https://live.paloaltonetworks.com/t5/general-topics/wan-interface-configuration-for-ha-active-passive/m-p/79174#M43184 <P>Pankaj,</P> <P>&nbsp;</P> <P>That's what I thought, but I tried moving the existing firewall to that setup, moved isp, and PA to switch on same vlan with access ports, and they wouldn't talk. &nbsp;Only had a brief downtime window last weekend to test so wasn't able to do much troubleshooting. &nbsp;This next weekend is the planned implementation for new pair so I'll try again, and have time to clear arp and track down any issues.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Thanks for the help everyone.</P> Mon, 06 Jun 2016 13:05:31 GMT travisj 2016-06-06T13:05:31Z https://live.paloaltonetworks.com/t5/general-topics/wan-interface-configuration-for-ha-active-passive/m-p/79103#M43151 <P>We are about to replace a single 2050 with an HA pair of 3050's. &nbsp; Having some trouble figuring out how to get the switch and Pa configured so I can share the single ISP connection with both firewalls.</P> <P>&nbsp;</P> <P>Current setup has interface 1/3 as L3 with the WAN ip address</P> <P>&nbsp;</P> <P>I was trying to minimize the changes to make (because 2050 is insanely slow to commit) so attempted using a new vlan 111 on our core switch, set it up on two ports in access mode (untag all) and tried moving the ISP router and the palo alto wan interface into the switch on those two ports.</P> <P>&nbsp;</P> <P>Am I going to need to change the wan interface on the palo alto to have a tagged sub interface on vlan 111 and move the wan IP addresses to it? &nbsp; Hopefully I'm just missing something simple.</P> <P>&nbsp;</P> <P>thanks,</P> <P>&nbsp;</P> <P>&nbsp;</P> Sat, 04 Jun 2016 17:08:28 GMT https://live.paloaltonetworks.com/t5/general-topics/wan-interface-configuration-for-ha-active-passive/m-p/79103#M43151 travisj 2016-06-04T17:08:28Z https://live.paloaltonetworks.com/t5/general-topics/wan-interface-configuration-for-ha-active-passive/m-p/79105#M43153 <P>You should create subinterfaces on palo only if it connects to switch trunk port.</P> <P>If switch port is access then you don't use subinterfaces.</P> <P>If you set up HA then interface mac addresses will change and Palo will send graditious arp out only to notify interface ip change but not for DNAT ip addresses so you should be ready to clear switch arp cache.</P> Sat, 04 Jun 2016 19:34:29 GMT https://live.paloaltonetworks.com/t5/general-topics/wan-interface-configuration-for-ha-active-passive/m-p/79105#M43153 Raido_Rattameister 2016-06-04T19:34:29Z https://live.paloaltonetworks.com/t5/general-topics/wan-interface-configuration-for-ha-active-passive/m-p/79134#M43168 <P>You have to move ISP link to switch. On switch there should be three ports and these three ports should be part of same VLAN, access ports. One port for ISP, One for active firewall and one for passive firewall that's it.</P> Sun, 05 Jun 2016 13:39:17 GMT https://live.paloaltonetworks.com/t5/general-topics/wan-interface-configuration-for-ha-active-passive/m-p/79134#M43168 pankaku 2016-06-05T13:39:17Z https://live.paloaltonetworks.com/t5/general-topics/wan-interface-configuration-for-ha-active-passive/m-p/79174#M43184 <P>Pankaj,</P> <P>&nbsp;</P> <P>That's what I thought, but I tried moving the existing firewall to that setup, moved isp, and PA to switch on same vlan with access ports, and they wouldn't talk. &nbsp;Only had a brief downtime window last weekend to test so wasn't able to do much troubleshooting. &nbsp;This next weekend is the planned implementation for new pair so I'll try again, and have time to clear arp and track down any issues.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Thanks for the help everyone.</P> Mon, 06 Jun 2016 13:05:31 GMT https://live.paloaltonetworks.com/t5/general-topics/wan-interface-configuration-for-ha-active-passive/m-p/79174#M43184 travisj 2016-06-06T13:05:31Z