topic Re: Active Active HA on PAN 4.x in General Topics

Active Active HA on PAN 4.x

willstech — Tue, 29 Mar 2011 09:59:58 GMT

PAN 4.x is supporting Active-Active High availability.

Clearly, most firewalls also support Active-Active HA but, they need Layer-4 switch to get full performance.

In other words, most of firewalls also support Active-Active, but it is in name only in the real network world without Layer-4 switch.

How about Paloalto on Active-Active? PAN also need Layer-4 switch?

What is the best way to deploy Active-Active HA?

Could you tell me that how it works, if don't need layer-4 switch?

I’m looking for smart answers.

Thanks,

Eugene.

Re: Active Active HA on PAN 4.x

reaper — Tue, 29 Mar 2011 12:36:59 GMT

Hi Eugene

This document may prove helpfull: https://live.paloaltonetworks.com/docs/DOC-1756

Page 7 describes our behavior in vwire, pages 8 and 9 our layer 3 behavior.

Basically, for vwire you will need layer 3 devices as we act as a wire. In L3 we support 2 modes of operation: Floating IP and ARP load sharing.

Floating IP assigns a/multiple VIP per gateway and these can be used by hosts in the network as gateway

In case of failover the VMAC to this VIP is transported to the other peer via gratuitous ARP

In ARP load sharing a VIP is shared among the HA peers, but each with their individual VMAC.

The device that responds to the ARP request is determined by computing a hash or modulo of the source IP address of the ARP request.

In case of failover the VMAC is transported to the remaining peer via gratuitous ARP.

regards

Re: Active Active HA on PAN 4.x

reaper — Tue, 29 Mar 2011 16:12:55 GMT

small correction:

In floating IP each device has a unique VMAC and in case of failover the VIP is moved to the active peer's VMAC using gratuitous ARPs sent out from the active member, the VMAC itself does not move

Re: Active Active HA on PAN 4.x

willstech — Wed, 30 Mar 2011 12:23:08 GMT

Thanks for your answer.

i'm sorry because short of english.

So It seem to be that my question has not delivered correctly.

What i want is not general concept of PAN's Active Active HA.

directly speaking....

What is difference between juniper Active-Active HA and Palo Alto Active-Active HA without L4 switch?

The very important thing for Active-Active HA is that there is no Layer 4 switch.
without Layer 4 switch!!

Juniper is divided internally when deploy Active-Active HA like attached diagram.

Each firewall needs many routing path to make an active-active HA and, If network complex, it needs lots of routing.

One of another issue is performance.

PAN is very similar with Juniper. So I’d like to know whether PAN has same issue with juniper on Active-Active.

i think you may know much of problem of Juniper on Active Active HA.

Please let me know what kind of issue PAN has from Active-Active HA.

Also let me know what are the very important things to deploy active-active HA.

Thanks,

Eugene.

Re: Active Active HA on PAN 4.x

willstech — Mon, 04 Apr 2011 07:15:26 GMT

Hi all.

anybody doesn't explain me about my quesiton??

I'm wanting for answer.

Regards,

Eugene

Re: Active Active HA on PAN 4.x

kbrazil — Mon, 04 Apr 2011 17:48:16 GMT

Hi Eugene,

I believe your question was answered above with ARP Load Sharing. This does not require an L4 switch as it shares the load between the active units automatically. This really only works well with directly connected hosts initiating traffic outbound.

The intention for Active/Active HA is not to share the load for higher performance but to address asymmetric routing scenarios. The directly connected HA3 links in the cluster will make sure traffic is correctly forwarded in cases where the traffic was delivered to the wrong firewall.

You may need to have a further discussion with your local SE to get more information on how to design and configure an Active/Active cluster if you find that design is really necessary. Try to stick with an Active/Passive design, if possible, as it is much more simple to design, config, and troubleshoot.

Cheers,

Kelly

Re: Active Active HA on PAN 4.x

willstech — Thu, 07 Apr 2011 05:25:11 GMT

Hi kelly.

Thank for your answer.

i've got answer from you against most of my quesitons.

Thanks.

Eugene.