topic Re: topology in General Topics

topology

sib2017 — Sat, 28 Jan 2017 07:38:18 GMT

Hi,

I have the below topology .

Planning to put PA in vwire mode in betweent the asa and core in active standby.

If r1 fails and asa1 is active and asa2 is standby ,asa2 will become active .

. Lets say pa1 is active and pa2 is standby .

When asa changes active standby order ,is it possible pa changes the same order as asa do .

Or what is the pros and cons in this design

Thanks

Re: topology

Kashif.Kamal — Sat, 28 Jan 2017 12:37:16 GMT

Hi,

You can track the ASA-1 interfaces on PA-1, so when the ASA-1 failover it should shut down its interfaces connecting to PA-1 once the interfaces are down and you are tracking the Link monitoring in the PA-1. Then PA-1 will trigger the HA and if you have enabled the preempt on the PA-1 once the ASA-1 is back active the PA's will swap their roles.

Re: topology

sib2017 — Sun, 05 Feb 2017 08:48:51 GMT

Hi,

Is there a good design other than this

Thanks

Re: topology

RichColeman — Mon, 06 Feb 2017 13:52:41 GMT

Apart from totally removing the ASA's, monitoring the path/link from the Palo's to ASA is about as good as it gets. Whats the business case for having the ASA's? if your just doing layer 1-4 on the ASA its pointless them being there.

Re: topology

reaper — Mon, 06 Feb 2017 14:06:25 GMT

you could create portchannels so the ASA's can fail over all they want without interfering with the Palo Alto Networks Firewall Cluster

with this design and the PANW in AP, one member of the aggregate will always be down and simply switch if one of the PANW were to fail, if the ASA fails, the second Aggregate will kick in (controlled by the switch and ASA) and the active PANW can remain active

Re: topology

BPry — Mon, 06 Feb 2017 19:52:47 GMT

I would follow the order that @reaper laid out; that would give you true redundancy and you don't at any one point in time have a single point of failure on your firewalls. The way that you are describing would work fine, but the thing to keep in mind is that while you technicially have a backup, you are counting on that PAN to funciton during the outage. If you lose that PAN for some reason at the same time you lost the router your network sounds like it's still going to go down.

Re: topology

pulukas — Wed, 08 Feb 2017 23:45:26 GMT

Another option in this scenario is to make the PA cluster Active/Active instead of Active/Passive. This way no matter what combination of device failures occur on either side you still have a traffic path with the PA devices. and you don't need to track anything for failures.

Re: topology

sib2017 — Thu, 09 Feb 2017 15:30:48 GMT

Hi,

You mean the port channel between core and asa ?

It means one of the link will go through PA1 and another link PA2 ( eg: red)

Thanks

Re: topology

reaper — Thu, 09 Feb 2017 16:25:35 GMT

yes that's right, that way if ASA1 fails, PA1 does not need to fail: the portchannel will smply switch to the second link

also if PA1 fails, ASA1 does not need to fail