https://live.paloaltonetworks.com/t5/general-topics/ha-active-active-dual-isp-load-balancing/m-p/556130#M112930 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/312870">@nw-rogox</a> ,</P> <P>&nbsp;</P> <P>Active/active does give you the advantage of doubling your NGFW throughput.&nbsp; However, in a failure scenario the throughput is cut in half which may not be desirable.&nbsp; The additional complexity of active/active is generally not recommended.&nbsp; Designs that are too complex tend to not only be a pain to configure as you are feeling now, but they also tend to be a pain to maintain, i.e., new problems may come up in the future.</P> <P>&nbsp;</P> <P>For example, you cannot use a floating IP address in NAT unless you have a common BGP public IP across both ISPs.</P> <P>&nbsp;</P> <P>I do not know of any documents to help you.&nbsp; I did do a quick Google search and saw a couple videos you may look at.&nbsp; They both used the switch to connect the dual ISPs to both NGFWs.</P> <P>&nbsp;</P> <P>Sorry!&nbsp; That is all I have.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> Fri, 01 Sep 2023 12:33:55 GMT TomYoung 2023-09-01T12:33:55Z https://live.paloaltonetworks.com/t5/general-topics/ha-active-active-dual-isp-load-balancing/m-p/555943#M112895 <P>Hi all,</P> <P>I am considering network design that have:</P> <P>- Dual ISP (public IP /29 for each)</P> <P>- 2 x PA with active/active HA</P> <P>- PA connects directly to L2 networks (LAN)</P> <P>&nbsp;</P> <P>Requires:</P> <P>Load sharing between 2 ISP Internet links</P> <P>&nbsp;</P> <P>Problems:</P> <P>Is it possible to configure separated nat for each?</P> <P>How session can failover to remaining PA? Do I need Floating IP for WAN public?&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 31 Aug 2023 04:28:13 GMT https://live.paloaltonetworks.com/t5/general-topics/ha-active-active-dual-isp-load-balancing/m-p/555943#M112895 nw-rogox 2023-08-31T04:28:13Z https://live.paloaltonetworks.com/t5/general-topics/ha-active-active-dual-isp-load-balancing/m-p/556008#M112901 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/312870">@nw-rogox</a> ,</P> <P>&nbsp;</P> <P>I would configure active/passive HA.&nbsp; It is less complex than active/active.</P> <P>&nbsp;</P> <OL> <LI>You can create 2 VLANs on your existing switches - one for each ISP.&nbsp; (As long as you do not create a L3 IP address for the VLANs, the switches will not be accessible from the Internet.)</LI> <LI>Then you can connect each ISP to both NGFWs and use active/passive HA.</LI> <LI>Enable ECMP with Symmetric Return.</LI> <LI>Configure 2 default routes.</LI> <LI>Configure NAT normally for each ISP.</LI> <LI>You can tune the ECMP hashing if you have weird issues.&nbsp; <A href="https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/ecmp/ecmp-load-balancing-algorithms" target="_blank">https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/ecmp/ecmp-load-balancing-algorithms</A></LI> </OL> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> Thu, 31 Aug 2023 12:49:38 GMT https://live.paloaltonetworks.com/t5/general-topics/ha-active-active-dual-isp-load-balancing/m-p/556008#M112901 TomYoung 2023-08-31T12:49:38Z https://live.paloaltonetworks.com/t5/general-topics/ha-active-active-dual-isp-load-balancing/m-p/556115#M112921 <P>Hi Tom,</P> <P>Much appreciated your support.</P> <P>As your idea, I need to add 1 physical uplink connection for each PA, but from ISP to PA Firewall, they provide the single RJ45 port via MediaConverter, not switches. However, I am consider to expand the connections as your idea.</P> <P>&nbsp;</P> <P>One thing that, if I use active/active mode, I can leverage the both firewall resources same time, could you give some document or ideas to establish active/active HA with both firewall facing Internet with public IP?&nbsp;</P> <P>&nbsp;</P> <P>I tried and in ActiveActive mode, it require NAT to the Floating IP, not accept the interface's IP as usual.</P> <P>&nbsp;</P> Fri, 01 Sep 2023 09:38:14 GMT https://live.paloaltonetworks.com/t5/general-topics/ha-active-active-dual-isp-load-balancing/m-p/556115#M112921 nw-rogox 2023-09-01T09:38:14Z https://live.paloaltonetworks.com/t5/general-topics/ha-active-active-dual-isp-load-balancing/m-p/556130#M112930 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/312870">@nw-rogox</a> ,</P> <P>&nbsp;</P> <P>Active/active does give you the advantage of doubling your NGFW throughput.&nbsp; However, in a failure scenario the throughput is cut in half which may not be desirable.&nbsp; The additional complexity of active/active is generally not recommended.&nbsp; Designs that are too complex tend to not only be a pain to configure as you are feeling now, but they also tend to be a pain to maintain, i.e., new problems may come up in the future.</P> <P>&nbsp;</P> <P>For example, you cannot use a floating IP address in NAT unless you have a common BGP public IP across both ISPs.</P> <P>&nbsp;</P> <P>I do not know of any documents to help you.&nbsp; I did do a quick Google search and saw a couple videos you may look at.&nbsp; They both used the switch to connect the dual ISPs to both NGFWs.</P> <P>&nbsp;</P> <P>Sorry!&nbsp; That is all I have.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> Fri, 01 Sep 2023 12:33:55 GMT https://live.paloaltonetworks.com/t5/general-topics/ha-active-active-dual-isp-load-balancing/m-p/556130#M112930 TomYoung 2023-09-01T12:33:55Z https://live.paloaltonetworks.com/t5/general-topics/ha-active-active-dual-isp-load-balancing/m-p/1231220#M124507 <P>One note, ECMP is only available for some hardware models.</P> Fri, 06 Jun 2025 15:11:52 GMT https://live.paloaltonetworks.com/t5/general-topics/ha-active-active-dual-isp-load-balancing/m-p/1231220#M124507 B.Bagheri 2025-06-06T15:11:52Z