topic Active/Passive HA L3 only using Bowtie connectivity between PA3410 and Cisco ISR4431 in General Topics

Active/Passive HA L3 only using Bowtie connectivity between PA3410 and Cisco ISR4431

br8523 — Mon, 24 Jun 2024 23:45:08 GMT

I have a request from my customer to implement the following HA setup where the PA 3410s are Active Passive to their partner that has 2 MPLS connections from different telcos where one side is generally the active side we'll call it Sprint and the failover side is Ma Bell. There is an image of diagram floating out there that shows bowtie looking connectivity. Photo attached. Looking at Palo Alto's KB I can't find anything like this. The image is out there on reddit at this link - https://www.reddit.com/r/paloaltonetworks/comments/yy8ium/how_two_pa3020_ha_activepassive_mode_link_two/ - and I get the consensus from this that it may be possible but no real supporting documentation one way or another. Is this doable? Where would I find an example in Palo's KB articles because I've searched based on this term - 'PA firewall active/passive failover using bowtie lan architecture' a well as ' PA firewall high availability active/passive to separate MPLS L3 connections back to back with routers'. Maybe my search string is too broad. I don't know. Anyone out here ever done this. I don't get the vibe this is doable.

Re: Active/Passive HA L3 only using Bowtie connectivity between PA3410 and Cisco ISR4431

reaper — Tue, 25 Jun 2024 08:42:18 GMT

this is perfectly doable, your approach will depend on a few things

from connectivity perspective, do both links in the bowtie need to use the same subnet, or are they different links?

in case each router has a different subnet, simply configure your interfaces with the appropriate IP/subnet and pick one of the following:

you can set up simple static routing (with path monitor) and leverage metric to choose your path
you can set up ospf (or BGP?) to prefer one uplink over another
you can use policy based forwarding (PBF) to send certain (or all) sessions via one link, and the rest via the other
- enable symmetric return to 'fix' asymmetry in case both links do send packets
- set monitoring for automatic failover to the secondary link
enable ECMP (equal cost multi path) to use both links simultaneously (enable symmetric return to maintain symmetry) and you can assign a higher/lower cost to each link so one is preferred over the other or simply load share

if both interfaces need to be in the same subnet, it gets a little more difficult:

you can set both interfaces to layer2 mode and create a layer3 vlan interface, so the same ip.subnet lives on 2 interfaces
you can create an aggregate interface and connect each interface to a different router. on each router you would also set up LAG and connect both palo's

hope this helps

Re: Active/Passive HA L3 only using Bowtie connectivity between PA3410 and Cisco ISR4431

br8523 — Tue, 25 Jun 2024 15:44:18 GMT

Tom,

Thanks for the insight. I'm going to review what you recommended and look into the points relating to your recommendations. I'll respond more later here after I bounce it around to the router guys on my team because I will be relying on their input as well. Thank you again for your response.

Re: Active/Passive HA L3 only using Bowtie connectivity between PA3410 and Cisco ISR4431

br8523 — Wed, 26 Jun 2024 07:22:32 GMT

Tom,

The current set up is Cisco ISR (Partner) to ASA (my customer). ASAs are an active/standby config.Currently we have a /29 for the Sprint and the AT&T side. We are moving from the ASAs to PA 3410s.
The partner router is 10.10.10.1/29 and the ASA is 10.10.10.2/29 (with a standby IP of 10.10.10.3/29 on the Sprint circuit).

The AT&T circuit side is 10.10.10.9/29 on the partner router and 10.10.10.10/29 on the ASA with a standby of 10.10.10.11/29 for the standby IP.

Current partner network is 192.168.1.0/23 & 192.168.3.0/23 and both partner networks are reachable through either circuit depending on the active data center on the partner side. Sprint circuit is preferred. Partner has their ISR routers in my customer's data center going back to their data centers via MPLS. We static route both of the partner networks as follows:
192.168.1.0/23 & 192.168.3.0/23 via 10.10.10.1 metric of 1 to Sprint path.
192.168.1.0/23 & 192.168.3.0/23 via 10.10.10.9 metric of 5 to AT&T path.

I want to use a dynamic routing protocol preferably BGP to cover routing in the new setup. The firewalls being in active/standby Firewall 1 being the nominal active would share the IP of 10.10.10.3 with the standby firewall if it fails over for instance. I have attached my draft diagram if you want to review it. This is very rough and if we run BGP we would have to filter on the Palo Altos to keep any potential overlap out of the system.