Active/active ha config

Reply
Highlighted
L3 Networker

Active/active ha config

Hi All,

my req:

isp 1 4mbps(untrust) ->pa 500a->(trust)cisco switch l3a->

isp 2 4mbps(untrust)->pa 500b->(trust)cisco  switch l3b->    same web servers but using  isp 1 &2 public ip's(redundancy purpose) to do static s-nat for web servers

external users should use both isp to reach web servers in active/active ha mode->load share/balance..

my config doubts:

trust l3 ips connected to cisco switch should be different..right?

dns servers for both isp's are different..so i changed default 4.2.2.2/8.8.8.8 to isp dns servers..right?

web servers should be exposed to external users-so configured s-nat static and tick bi-directional..right?

Please suggest best and simple practise to this requirement and confirm me whether above steps are right?

how to do ha active/active..please tell me procedure..

L5 Sessionator

Re: Active/active ha config

Hello Javith,

external users should use both isp to reach web servers in active/active ha mode->load share/balance..

For above sentence we donot support load balance.


trust l3 ips connected to cisco switch should be different..right?---> Yes

dns servers for both isp's are different..so i changed default 4.2.2.2/8.8.8.8 to isp dns servers..right?----> optional

web servers should be exposed to external users-so configured s-nat static and tick bi-directional..right?----> Yes

For better practice on configuring HA Active/Active please follow below document.

Configuring Active/Active HA PAN-OS 4.0

The above document is similar in PANOS-4.1 and 5.0 as well.

Regards,

Hari

L7 Applicator

Re: Active/active ha config

In your design, I don't think you need Active/Active but would be better served using a simpler and more standard Active/Passive design.  Active/Active use cases are typically one of two:

Asymmetrical routing occurs so both paths need to have active firewalls

There are two alternate paths that need to have active routing protocols peers through the firewall so the interfaces cannot be passive down

Neither apply in your design needs.

Another consideration is your fail over scenarios are more limited if you directly connect the two ISP feeds to the two firewalls.  This means each ISP depends on that particular firewall being active and the reverse as well.  In other words, a single failure on either ISP or firewall forces a second failure with the directly attached partner.  ISP A fails then firewall A also cannot route out to the internet.

Better practice would be to create two ISP layer 2 vlans on a switch with three ports each.

Port 1- ISP router

port 2 - firewall A

port 3 - firewall B

Now both firewalls have access to both ISP feeds.  Any ISP or firewall can fail and that single failure will only affect that item not any other.

You can configure dual ISP on the primary firewall.  Then create an Active/Passive pair to cover the failure scenario.

You may find these dual ISP documents helpful.

How to Create Inbound NAT to a Single Server with 2 ISPs

Dual ISP Branch Office Configuration

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!