https://live.paloaltonetworks.com/t5/general-topics/firewall-interface-high-availablity/m-p/241578#M69174 <P>You could set up Palo interfaces in Layer 2 mode.</P><P>But check spanning tree settings so that it would block link between switches that goes through Palo and not between core switches <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Thu, 29 Nov 2018 14:21:34 GMT Raido_Rattameister 2018-11-29T14:21:34Z https://live.paloaltonetworks.com/t5/general-topics/firewall-interface-high-availablity/m-p/241543#M69170 <P>Hi All,</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="pa-220-ha.png" style="width: 545px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/17740i4B1B6B504D441497/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="pa-220-ha.png" alt="pa-220-ha.png" /></span></P><P>In my scenario, i have single PA-220 for guest access.&nbsp; In trusted zone i would like to keep the interface lelvel (active/standby) high availablity.Interface type as L2.&nbsp; I couldn't do aggregate interface since it's connected to two seperate switches.</P><P>&nbsp;</P><P>How we can achieve this.??&nbsp;</P><P>&nbsp;</P><P>Thanks in Advance..</P> Thu, 29 Nov 2018 08:08:57 GMT https://live.paloaltonetworks.com/t5/general-topics/firewall-interface-high-availablity/m-p/241543#M69170 gpsriram 2018-11-29T08:08:57Z https://live.paloaltonetworks.com/t5/general-topics/firewall-interface-high-availablity/m-p/241578#M69174 <P>You could set up Palo interfaces in Layer 2 mode.</P><P>But check spanning tree settings so that it would block link between switches that goes through Palo and not between core switches <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Thu, 29 Nov 2018 14:21:34 GMT https://live.paloaltonetworks.com/t5/general-topics/firewall-interface-high-availablity/m-p/241578#M69174 Raido_Rattameister 2018-11-29T14:21:34Z https://live.paloaltonetworks.com/t5/general-topics/firewall-interface-high-availablity/m-p/241582#M69178 <BLOCKQUOTE><HR /><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/15603">@Raido_Rattameister</a>&nbsp;wrote:<BR /><P>You could set up Palo interfaces in Layer 2 mode.</P><P>But check spanning tree settings so that it would block link between switches that goes through Palo and not between core switches <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><HR /></BLOCKQUOTE><P>I did this exact setup for a 220 HA pair.&nbsp; With a 3750 stack.&nbsp; I actually ended up using port-channels though on the internal and external interfaces.&nbsp; This got me device redundancy&nbsp;on both the firewall and switch side.</P><P>&nbsp;</P><P>But like&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/15603">@Raido_Rattameister</a>&nbsp;mentioned.&nbsp; an access vlan config to each switch should work just fine.</P> Thu, 29 Nov 2018 14:41:49 GMT https://live.paloaltonetworks.com/t5/general-topics/firewall-interface-high-availablity/m-p/241582#M69178 Brandon_Wertz 2018-11-29T14:41:49Z