PA firewalls and HA across different GEO locations

L2 Linker

PA firewalls and HA across different GEO locations

Hi Support,

We have a client in Cork who wants to know about FW HA across different locations.

  • What are the requirements for having a FW cluster spread across different GEO locations (latency, delay, etc.)?
  • Is this recommended at all by PA? If yes, what kind of link is required for HA connectivity (L3, L2)?

We have some ideas about spreading the current firewall cluster between the new data centre in Dublin and a DR site in a different location.

Is it not a good idea because of possible split-brain scenarios due to periodic link latency?

Basically, to take the current passive FW appliance and rack it in a different location so that the active/passive cluster is spread.

L7 Applicator

Re: PA firewalls and HA across different GEO locations

@NavidAlam,

You can overcome any latency situation by adjusting the HA settings themselves, but I kind of have to ask why you would want to set up like this. Usually if you build out a different data center in a completely different location you utilize load-balancing or DNS changes to kick the traffic over when you need it. I've never seen anyone have such geographically diversified firewalls running in an active/passive pair; not because you can't do so, but why would you want to?

L2 Linker

Re: PA firewalls and HA across different GEO locations

It is not why I want it. The client is asking if it is possible or not, and what the recommendation is if we do.

Second, if so, what is the recommendation? They are asking whether it is safe or not due to the different locations.

Does Palo Alto recommend it or not? If not, what is the normal recommendation?

L7 Applicator

Re: PA firewalls and HA across different GEO locations

@NavidAlam,

Yes, it's possible; the recommendation would be to set the HA timers taking into consideration the time it will take to travel whatever distance you are putting them across. This will depend on the link and how long it actually is. You'll need to set the HA Timers to 'Advanced' and actually manually set these in accordance with the latency on this link.

This type of setup would not be recommended. You're essentially asking to separate an HA Active/Passive pair over 260km and expecting it to perform well.

L4 Transporter

Re: PA firewalls and HA across different GEO locations

My DR site is 5 miles away over a 1Gb fibre link; I would not consider HA on that. We can manage most of the inbound traffic changes easily, and outbound does not matter.

Rob
