topic Re: Active/passive vs active/active recommendations in General Topics

Active/passive vs active/active recommendations

jorgebarba — Tue, 01 Oct 2019 08:26:21 GMT

Hello,

We are about to work on a Paloalto cluster deployment, which will be sitting next to the internet (we will have two separate providers) and we need to make the decision whether we configure it as A/A or A/P.

I keep reading in quite some places (forums and so) that A/P is Paloalto preferred way. That is also my first option, but I would like to have some official documentation to support that decision. Does anyone know where I can find such documentation from Paloalto, where they discuss A/P against A/A?

(I have been able to find the technical documentation of each of the cases, as well as their requirements, but not a specific discussion detailing kind of pros and cons of each of them).

Thanks a lot in advance

Jorge

Re: Active/passive vs active/active recommendations

RobinClayton — Tue, 01 Oct 2019 09:33:03 GMT

Not sure you will find any documented reasons but basically..

You don't gain much from A/A other than more throughput during normal running, but your not running N+1 so if one FW dies your under capacity. The added complexity also makes it far more difficult to implement successfully.

Hence a properly sized A/P N+1 is the recommended.

Re: Active/passive vs active/active recommendations

jeremy.larsen — Tue, 01 Oct 2019 13:34:22 GMT

Are you utilizing any dynamic routing protocols with you service providers (and internally)? You might want to consider A/A. What you will learn is this can be very beneficial but will require a lot of setup on you part with a good working knowledge of BGP/OSPF/etc.

No dynamic routing protocols on either side? Stick with A/P.

Re: Active/passive vs active/active recommendations

Brandon_Wertz — Tue, 01 Oct 2019 13:44:06 GMT

@jorgebarba wrote:
Hello,

We are about to work on a Paloalto cluster deployment, which will be sitting next to the internet (we will have two separate providers) and we need to make the decision whether we configure it as A/A or A/P
....
Thanks a lot in advance
Jorge

In our deployment we have 3 independent ISPs across 2 DCs and we run A/P. As others have stated an A/A deployment is primarily about throughput. If you become reliant upon that second firewall's throughput then when you upgrade or a failure occurs you're environment is now degraded in an A/P deployment you're at N+1 which makes for a much more stable environment.

Re: Active/passive vs active/active recommendations

jorgebarba — Tue, 01 Oct 2019 15:08:11 GMT

Thanks all for the replies.

@jeremy.larsen, indeed we will be running BGP to the internet and (most likely) OSPF internally. But the point is that I do not really see those benefits anyway, in setting the cluster up as A/A. Or say it other way, I do not see any potential benefit that would pay off the rather important increase in complexity (not that it is an issue itself, but it also would complicate any troubleshooting when the time comes, for the NOC and so).

Again, thanks all for providing your inputs. That's kind of what I am looking for, to gather a list of pros and cons of each of the two options, to make the final decision.

Jorge

Re: Active/passive vs active/active recommendations

jeremy.larsen — Tue, 01 Oct 2019 20:56:39 GMT

I've done both. A/A is definitely cool but requires a lot of planning and a deep understanding of what you are doing. If you want BGP to handle the failover for inbound services (ie: website, etc) then A/A is the way to go. Or you can drop HA and use Load Balancers to handle your firewalls and all the routing decisions. If you have something like an F5 handing failover using DNS and no IPs are getting moved between locations, then use good 'ole A/P and call it a day.

- Just my 2 cents

Re: Active/passive vs active/active recommendations

OtakarKlier — Wed, 02 Oct 2019 18:55:00 GMT

Hello,

The big thing to consider is asymentric routing. If you have the need then A/A, if not then A/P.

Regards,

Re: Active/passive vs active/active recommendations

jeremy.larsen — Thu, 03 Oct 2019 13:23:23 GMT

Agreed,

Sorry I didn't state this in my previous post.

Re: Active/passive vs active/active recommendations

jorgebarba — Wed, 09 Oct 2019 07:10:32 GMT

Thanks all again for your input.

In fact, I think I still opt more for the A/P solution but we will explore the two options in our particular environment and will decide.

Thanks!

Jorge