https://live.paloaltonetworks.com/t5/general-topics/a-p-ha-with-more-than-1-passive-unit/m-p/22746#M16629 <HTML><HEAD></HEAD><BODY><P>Hi Shanon,</P><P></P><P>1. Another passive Member - Is not possible.</P><P>2. If both units goes down then it turns active - It is not possible.</P><P>3. Basically it should do routing if both the boxes fail - This is possible.</P><P></P><P>You will have to configure something like IP monitor on Internet CPE router. If both the units are down than send traffic to third unit.</P><P></P><P>This third unit is independent of HA cluster.</P><P></P><P>Let me know if you have additional query on this.</P><P></P><P>Regards,</P><P>Hardik Shah</P></BODY></HTML> Tue, 07 Oct 2014 22:09:15 GMT hshah 2014-10-07T22:09:15Z https://live.paloaltonetworks.com/t5/general-topics/a-p-ha-with-more-than-1-passive-unit/m-p/22739#M16622 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>We have a customer looking to extend their DR capability to a 2nd physical site (Site B).</P><P></P><P>Currently they have 2 PAN 3050 firewalls in an A/P cluster at Site A. As the new site will be connected via fibre we will split the cluster across both sites.</P><P></P><P>Site B will very much be a cold standby site with no production load under normal conditions. </P><P></P><P>We would like to still maintain PAN device redundancy at Site A.</P><P></P><UL><LI>Is it possible to leave the existing cluster as is at Site A, and add a 3rd unit to the cluster at Site B? </LI><LI>How would this be achieved (using spare ports on the dataplane)? </LI><LI>Is it recommended/not recommended?</LI><LI>What other considerations should we be aware of?</LI><LI>How would this impact on "split brain" type scenarios of the link between the sites was lost?</LI></UL><P></P><P>Appreciate any answers, feedback and personal experience in this type of scenario.</P><P></P><P>Cheers,</P><P>Shannon</P></BODY></HTML> Tue, 07 Oct 2014 19:20:03 GMT https://live.paloaltonetworks.com/t5/general-topics/a-p-ha-with-more-than-1-passive-unit/m-p/22739#M16622 Shannon-Rowe 2014-10-07T19:20:03Z https://live.paloaltonetworks.com/t5/general-topics/a-p-ha-with-more-than-1-passive-unit/m-p/22740#M16623 <HTML><HEAD></HEAD><BODY><P>Hi Shannon,</P><P></P><P>This is currently not supported but we do have a feature request for it. You can mention FR 1043 to your sales/system engineer. He/She can vote on your behalf. Hope this helps. Thank you.</P></BODY></HTML> Tue, 07 Oct 2014 19:22:37 GMT https://live.paloaltonetworks.com/t5/general-topics/a-p-ha-with-more-than-1-passive-unit/m-p/22740#M16623 ssharma 2014-10-07T19:22:37Z https://live.paloaltonetworks.com/t5/general-topics/a-p-ha-with-more-than-1-passive-unit/m-p/22741#M16624 <HTML><HEAD></HEAD><BODY><P><A href="https://live.paloaltonetworks.com/u1/29561">Shannon-Rowe</A> </P><P></P><P>I don't think you cannot have three units as a part of cluster.</P><P></P><P>I will suggest running OSPF with the route SiteB as a lower metric, so in case SiteA goes down it fails over to SIteB</P><P></P><P>Hope it helps !</P></BODY></HTML> Tue, 07 Oct 2014 19:24:32 GMT https://live.paloaltonetworks.com/t5/general-topics/a-p-ha-with-more-than-1-passive-unit/m-p/22741#M16624 bat 2014-10-07T19:24:32Z https://live.paloaltonetworks.com/t5/general-topics/a-p-ha-with-more-than-1-passive-unit/m-p/22742#M16625 <HTML><HEAD></HEAD><BODY><P>Hi Shannon,</P><P></P><P>As Samir suggest as of now its not possible to add third unit in HA.</P><P></P><P>Would it be possible to provide us rough network dia. That way we might be able to suggest any other work around.</P><P></P><P>Regards,</P><P>Hardik Shah</P></BODY></HTML> Tue, 07 Oct 2014 19:26:16 GMT https://live.paloaltonetworks.com/t5/general-topics/a-p-ha-with-more-than-1-passive-unit/m-p/22742#M16625 hshah 2014-10-07T19:26:16Z https://live.paloaltonetworks.com/t5/general-topics/a-p-ha-with-more-than-1-passive-unit/m-p/22743#M16626 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Thanks for your answers. A very high level, sanitized diagram below. Ideally we would have 2 units at the production datacentre.</P><P></P><P>Is it possible to have an independent unit at the standby unit, and somehow script regular config restores to the standby datacentre; this would also require having all dataplane interfaces shutdown, and could get messy, I realise, just want to explore all options.</P><P></P><P>Thanks,</P><P>Shannon</P><P><IMG alt="DR Diagrams v0.2.jpg" class="image-0 jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/16110_DR Diagrams v0.2.jpg" style="height: 380px; width: 620px;" /></P></BODY></HTML> Tue, 07 Oct 2014 19:41:38 GMT https://live.paloaltonetworks.com/t5/general-topics/a-p-ha-with-more-than-1-passive-unit/m-p/22743#M16626 Shannon-Rowe 2014-10-07T19:41:38Z https://live.paloaltonetworks.com/t5/general-topics/a-p-ha-with-more-than-1-passive-unit/m-p/22744#M16627 <HTML><HEAD></HEAD><BODY><P>Hi Shannon,</P><P></P><P>How would you use one more firewall in "standby Data center".</P><P>1. What routing functinoality it will do?</P><P>2. When it should be active?</P><P>3. What traffic it will pass.</P><P></P><P>Regards,</P><P>Hardik Shah</P></BODY></HTML> Tue, 07 Oct 2014 20:11:53 GMT https://live.paloaltonetworks.com/t5/general-topics/a-p-ha-with-more-than-1-passive-unit/m-p/22744#M16627 hshah 2014-10-07T20:11:53Z https://live.paloaltonetworks.com/t5/general-topics/a-p-ha-with-more-than-1-passive-unit/m-p/22745#M16628 <HTML><HEAD></HEAD><BODY><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">1. What routing functionality it will do? - The intent would be for it to be another passive member of the cluster</P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">2. When it should be active? - if both units at the production unit were to fail, or the production facility were to be completely compromised</P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">3. What traffic it will pass. - only HA sync traffic. in conjunction with the ISP and BGP routing (not on the PAN), network border IP addressing would be assumed in the event of #2 being realized.</P></BODY></HTML> Tue, 07 Oct 2014 21:08:17 GMT https://live.paloaltonetworks.com/t5/general-topics/a-p-ha-with-more-than-1-passive-unit/m-p/22745#M16628 Shannon-Rowe 2014-10-07T21:08:17Z https://live.paloaltonetworks.com/t5/general-topics/a-p-ha-with-more-than-1-passive-unit/m-p/22746#M16629 <HTML><HEAD></HEAD><BODY><P>Hi Shanon,</P><P></P><P>1. Another passive Member - Is not possible.</P><P>2. If both units goes down then it turns active - It is not possible.</P><P>3. Basically it should do routing if both the boxes fail - This is possible.</P><P></P><P>You will have to configure something like IP monitor on Internet CPE router. If both the units are down than send traffic to third unit.</P><P></P><P>This third unit is independent of HA cluster.</P><P></P><P>Let me know if you have additional query on this.</P><P></P><P>Regards,</P><P>Hardik Shah</P></BODY></HTML> Tue, 07 Oct 2014 22:09:15 GMT https://live.paloaltonetworks.com/t5/general-topics/a-p-ha-with-more-than-1-passive-unit/m-p/22746#M16629 hshah 2014-10-07T22:09:15Z