topic Re: High availability Links on different locations in General Topics

High availability Links on different locations

IT-Esp — Tue, 04 Jun 2024 07:26:34 GMT

Hi,

we have 2 PA1410 on two different buildings. They act in an active-passive cluster.

On each location is a switch, and the Firewall ist connected with all of its port (ha1a, ha1b, ha2, MGM, Data) to the switch.

The switches are connected though a glasfiber to each other.

Does it make sense, to buy a fiber sfp transceiver for each firewall and connect a ha1-link directly to the other firewall?

Then the HA1 Link is connected through the HA1A Port to the switch and Backup HA1 Link is connected through a sfp Transceiver directly to the other system.

Re: High availability Links on different locations

reaper — Tue, 04 Jun 2024 11:27:17 GMT

If this is not ridiculously expensive, i would recommend you get a secondary ha1(backup) link.

If both ha1 links go through the same fiber, a fiber cut will cause a split brain: both firewalls will become active and claim the IP addresses (dynamic routing and gratuitous arp) which may cause even more trouble to deal with

if you have a physical ha1 backup link, a link failure would be less catastrophic

Re: High availability Links on different locations

Brandon_Wertz — Tue, 04 Jun 2024 13:43:42 GMT

@IT-Esp wrote:

Hi,

we have 2 PA1410 on two different buildings. They act in an active-passive cluster.

On each location is a switch, and the Firewall ist connected with all of its port (ha1a, ha1b, ha2, MGM, Data) to the switch.

The switches are connected though a glasfiber to each other.

Does it make sense, to buy a fiber sfp transceiver for each firewall and connect a ha1-link directly to the other firewall?

Then the HA1 Link is connected through the HA1A Port to the switch and Backup HA1 Link is connected through a sfp Transceiver directly to the other system.

I would say it would depend on how the 2 buildings are already connected to each other and how much do you trust that connectivity?

There was a time that my company's DC was split between 2 geographic location 180+ miles apart and we had a HA A/P FW split across that distance. We used dedicated P2P fiber and we had no issues. Only ever used HA1/HA2 and never used a backup link for HA.

We did use the management port as a heartbeat backup as a fail-safe. Using this design as long as those P2P links between the DCs never went down we never had an issue with split HA across this distance. In this design you can use copper or fiber locally as desired for your HA. I don't really see a reason to pay for yet another fiber link from an ISP to support a HA-backup connection.

Re: High availability Links on different locations

MP18 — Tue, 04 Jun 2024 19:40:11 GMT

@IT-Esp We have few PA across the DC running in Active Passive Mode.

We have Two Switches in Each DC running VRRP.

HA1 and HA1B has connection to local switch in each DC.

HA2 we have Single Mode connection directly between the firewalls.

HA2 backup also has connection to Local switch.

We have no issues with this design.

Regards