https://live.paloaltonetworks.com/t5/general-topics/dual-pa220-active-active-with-active-active-service-provider/m-p/510566#M106222 <P>Hello Family,</P> <P>&nbsp;</P> <P>I have a pair of PA220 in Active/Standby mode, I know datasheet of PA220 is as below:</P> <P>&nbsp;</P> <P>Firewall throughput (HTTP/appmix)* 545/535 Mbps</P> <P>Threat Prevention throughput (HTTP/appmix)† 265/320 Mbps</P> <P>IPsec VPN throughput‡ 550 Mbps</P> <P>Max sessions 64,000</P> <P>New sessions per second§ 4,200</P> <P>&nbsp;</P> <P>I already have a 250Mbps service provider internet link, and would like to add another due to office getting bigger, but would prefer I utilize the complete 500Mbps I'd have fully without getting the SDWAN license, and the PANs and links should also act as failover for each other incase one goes down.</P> <P>&nbsp;</P> <P>I want to terminate one ISP on say PAN1 and the other on PAN2 and have them in a HA situation that they are both active. Also, I'd be doing IPSec to my workload in AWS, I'm guessing I'd create a tunnel from both PANs to AWS and probably utilize ECMP.</P> <P>&nbsp;</P> <P>From my GP perspective, how do I also make sure public IPs from both ISPs are referenced to give me better availability.</P> <P>&nbsp;</P> <P>Has anyone done this use case and have any pointers or blogged about it?</P> <P>&nbsp;</P> <P>Thanks.</P> Tue, 02 Aug 2022 12:27:19 GMT Tobi_Babatunde 2022-08-02T12:27:19Z https://live.paloaltonetworks.com/t5/general-topics/dual-pa220-active-active-with-active-active-service-provider/m-p/510566#M106222 <P>Hello Family,</P> <P>&nbsp;</P> <P>I have a pair of PA220 in Active/Standby mode, I know datasheet of PA220 is as below:</P> <P>&nbsp;</P> <P>Firewall throughput (HTTP/appmix)* 545/535 Mbps</P> <P>Threat Prevention throughput (HTTP/appmix)† 265/320 Mbps</P> <P>IPsec VPN throughput‡ 550 Mbps</P> <P>Max sessions 64,000</P> <P>New sessions per second§ 4,200</P> <P>&nbsp;</P> <P>I already have a 250Mbps service provider internet link, and would like to add another due to office getting bigger, but would prefer I utilize the complete 500Mbps I'd have fully without getting the SDWAN license, and the PANs and links should also act as failover for each other incase one goes down.</P> <P>&nbsp;</P> <P>I want to terminate one ISP on say PAN1 and the other on PAN2 and have them in a HA situation that they are both active. Also, I'd be doing IPSec to my workload in AWS, I'm guessing I'd create a tunnel from both PANs to AWS and probably utilize ECMP.</P> <P>&nbsp;</P> <P>From my GP perspective, how do I also make sure public IPs from both ISPs are referenced to give me better availability.</P> <P>&nbsp;</P> <P>Has anyone done this use case and have any pointers or blogged about it?</P> <P>&nbsp;</P> <P>Thanks.</P> Tue, 02 Aug 2022 12:27:19 GMT https://live.paloaltonetworks.com/t5/general-topics/dual-pa220-active-active-with-active-active-service-provider/m-p/510566#M106222 Tobi_Babatunde 2022-08-02T12:27:19Z https://live.paloaltonetworks.com/t5/general-topics/dual-pa220-active-active-with-active-active-service-provider/m-p/510651#M106235 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/221976">@Tobi_Babatunde</a>,</P> <P>Why aren't you just using ECMP? That would be the more traditional approach to this and you aren't really losing anything. If you did this as you described you'd still only load balance on a session basis, which is already what ECMP does. Sounds like you're trying to over engineer a solution here when you don't need to outside of having some other considerations that you don't have listed here.&nbsp;</P> Wed, 03 Aug 2022 02:07:37 GMT https://live.paloaltonetworks.com/t5/general-topics/dual-pa220-active-active-with-active-active-service-provider/m-p/510651#M106235 BPry 2022-08-03T02:07:37Z