P>If you decide to change Palo passive port from "shutdown" mode to "auto" mode it means passive also keeps port up but does not reply to any arp requests on that port (helps to speed up failover as all the spanning tree and lacp negotiations are already done).</P> <P>&nbsp;</P> <P>In your case do Palos participate in BGP or just bypass it between routers?</P> <P>&nbsp;</P> Fri, 24 Jan 2025 15:15:17 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/design-suggestion/m-p/1205349#M5444 Raido_Rattameister 2025-01-24T15:15:17Z https://live.paloaltonetworks.com/t5/next-generation-firewall/design-suggestion/m-p/1205427#M5445 <P>Thanks Rapido for your response. So we can you either switch or router for upstream right? Right now downstream router form BGP with site router as present ASA dont support . So present FW just pass the BGP and in bypass mode.</P><P>&nbsp;</P><P>Actually we have 4 setups like this. They have independent FW. Now we are planning to have two Palos with 4 VS. But will have 4 seperate routers at downstream. One switch on top which have all 4 WAN links in different vlans.</P><P>&nbsp;</P><P>Any suggestions please&nbsp;</P> Mon, 27 Jan 2025 00:44:53 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/design-suggestion/m-p/1205427#M5445 anee4285 2025-01-27T00:44:53Z