https://live.paloaltonetworks.com/t5/general-topics/active-standby-network-design-and-usage-as-network-gateway/m-p/241504#M69155 <P>Hello,</P><P>So yes to the first paragraph. And yes to keeping the interfaces in a shutdown state on the standby unit. I run A/S and dont have issues, I also run OSPF and it doesnt really mind much since the S has the sessions in it. I think last time I failed them over I maybe lost 1-2 pings. This is usually quick enough for dynamic routing since the timers are usually longer than that.</P><P>&nbsp;</P><P>As for using the PAN as a L3 Vlan interface, I also do this since I can then segregate the traffic and get closer to a Zero Trust model. One thing I do is have one zone and carve it up into smaller subnets so that I dont run out of zones.</P><P>i.e.&nbsp;</P><P>zone ZeroTrust</P><P>IP subnets 192.168.0.0/24 then carve them up into /29's. Since I have a DENY ALL policy, the intra zone traffic doesnt take affect and the traffic has to be allowed between two subnets in the same zone.</P><P>&nbsp;</P><P>Hope that makes sense.</P> Wed, 28 Nov 2018 20:51:00 GMT OtakarKlier 2018-11-28T20:51:00Z https://live.paloaltonetworks.com/t5/general-topics/active-standby-network-design-and-usage-as-network-gateway/m-p/241498#M69154 <P>I have some questions on the Active/Standby deployment model.&nbsp; Right now I'm on A/A which requires all network config between the two units to be different since they're both active at the same time.&nbsp; From looking at the documentation, it looks like in an A/S model the network config between the two units is identical which includes all of the same IP addresses on subinterfaces, virtual routers, etc.&nbsp; Is this correct?</P><P>&nbsp;</P><P>If so, does the standby simply keep its interfaces shut while not active?&nbsp; During a failover scenario, does the switchover happen fast enough that dynamic routing protocols to not notice and therefore not require reconvergence?</P><P>&nbsp;</P><P>I'm aslo wondering if anyone uses their firewalls for the L3 network gateways for any of their VLANs?&nbsp; I was considering setting up subinterfaces and maybe using them for our DC networks so that the firewall could more directly dictate for each server what it can and not have access to without doing ACLs on a Cisco switch or router.&nbsp; Alternatively, I'd probably use Policy Based Routing to push the traffic from the network's gateway to the firewall.</P> Wed, 28 Nov 2018 20:41:58 GMT https://live.paloaltonetworks.com/t5/general-topics/active-standby-network-design-and-usage-as-network-gateway/m-p/241498#M69154 jsalmans 2018-11-28T20:41:58Z https://live.paloaltonetworks.com/t5/general-topics/active-standby-network-design-and-usage-as-network-gateway/m-p/241504#M69155 <P>Hello,</P><P>So yes to the first paragraph. And yes to keeping the interfaces in a shutdown state on the standby unit. I run A/S and dont have issues, I also run OSPF and it doesnt really mind much since the S has the sessions in it. I think last time I failed them over I maybe lost 1-2 pings. This is usually quick enough for dynamic routing since the timers are usually longer than that.</P><P>&nbsp;</P><P>As for using the PAN as a L3 Vlan interface, I also do this since I can then segregate the traffic and get closer to a Zero Trust model. One thing I do is have one zone and carve it up into smaller subnets so that I dont run out of zones.</P><P>i.e.&nbsp;</P><P>zone ZeroTrust</P><P>IP subnets 192.168.0.0/24 then carve them up into /29's. Since I have a DENY ALL policy, the intra zone traffic doesnt take affect and the traffic has to be allowed between two subnets in the same zone.</P><P>&nbsp;</P><P>Hope that makes sense.</P> Wed, 28 Nov 2018 20:51:00 GMT https://live.paloaltonetworks.com/t5/general-topics/active-standby-network-design-and-usage-as-network-gateway/m-p/241504#M69155 OtakarKlier 2018-11-28T20:51:00Z https://live.paloaltonetworks.com/t5/general-topics/active-standby-network-design-and-usage-as-network-gateway/m-p/241507#M69157 <P>I use auto not shutdown.</P><P>In this case port is active it just drops any incoming packets.</P><P>Benefit is faster failover.</P><P><A title="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClcACAS" href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClcACAS" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClcACAS</A></P> Wed, 28 Nov 2018 21:04:05 GMT https://live.paloaltonetworks.com/t5/general-topics/active-standby-network-design-and-usage-as-network-gateway/m-p/241507#M69157 Raido_Rattameister 2018-11-28T21:04:05Z