topic Re: Acitve Passive with different Uplink IP address. in General Topics

Acitve Passive with different Uplink IP address.

MP18 — Mon, 25 Mar 2019 17:10:30 GMT

We have two firerwalls at different locations conencted to different vendors via different ISP.

I it possible to have uplink to vendor with same ISP but different IP address in active and passive setup?

Re: Acitve Passive with different Uplink IP address.

OtakarKlier — Mon, 25 Mar 2019 21:24:53 GMT

Hello,

Yes this is possible, however remember that the passive device is (not active) so both ISP's will need to plug into both PAN's. Routing can be acheived via PBF or static routing.

Regards,

Re: Acitve Passive with different Uplink IP address.

MP18 — Mon, 25 Mar 2019 21:34:29 GMT

As PA share the ip addresses in HA but with with different uplink on passive PA how will failover work?

Re: Acitve Passive with different Uplink IP address.

MP18 — Sat, 06 Apr 2019 21:46:48 GMT

anyone can tell me if this is possible to accomplish?

Re: Acitve Passive with different Uplink IP address.

Remo — Sat, 06 Apr 2019 21:52:08 GMT

Are the firewalls managed by panorama?

Re: Acitve Passive with different Uplink IP address.

MP18 — Sat, 06 Apr 2019 22:16:11 GMT

yes they are

Re: Acitve Passive with different Uplink IP address.

Remo — Sat, 06 Apr 2019 22:24:43 GMT

I haven't try this so far, but technically it should be possible ... also with some limitations probably.

With panorama you are able to configure the devices of this a/p cluster independently (use template variables to be able to still configure as much as possible only once). Even if you configure different networks/interfaces for the two devices you can configure the same policy in one device group. Depending on the actual network configuration you can even use one NAT rule for the internet access. Here is also a limitation I can imagine: I don't know if the session sync properly works in an a/p cluster when there are different hide NAT addresses.

Re: Acitve Passive with different Uplink IP address.

Brandon_Wertz — Mon, 08 Apr 2019 13:52:07 GMT

The best way to do this is to place your ISP connections outside of your FW environment into a L2 Switch above. Then connect your FWs into that switch. You can utilize VLANs to make connectivity more seamless.

Re: Acitve Passive with different Uplink IP address.

Remo — Mon, 08 Apr 2019 17:13:21 GMT

@Brandon_Wertz wrote:
The best way to do this is to place your ISP connections outside of your FW environment into a L2 Switch above. Then connect your FWs into that switch. You can utilize VLANs to make connectivity more seamless.

The description of @MP18 sounds like there is no possibility of spanning the L2 VLANs across the locations. But if there is the possibility for that then @MP18 you should definately consider the input of @Brandon_Wertz

Re: Acitve Passive with different Uplink IP address.

jeremy.larsen — Mon, 08 Apr 2019 19:15:18 GMT

Another option -

You could simply run them independently and have them both advertise the default route into whatever dynamic routing protocol you are using. Site-A would prefer FW-A (closest to it) and Site-B would prefer FW-B (closest to it). This would cause sessions to have to be reinitialized in the event that one of the FW goes down for whatever reason. If you are providing any inbound services, you would need something like an F5 and GSLB to use DNS to move traffic away from a downed FW.

It sounds like L2 connectivity between sites is a no go? If not, you could also consider Active/Active which would handle asynchronous routing and allow for both ISPs to be utilized like above, but with state mantained.