DotW: HA Lite

Created On 09/25/18 19:49 PM - Last Modified 07/19/22 23:07 PM


Resolution


In this week's Discussion of the Week, we're taking a closer look at community member Doug_Hogue's question regarding High Availability on a PA-200.

 


An important thing to note when deploying a pair of PA-200s in High Availability is that these devices have a scaled-down version of High Availability called HA Lite. This version of active/passive HA comes with a few limitations:

 

  • Sessions are not synchronized between the two devices. This means that if an outage were to occur on the primary device, all the existing sessions will lose their state and will end up timing out. New sessions will need to be created.
  • IPSec tunnels will be broken, so remote connectivity will temporarily be disrupted. These tunnels can be renegotiated, so as soon as the secondary device is up, it will be able to reestablish the tunnel between remote sites or users on GlobalProtect.
  • Active/Active is not supported.

 

However, HA Lite comes loaded with all the other advantages High Availability offers on the larger platforms:

 

  • Configuration is synchronized between the peers.
  • DHCP server lease information is shared, so in case of a failover, no unexpected IP conflicts should arise.
  • PPPoE lease information is synchronized.
  • The firewall's forwarding table (routing) is synchronized if the firewalls are configured in Layer 3 mode.

Apart from the reduced High Availability functionality, which also saves one interface from needing to be configured as HA2, the PA-200 comes loaded with all the functionality the larger platforms have to offer. So the answer to the original question, whether the PA-200 will be able to support a dual ISP configuration, is a resounding yes.

 

The quick way to enable dual-ISP on any platform, including the PA-200, is to configure a Policy Based Forwarding policy to forward, for example, all user web-browsing traffic via the primary high-bandwidth link, then set up a static route in the virtual router to direct all other traffic over the backup, low-bandwidth, high-SLA link. This configuration will be synced over to the HA peer, and if a failover were to occur, the same policy and routing will apply, ensuring that web-browsing traffic is still routed to the high-bandwidth link.

 

For more information, check out this article: Getting Started: Policy Based Forwarding

 

Check out the original article here: Dual ISP Branch Office with PA HA (2 PA with HA Configured)

 

 

The more you know...

Reaper

 


