Palo Alto 5250 - Configuring HA between vsys

L2 Linker

Palo Alto 5250 - Configuring HA between vsys

Hi, 

 

Is it possible to configure two physical Palo Alto 5250 in Active - standby mode while distributing the load for Vsys across both the physical firewalls. 

 

For eg.

I have two physical firewalls - PA1 & PA2

I have 6 vsys in each firewalls - Vsys1, Vsys2, Vsys3, Vsys4, Vsys5, Vsys6

 

Is it possible to have the below mentioned setup?

 

PA1

Vsys1 - Active

Vsys2 - Standby

Vsys3 - Active

Vsys4 - Standby

Vsys5 - Active

Vsys6 - Standby

 

PA2

Vsys1 - Standby

Vsys2 - Active

Vsys3 - Standby

Vsys4 - Active

Vsys5 - Standby

Vsys6 - Active

 

Is there any reference document to achieve this configuration? 

Tags (1)
L3 Networker

Re: Palo Alto 5250 - Configuring HA between vsys

Hi @MGRashmi,

unfortunately with Active/Passive mode, all virtual systems will be active only on "active" member. The HA is configured on Physical level and not on the virtual level.

If you want to distribute virtual systems on both physical appliances you need to configure the cluster in Active/Active mode and bound floating IP for vsys 1, 3, 5 to Active Primary and for vsys 2, 4, 6 to Active Secondary.

At this link you can found a use case: 

 

https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/high-availability/set-up-activeactiv...

 

Keep in mind usually TAC suggest A/A mode only in case you have asymmetric routing mainly when the firewalls are in Virtual-Wire mode.

 

Enjoy,

Jacopo

L2 Linker

Re: Palo Alto 5250 - Configuring HA between vsys

Hi Jacopo, Thanks a lot for your detailed and clear explanation. This really helped.

Tags (1)
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!