Active Passive with different Uplink IP address.

L4 Transporter

Active Passive with different Uplink IP address.

We have two firewalls at different locations, connected to different vendors via different ISPs.

Is it possible to have an uplink to the vendor with the same ISP but a different IP address in an active and passive setup?

L7 Applicator

Re: Active Passive with different Uplink IP address.

Hello,

Yes, this is possible; however, remember that the passive device is (not active), so both ISPs will need to plug into both PANs. Routing can be achieved via PBF or static routing.

 

Regards,

L4 Transporter

Re: Active Passive with different Uplink IP address.

As the PAs share the IP addresses in HA, but with a different uplink on the passive PA, how will failover work?

L4 Transporter

Re: Active Passive with different Uplink IP address.

Can anyone tell me if this is possible to accomplish?

L7 Applicator

Re: Active Passive with different Uplink IP address.

Are the firewalls managed by Panorama?

L4 Transporter

Re: Active Passive with different Uplink IP address.

Yes, they are.

L7 Applicator

Re: Active Passive with different Uplink IP address.

I haven't tried this so far, but technically it should be possible ... probably also with some limitations.

With Panorama you are able to configure the devices of this A/P cluster independently (use template variables to be able to still configure as much as possible only once). Even if you configure different networks/interfaces for the two devices, you can configure the same policy in one device group. Depending on the actual network configuration you can even use one NAT rule for the internet access. Here is also a limitation I can imagine: I don't know if the session sync works properly in an A/P cluster when there are different hide-NAT addresses.

L6 Presenter

Re: Active Passive with different Uplink IP address.

The best way to do this is to place your ISP connections outside of your FW environment into an L2 switch above. Then connect your FWs into that switch. You can utilize VLANs to make connectivity more seamless.

L7 Applicator

Re: Active Passive with different Uplink IP address.

@Brandon_Wertz wrote:

The best way to do this is to place your ISP connections outside of your FW environment into an L2 switch above. Then connect your FWs into that switch. You can utilize VLANs to make connectivity more seamless.

The description of @MP18 sounds like there is no possibility of spanning the L2 VLANs across the locations. But if there is the possibility for that, then @MP18 you should definitely consider the input of @Brandon_Wertz.

L4 Transporter

Re: Active Passive with different Uplink IP address.

Another option -

You could simply run them independently and have them both advertise the default route into whatever dynamic routing protocol you are using. Site-A would prefer FW-A (closest to it) and Site-B would prefer FW-B (closest to it). This would cause sessions to have to be reinitialized in the event that one of the FWs goes down for whatever reason. If you are providing any inbound services, you would need something like an F5 and GSLB to use DNS to move traffic away from a downed FW.

It sounds like L2 connectivity between sites is a no-go? If not, you could also consider Active/Active, which would handle asymmetric routing and allow for both ISPs to be utilized like above, but with state maintained.
