topic Re: Panorama HA Two different Data Center in Panorama Discussions

Panorama HA Two different Data Center

Ramakrishnan — Fri, 15 Dec 2023 14:10:53 GMT

Dear Folks,

I want to setup Panorma High availability between two different data centers [Netherland-Germany] I have checked the latecny is allowed upto 1000 ms. I have some following doubts.

1. since these DC's running different Ip address spce so for HA communication between these peers have two different Ip address, is not an constrains? As long as we have reachbility[L3/L4 level] will it work?

2. since both peers are geographically seperated is there any nessasity to use SFP+ ports? that too PA has eth2/3 are in LAG ports[Viz M700 appliance]

3. As per admin guide, peer communication on MGT port then what is the purpose of Eth1/1 port, how do we configure dedicated HA for panorama

Re: Panorama HA Two different Data Center

Ramakrishnan — Tue, 19 Dec 2023 05:36:30 GMT

I have some following Questions:

As per M700 SFP+ ports eth1/2 and eth1/3 bundled called as Bond1 interface, in what use cases we use this bundle interface in Panorama, Is Data traffic [Communication between Managed firewalls and Panorama]. One of the use cases I could think off, if we want to achieve level redundancy to be achieved. Is that right understanding?

However, if we go for M-300 as there is no interface redundancy available, what would the solution for M300 redundancy [interface level]

Re: Panorama HA Two different Data Center

Kevin_Pearson — Tue, 19 Dec 2023 12:48:24 GMT

Hi Ramakrishnan

I have no idea if HA will work over 2 separate sites however, I can advise that you will need to add a variable template to the interfaces of each firewall as 'I would assume' these will be 2 different VLAN's (Unless you utilise OTV?), different internet addresses and a possible DMZ in there too. Please see below a guide to Templates.
Panorama > Templates > Template Variables (paloaltonetworks.com)
On a side note, Have you thought of utilising BGP routing and adding it to an internal routing protocol? Maybe you could go with an Active/Active set up or Active/Standby but the latency might be a bit much for those in the other country.

Re: Panorama HA Two different Data Center

Ramakrishnan — Tue, 19 Dec 2023 18:56:24 GMT

The HA peers use the management (MGT) interface to synchronize the configuration elements pushed

to the managed firewalls, Log Collectors, and WildFire appliances and appliance clusters to

maintain state information. Typically, Panorama HA peers are geographically located in different

sites, so you need to make sure that the MGT interface IP address assigned to each peer is

routable through your network

What is the use of Ether1 ports for log collection..?