Dual ISP Branch Office with PA HA (2 PA with HA Configured

Reply
L1 Bithead

Dual ISP Branch Office with PA HA (2 PA with HA Configured

I see examples of using 2 ISPs with one PA. I also see that senario with Global Connect, Lad Balancing and IPSec Tunnels. However, I do not see where it states these types of senario's can be used in a PA-200 HA senario. Can anyone shead some light on using Dual ISP's with HA Palo Alto Firewalls.  I know the fail-over is different on the PA-200, for example no session sync. Thanks in Advance.  

L6 Presenter

Re: Dual ISP Branch Office with PA HA (2 PA with HA Configured

Hi...Yes, you can use those methods with 2 PAs in HA.  You just need to make sure the 2 PAs are connected to both ISPs using the same Ethernet ports so that when a failover occurs, the active PA can reach the 2 ISPs.  

Highlighted
L3 Networker

Re: Dual ISP Branch Office with PA HA (2 PA with HA Configured

If you are concerned about the Fail over part its a kind of stateless failover.

Means in case if one PA 200 went down there may be 4 to 6 pings packet drops but all the functionality will remain the same.

PA 200 HA--->>>  we call it as HA lite means there will not be immediate faiover and may take some time to establish the sessionsas i mentioned above.

In case of 3K,5K series  fail over you may see only 1 ping packet drop during a failover in the network

 

But Again there  wiil be no change in kind of  configurations and will reamin same  similar to the other boxes.

 

Hope that answers your question

Tarang

L7 Applicator

Re: Dual ISP Branch Office with PA HA (2 PA with HA Configured

The other thing to be aware of with inbound services failover like Global connect is how your inbound prefix routing failover will occur when you lose an upstream ISP.  Depending on how the route advertisements are working this can take some time for your upstream to remove that path and all your existing sessions to find the new inbound path on the second ISP.  Especially if this is an active/passive failover.

 

Naturally, if you do not have the Glbobal protect prefix available to advertise in both ISP then it cannot failover at all and new connections must be made using the second ISP address space.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!