https://live.paloaltonetworks.com/t5/general-topics/failover-between-sites/m-p/484012#M104405 <P>Hey <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/59972">@simsim</a> ,</P><P>- As described in this document&nbsp; <A href="https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/high-availability/ha-concepts/ha-links-and-backup-links" target="_blank">https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/high-availability/ha-concepts/ha-links-and-backup-links</A> Control Link (HA1) and Data Link (HA2) can use layer3 and if you route the two networks between sites, the two firewall will should be able to establish HA cluster.</P><P>&nbsp;</P><P>There is one problem: - PAN FWs in Active/Passive cluster are sharing interface addresses, which means you need the networks between FW and core to use the same addressing on both side - you cannot assign different network/addresses on the passive member.</P><P>&nbsp;</P><P>From top of my head, I believe you can achieve what you want, but I wouldn't prefer this approach, lots of complications and confusing setup and it is possible to have some issues with HA traffic.</P><P>&nbsp;</P><P>I would also suggest you to consider <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/27580">@OtakarKlier</a>&nbsp; proposal and use standalone firewalls with dynamic routing. You still can have "active/passive", by always preferring the routes from FW1 and failover to FW2 only when routes from FW1 are unavailable.</P><P>The biggest challenge with this approach is that you have to keep the rules consistence between the two firewalls. I would recommend to use Panorama and manage both firewalls with the same device group. Of course if you don't have panorama at the moment your budged may be a problem.</P><P>&nbsp;</P><P>(believe me configuring same rules manually on separate firewall is complete nightmare - I have inherited two similar firewalls and I haven't managed to fix all the mess of missing rules between the two firewalls)</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Sun, 01 May 2022 06:44:41 GMT aleksandar.astardzhiev 2022-05-01T06:44:41Z https://live.paloaltonetworks.com/t5/general-topics/failover-between-sites/m-p/482143#M104247 <P>Hi,</P><P>&nbsp;</P><P>&nbsp;</P><P>Hi ,</P><P>&nbsp;</P><P>I have two sites , between sites layer 3 connection is there .single firewall deployed in each site .Now I want to&nbsp; make active standby with these firewalls .</P><P>How can I do that , does it work without any problem ?</P><P>What need to be dome to make it work&nbsp;</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="site to site.JPG" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/40275i1A1E50302200F53F/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="site to site.JPG" alt="site to site.JPG" /></span></P><P>Thanks&nbsp;</P> Sat, 23 Apr 2022 13:35:11 GMT https://live.paloaltonetworks.com/t5/general-topics/failover-between-sites/m-p/482143#M104247 simsim 2022-04-23T13:35:11Z https://live.paloaltonetworks.com/t5/general-topics/failover-between-sites/m-p/482335#M104277 <P>Hello,</P><P>Is this for internal users going out or outside services that are hosted, ie websites?</P><P>Regards,</P> Mon, 25 Apr 2022 15:06:32 GMT https://live.paloaltonetworks.com/t5/general-topics/failover-between-sites/m-p/482335#M104277 OtakarKlier 2022-04-25T15:06:32Z https://live.paloaltonetworks.com/t5/general-topics/failover-between-sites/m-p/482359#M104281 <P>Hi,</P><P>&nbsp;</P><P>Internet access for LAN users&nbsp; and hosted services&nbsp;</P><P>&nbsp;</P><P>Thanks</P> Mon, 25 Apr 2022 17:02:41 GMT https://live.paloaltonetworks.com/t5/general-topics/failover-between-sites/m-p/482359#M104281 simsim 2022-04-25T17:02:41Z https://live.paloaltonetworks.com/t5/general-topics/failover-between-sites/m-p/483291#M104334 <P>Hello,</P><P>Using a dynamic routing protocol such as OSPF should accomplish what you are looking for. It will distribute the routes based on metrics. Make the metrics between the datacenters say 10000, that way the default (internet outbound) routes are always going to point to their respective data center firewalls. And in case of a failure of a firewall, the traffic will be routed via the wan link to the other firewall.</P><P>&nbsp;</P><P>Regards,</P> Wed, 27 Apr 2022 19:08:55 GMT https://live.paloaltonetworks.com/t5/general-topics/failover-between-sites/m-p/483291#M104334 OtakarKlier 2022-04-27T19:08:55Z https://live.paloaltonetworks.com/t5/general-topics/failover-between-sites/m-p/484012#M104405 <P>Hey <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/59972">@simsim</a> ,</P><P>- As described in this document&nbsp; <A href="https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/high-availability/ha-concepts/ha-links-and-backup-links" target="_blank">https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/high-availability/ha-concepts/ha-links-and-backup-links</A> Control Link (HA1) and Data Link (HA2) can use layer3 and if you route the two networks between sites, the two firewall will should be able to establish HA cluster.</P><P>&nbsp;</P><P>There is one problem: - PAN FWs in Active/Passive cluster are sharing interface addresses, which means you need the networks between FW and core to use the same addressing on both side - you cannot assign different network/addresses on the passive member.</P><P>&nbsp;</P><P>From top of my head, I believe you can achieve what you want, but I wouldn't prefer this approach, lots of complications and confusing setup and it is possible to have some issues with HA traffic.</P><P>&nbsp;</P><P>I would also suggest you to consider <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/27580">@OtakarKlier</a>&nbsp; proposal and use standalone firewalls with dynamic routing. You still can have "active/passive", by always preferring the routes from FW1 and failover to FW2 only when routes from FW1 are unavailable.</P><P>The biggest challenge with this approach is that you have to keep the rules consistence between the two firewalls. I would recommend to use Panorama and manage both firewalls with the same device group. Of course if you don't have panorama at the moment your budged may be a problem.</P><P>&nbsp;</P><P>(believe me configuring same rules manually on separate firewall is complete nightmare - I have inherited two similar firewalls and I haven't managed to fix all the mess of missing rules between the two firewalls)</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Sun, 01 May 2022 06:44:41 GMT https://live.paloaltonetworks.com/t5/general-topics/failover-between-sites/m-p/484012#M104405 aleksandar.astardzhiev 2022-05-01T06:44:41Z