topic Re: Active Active High Availability in General Topics

Active Active High Availability

Mohammedraza — Tue, 22 Jun 2021 15:57:27 GMT

Hello Group,

I have done migration from Cisco ASA Firewalls to Palo Alto Firewalls.

In Cisco ASA Firewalls, I was using multi-context (there were two contexts, Context-A and Context-B). Context A was active on Firewall-1 and Context-B was active on Firewall-2. Once Firewall-1 goes down, Firewall-2 will be active for both Context-A and Context-B.

I have studied High Availability documentation for Palo Alto Firewalls, from what i have studied i dont think it is possible to load balance the traffic in this way. I have created two vsys, (vsys-A and vsys-B). I want vsys-A to be active on Firewall-1 and vsys-B to be active on Firewall-2. Vsys-A should get active on Firewall-2 only in case Firewall-1 goes down and once Firewall-1 gets back live again then Vsys-A should be switched to Firewall-1. Similarly for Vsys-B.

There are four different use cases for Active Active High Availability but i think none of these matches my requirement.

1. Active/Active HA with Floating IP Address Bound to Active-Primary Firewall
2. Active/Active HA with Floating IP Addresses
3. Active/Active HA with Route-Based Redundancy
4. Active/Active HA with ARP Load-Sharing

Please if anyone can give feedback on this.

Re: Active Active High Availability

reaper — Wed, 23 Jun 2021 21:21:02 GMT

High Availability in Palo Alto is all about redundancy and not about load sharing/balancing

All config will always be active on both members

(for loadbalancing you should use external loadbalancers and HA4)

what comes closest to your config is floating IP with lower priorities on primary or secondary to make IP's "stick" to one peer until that peer goes down. this way you can control which member owns the IP, so in essence where the vsys and other config is utilised

Re: Active Active High Availability

Mohammedraza — Thu, 24 Jun 2021 12:35:17 GMT

Thank you for your reply! Actually this is what I tried to do on my two firewalls to support above scenario. But its not working in that way.

There are 10 subnets, i want 5 subnets of Vsys-A to go to Firewall-1 and want 5 subnets of vsys-B to go to Firewall-2.
If Firewall-1 fails then all 10 subnets of vsys-A and B to go to Firewall-2.
If firewall-2 fails then all 10 subnets of vsys-A and B to go to Firewall-1.
Vsys-A
10.11.1.0/24
10.11.2.0/24
10.11.3.0/24
10.11.4.0/24
10.11.5.0/24

Vsys-B
10.11.6.0/24
10.11.7.0/24
10.11.8.0/24
10.11.9.0/24
10.11.10.0/24

To support my above configuration, I went to Device -> High Availability -> Active/Active Config -> Virtual Addresses.
I defined 10 Floating Addresses here (default gateways for the 10 subnets). 10.11.x.254

1. 10.11.1.254, 10.11.2.254, 10.11.3.254, 10.11.4.254, 10.11.5.254
Type Floating
Device 0: 100
Device 1: 150

2. 10.11.6.254, 10.11.7.254, 10.11.8.254, 10.11.9.254, 10.11.10.254
Type Floating
Device 0: 150
Device 1: 100

Re: Active Active High Availability

reaper — Thu, 24 Jun 2021 12:38:18 GMT

In ha3 config you also need to set session owner etc. to "first packet" for this to work smoothly