wan interface configuration for HA active/passive

L2 Linker

We are about to replace a single 2050 with an HA pair of 3050s. Having some trouble figuring out how to get the switch and PA configured so I can share the single ISP connection with both firewalls.

Current setup has interface 1/3 as L3 with the WAN IP address.

I was trying to minimize the changes to make (because the 2050 is insanely slow to commit), so I attempted using a new VLAN 111 on our core switch, set it up on two ports in access mode (untag all), and tried moving the ISP router and the Palo Alto WAN interface into the switch on those two ports.

Am I going to need to change the WAN interface on the Palo Alto to have a tagged subinterface on VLAN 111 and move the WAN IP addresses to it? Hopefully I'm just missing something simple.

Thanks,


L7 Applicator

Re: wan interface configuration for HA active/passive

You should create subinterfaces on the Palo only if it connects to a switch trunk port.

If the switch port is an access port, then you don't use subinterfaces.

If you set up HA, the interface MAC addresses will change, and the Palo will send gratuitous ARP out only to notify of the interface IP change, but not for DNAT IP addresses, so you should be ready to clear the switch ARP cache.

Enterprise Architect @ Cloud Carib www.cloudcarib.com
ACE (3.0, 5.0, 6.0, 7.0), PCNSE (6, 7), PCNSI
L5 Sessionator

Re: wan interface configuration for HA active/passive

You have to move the ISP link to the switch. On the switch there should be three ports, and these three ports should be part of the same VLAN as access ports: one port for the ISP, one for the active firewall and one for the passive firewall. That's it.
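The switch side of the layout described in the two replies above (three access ports in one VLAN, so no tagged subinterface is needed on the firewall, plus the ARP cache clearing the first reply warns about), written out as an added example rather than anything posted in this thread. It assumes a Cisco IOS switch; the port numbers GigabitEthernet1/0/1-3 are placeholders, while VLAN 111 and the firewalls' ethernet1/3 come from the original question.

```ios
! Single untagged VLAN carrying the ISP handoff to both HA members.
vlan 111
 name ISP-HANDOFF
!
! ISP router: access port, untagged, no trunking.
interface GigabitEthernet1/0/1
 description ISP router (assumed port)
 switchport mode access
 switchport access vlan 111
 switchport nonegotiate
 spanning-tree portfast
!
! Active PA-3050, ethernet1/3 (Layer 3, holds the WAN IP while active).
interface GigabitEthernet1/0/2
 description PA-3050 active ethernet1/3 (assumed port)
 switchport mode access
 switchport access vlan 111
 switchport nonegotiate
 spanning-tree portfast
!
! Passive PA-3050, ethernet1/3, identical port config so failover needs no switch change.
interface GigabitEthernet1/0/3
 description PA-3050 passive ethernet1/3 (assumed port)
 switchport mode access
 switchport access vlan 111
 switchport nonegotiate
 spanning-tree portfast
!
! Verification after cutover: all three ports should show up in VLAN 111 and
! the MAC table should learn the ISP router and the active firewall on it.
! show vlan id 111
! show mac address-table vlan 111
!
! After enabling HA (interface MACs change) or after a failover, flush stale
! entries if anything on VLAN 111 stops answering; only the active unit should
! be learned behind its port afterwards.
! clear mac address-table dynamic vlan 111
! clear arp-cache
```

Because every port is `switchport mode access`, the firewall keeps its existing Layer 3 interface with the WAN IP directly on ethernet1/3, which matches the first reply's point that subinterfaces are only required behind a trunk. The `clear` commands are the IOS equivalents of "clear switch ARP cache" from that reply; on a switch with no SVI in VLAN 111 the MAC table flush is the one that matters, and the ISP router's own ARP cache is outside your control, so plan the HA enable for a window where a few minutes of WAN loss is acceptable.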

L2 Linker

Re: wan interface configuration for HA active/passive

Pankaj,

That's what I thought, but I tried moving the existing firewall to that setup: moved the ISP and PA to the switch on the same VLAN with access ports, and they wouldn't talk. Only had a brief downtime window last weekend to test, so I wasn't able to do much troubleshooting. This next weekend is the planned implementation for the new pair, so I'll try again and have time to clear ARP and track down any issues.

Thanks for the help everyone.
