PA firewalls and HA across different GEO locations

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

PA firewalls and HA across different GEO locations

L3 Networker

Hi Support,

 

We have Client in Cork want to know about the FW HA across Different Location.

 

  • What are requirements for having fw cluster spread across different GEO locations (latency, delay, etc)?
  • Is this recommended at all by PA? If yes, what kind of link is required for HA connectivity (L3, L2)?

 

We have some ideas of spreading current firewall cluster between new Data Cente in Dublin and DR site different location.

Is it not good idea because of possible split brain scenarios due to periodical link latency.

Basically to take passive current FW appliance and rack it to different location  so that active/passive cluster is spread .

5 REPLIES 5

Cyber Elite
Cyber Elite

@NavidAlam,

You can overcome any latency situation by adjusting the HA settings themselves, but I kind of have to ask why you would want to setup like this. Usually if you build out a different data center in a completely different location you utilize load-balancing or DNS changes to kick the traffic over when you need it. I've never seen anyone have such geographically diversified firewalls running in an active/passive pair; not because you can't do so, but why would you want to? 

It is not why i want . Client is asking if it is possible are not what it is the recommendation if we do ?

 

Second, if so what is the recommendation they asking is it safe or not due to a different location?

 

Does Palo Alto recommend or not if do not what is the normal recommendation 

@NavidAlam,

Yes it's possible, the recommendation would be to set the HA timers with the time consideration that it will take to travel whatever distance you are putting them across. This will depend on the link and how long it actually is. You'll need to set the HA Timers to 'Advanced' and actually manually set these in accordance with the latency on this link. 

This type of setup would not be recommended. You're essentially asking to seperate an HA Active/Passive pair over 260km and expecting it to perform well.  

My DR site is 5 miles away over a 1Gb fibre link, would not consider HA on that. We can manage most of the inbound trafic changes easily, and outbound does not matter.

 

Rob

 

 

L1 Bithead

Hi, this is interesting question. If I setup timers on HA communication to huge delay the cluster PA will be works? Is exist any official document on site palo alto?

  • 7278 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!