topic Re: Active/active ha config in General Topics

Active/active ha config

Javith — Wed, 09 Jul 2014 19:04:33 GMT

Hi All,

my req:

isp 1 4mbps(untrust) ->pa 500a->(trust)cisco switch l3a->

isp 2 4mbps(untrust)->pa 500b->(trust)cisco switch l3b-> same web servers but using isp 1 &2 public ip's(redundancy purpose) to do static s-nat for web servers

external users should use both isp to reach web servers in active/active ha mode->load share/balance..

my config doubts:

trust l3 ips connected to cisco switch should be different..right?

dns servers for both isp's are different..so i changed default 4.2.2.2/8.8.8.8 to isp dns servers..right?

web servers should be exposed to external users-so configured s-nat static and tick bi-directional..right?

Please suggest best and simple practise to this requirement and confirm me whether above steps are right?

how to do ha active/active..please tell me procedure..

Re: Active/active ha config

hyadavalli — Thu, 10 Jul 2014 14:23:58 GMT

Hello Javith,

external users should use both isp to reach web servers in active/active ha mode->load share/balance..

For above sentence we donot support load balance.

trust l3 ips connected to cisco switch should be different..right?---> Yes

dns servers for both isp's are different..so i changed default 4.2.2.2/8.8.8.8 to isp dns servers..right?----> optional

web servers should be exposed to external users-so configured s-nat static and tick bi-directional..right?----> Yes

For better practice on configuring HA Active/Active please follow below document.

Configuring Active/Active HA PAN-OS 4.0

The above document is similar in PANOS-4.1 and 5.0 as well.

Regards,

Hari

Re: Active/active ha config

pulukas — Thu, 10 Jul 2014 15:06:28 GMT

In your design, I don't think you need Active/Active but would be better served using a simpler and more standard Active/Passive design. Active/Active use cases are typically one of two:

Asymmetrical routing occurs so both paths need to have active firewalls

There are two alternate paths that need to have active routing protocols peers through the firewall so the interfaces cannot be passive down

Neither apply in your design needs.

Another consideration is your fail over scenarios are more limited if you directly connect the two ISP feeds to the two firewalls. This means each ISP depends on that particular firewall being active and the reverse as well. In other words, a single failure on either ISP or firewall forces a second failure with the directly attached partner. ISP A fails then firewall A also cannot route out to the internet.

Better practice would be to create two ISP layer 2 vlans on a switch with three ports each.

Port 1- ISP router

port 2 - firewall A

port 3 - firewall B

Now both firewalls have access to both ISP feeds. Any ISP or firewall can fail and that single failure will only affect that item not any other.

You can configure dual ISP on the primary firewall. Then create an Active/Passive pair to cover the failure scenario.

You may find these dual ISP documents helpful.

How to Create Inbound NAT to a Single Server with 2 ISPs

Dual ISP Branch Office Configuration