Am I able to configure up to 4 devices to act as active/active in high availability?
This should be able to, if one of those 4 get down, the others 3 keep handling traffic. And if another one of those get down, the other 2 keep running and so on.
Is it possible? If it is not, is there any roadmap for so?
You could configure four stand-alone devices, each on a separate leg of a aggregated ethernet link to achieve a similar result. It is very similar to the published solution working with Arista switches show here:https://paloaltonetworks.com/content/dam/paloaltonetworks-com/en_US/assets/pdf/technology-solutions-...
All clusters in PA are just two identical units. You could have two pairs with the four units but the sessions and sync are only between the tow matched devices at a time.
This is unlikely to change in the next few years.
For a very large volume operation you might use load balancers in front of the four or more PA to get higher capacity and failover across multiple clusters.
Palo Alto Networks devices do not aggregate throughput across HA cluster members. Active/Active throughput is same as Active/Passive. For situations in which more throughput than a PA-5060 can provide is required you would utilize the PA-7000 series chassis system. With two chassis you can have anywhere between two and ten data plane cards, each capable of processing around the same traffic as a PA-5060. This scenario would not require third party load balancers and provides increased flexibility over that model. Session sync across all dataplanes in both chassis regardless of Layer 3 or Virtual Wire deployments.
I disagree - in Active/Active traffic load can be shared between the two devices; although I understand that Palo Alto recommends that they're not sized such that both devices are required to be forwarding traffic to handle the load as in the event of a failure traffic processing would surely be impacted.
Of course, they'd also love to sell you a PA7000.
I'd rather not throw away good firewalls though; and being able to extend an existing PA5000 pair to a cluster of greater than two devices would be great.
The method PAN have chosen for the configuration of Active/Active seems to be designed to support such a model - with the physical device configuration elements (mainly IP addresses) being configured locally on each device. For the current two device model; it would be so much easier if in Active/Active Panorama templates there was space to enter primary IP and a secondary IPs directly which would be applied to the corresponding firewalls - but they've not done it like this and I suspect that is to allow for future clustering support.
My guess; they can do this in their labs; but they won't release it as the sales teams want to sell PA7000s instead....
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!