topic Connecting a Tier 1 firewall pair to a Tier 2 firewall pair without a switch in General Topics

Connecting a Tier 1 firewall pair to a Tier 2 firewall pair without a switch

afiq — Tue, 07 Aug 2012 19:25:03 GMT

Internet

Tier 1 FW

Tier 2 FW (Palo Alto Firewall) in Active/Passive mode

Core Switch (HA)

Hi,

Can I connect a pair of Tier 2 firewalls (A/P HA) to a Tier 1 firewall pair (A/P HA) without using a switch(s) in between? there will be 2 UTP from each T1 firewall - 1 to each Palo Alto Firewall.

the main reason is that there's no available switches for the network.

technically will this work? is there any impact to the cluster?

Re: Connecting a Tier 1 firewall pair to a Tier 2 firewall pair without a switch

afiq — Wed, 08 Aug 2012 01:05:23 GMT

anyone having similar running setup in their datacenter?

Re: Connecting a Tier 1 firewall pair to a Tier 2 firewall pair without a switch

panman — Wed, 08 Aug 2012 03:05:37 GMT

I assume when you say UTP, you mean that both active and passive Tier 2 Palo firewalls will each have a ethernet uplink (CAT5e) to the Tier 1 firewalls?

In order for this to work, the uplinks of the Active/Passive Tier 2 firewall cluster which would be placed downstream of the Tier 1 firewall cluster would need to be connected to layer 2 ports which share the same state table on the corresponding upstream Tier 1 firewall (that is....the same ARP and MAC table).

This would be required for HA transition to operate on the Tier 2 firewalls.

I guess it depends on what kind of firewalls the Tier 1 are it may work...if you have Cisco ASAs for example, you might be able to use two layer 2 switch ports to uplink to the Tier 2 firewalls. Or other vendor firewalls might let you put those ports into some kind of layer 2, pass-through mode.

No guarantees here without lab testing though...this is theoretical.

Re: Connecting a Tier 1 firewall pair to a Tier 2 firewall pair without a switch

mikand — Mon, 20 Aug 2012 22:06:34 GMT

There are docs in the documentation area on how to setup two ISP's at once - this would be similar setup (see TFW1 as "ISP1" and TFW2 as "ISP2").

The PA cluster must "ping" each uplink to determine which way is functional.

However in order for this to work without switches in between you need to do a manual full-mesh.

Meaning PA1 is connected with one (or more) wires to TFW1 and with one (or more) wires to TFW2. Where PA2 have the same setup - otherwise you might end up with PA1 is dead so PA2 became active but TFW1 is still active and TFW2 is passive.

As already mentioned you wont need this full-mesh if the passive unit of TFW cluster acts as a L2-device (similar to how HSRP/VRRP works).

Another method is to setup PA as active-active cluster or two single boxes (however the later will most likely demand some sort of loadbalancing before the PA cluster so a specific client will use a specific PA on its way out in order to keep logs in a sane way but also for the appid and flows and stuff in PA to work properly).

You could also use PA-cluster as VWIRE (without active/passive failover) to avoid routing/pbf headache 🙂