topic Re: is Cluster possible? in General Topics

is Cluster possible?

SantiagoFosco — Fri, 29 Mar 2019 13:38:08 GMT

Hi all,

is quick question on above statement. is it possible to configure clusters with Palo Alto?

I do not mean Active/Standby or Active/Active

I was not able to find any documentation on this. if this is possible, could someone point me in this direction please?

I want luck with Google/ KB site.

thanks in advance

Re: is Cluster possible?

Raido_Rattameister — Mon, 01 Apr 2019 13:59:44 GMT

If you don't mean Active/Standby or Active/Active then what do you mean exactly?

Re: is Cluster possible?

ScottF — Mon, 01 Apr 2019 22:28:03 GMT

I'm assuming you are talking about a cluster in which both Palos share the same IP and both operate in an active/active fashion. As many of you know when running in Active/Active, you actually have 2 IPs representing each virtual firewall group. Half of your systems' gateways are configured for 1 IP and the other half to the other IP. A true cluster would represent both firewalls by sharing a single IP and process traffic on both firewalls. There are some inbedded technologies on systems that do this, but nothing I've heard on the Palos. The only way I know of on how to do this is with the use of a load balanacer that sits in front and/or back of the firewalls. The load balancer has the VIP or single IP and then routes to one of the firewall IPs that is running active/active. The problem with this solution is that it is not fully redundant. If you run in this fashion, you could have 75% on one firewall and 75% usage on the other. If one firewall dies, then you would have 150% usage on one firewall (good luck with that) and you'll DoS your traffic and blow up the firewall in the process. This is known as running in capacitive mode and not redundancy mode. Granted you are running in high-availability, just not fully redundant. This is why so many people run active/passive. You are truely running N+1 in redundant mode as opposed to N+1/2 or something like that in capacitive mode.

There are articles on configuring load balancers to provide you the psuedo clustering you are looking for. Good luck!

https://www.a10networks.com/resources/deployment-guides/a10-networkspalo-alto-networks-joint-firewall-load-balancing-solution

Re: is Cluster possible?

Raido_Rattameister — Tue, 02 Apr 2019 13:34:43 GMT

@ScottF Palo active/active can be configured both ways - either have their own IP or they can reply to arp requests with their own MAC address but use same IP. In this case all clients have same gateway IP but some will get arp reply from one active node and others from other.

Re: is Cluster possible?

Shadow — Tue, 02 Apr 2019 14:19:54 GMT

Both, thank you for the response.

what I meant by cluster, you have two clusters, 1-active the other standby

on active cluster you have minimum of 2x devices which are active, and the same amount of devices on the standby cluster

all traffic see as the Active cluster as primary.

all active devices in the primary(active)cluster, their standby is on the standby cluster.

this design is used for very sensitive traffic, example forex market, where milliseconds count.

anyway thanks, radio/ScottF, will check the link too with load balance(but that's not the design I am after)

Re: is Cluster possible?

Raido_Rattameister — Tue, 02 Apr 2019 14:44:31 GMT

Palo cluster can have 2 devices. Have to be identical model.

Both can be active (usually not suggested) or active/passive.

You can't have more than 2 devices in one cluster.

Re: is Cluster possible?

Brandon_Wertz — Tue, 02 Apr 2019 15:38:30 GMT

@Shadow wrote:
Both, thank you for the response.
what I meant by cluster, you have two clusters, 1-active the other standby

on active cluster you have minimum of 2x devices which are active, and the same amount of devices on the standby cluster

all traffic see as the Active cluster as primary.
all active devices in the primary(active)cluster, their standby is on the standby cluster.
this design is used for very sensitive traffic, example forex market, where milliseconds count.

anyway thanks, radio/ScottF, will check the link too with load balance(but that's not the design I am after)

Like what @ScottF already mentioned what you're wanting to do is essentially "front end" your "FW service" with a load balancer that validates if the 2 pairs of FW environments are functional and routing traffic to each service appropriately.

As you mentioned forex, it seems you'd be better off looking for hardware built for that space.