10-07-2014 12:20 PM
Hi,
We have a customer looking to extend their DR capability to a 2nd physical site (Site B).
Currently they have 2 PAN 3050 firewalls in an A/P cluster at Site A. As the new site will be connected via fibre we will split the cluster across both sites.
Site B will very much be a cold standby site with no production load under normal conditions.
We would like to still maintain PAN device redundancy at Site A.
Appreciate any answers, feedback and personal experience in this type of scenario.
Cheers,
Shannon
10-07-2014 12:22 PM
Hi Shannon,
This is currently not supported but we do have a feature request for it. You can mention FR 1043 to your sales/system engineer. He/She can vote on your behalf. Hope this helps. Thank you.
10-07-2014 12:24 PM
I don't think you can have three units as part of a cluster.
I would suggest running OSPF with the SiteB route as a lower metric, so in case SiteA goes down it fails over to SiteB.
Hope it helps!
10-07-2014 12:26 PM
Hi Shannon,
As Samir suggested, as of now it's not possible to add a third unit in HA.
Would it be possible to provide us a rough network diagram? That way we might be able to suggest another workaround.
Regards,
Hardik Shah
10-07-2014 12:41 PM
Hi,
Thanks for your answers. A very high level, sanitized diagram below. Ideally we would have 2 units at the production datacentre.
Is it possible to have an independent unit at the standby unit, and somehow script regular config restores to the standby datacentre? This would also require having all dataplane interfaces shut down, and could get messy, I realise; I just want to explore all options.
Thanks,
Shannon
10-07-2014 01:11 PM
Hi Shannon,
How would you use one more firewall in the "standby Data center"?
1. What routing functionality will it do?
2. When should it be active?
3. What traffic will it pass?
Regards,
Hardik Shah
10-07-2014 02:08 PM
1. What routing functionality it will do? - The intent would be for it to be another passive member of the cluster.
2. When it should be active? - If both units at the production unit were to fail, or the production facility were to be completely compromised.
3. What traffic it will pass. - Only HA sync traffic. In conjunction with the ISP and BGP routing (not on the PAN), network border IP addressing would be assumed in the event of #2 being realized.
10-07-2014 03:09 PM
Hi Shannon,
1. Another passive member - This is not possible.
2. If both units go down then it turns active - This is not possible.
3. Basically it should do routing if both the boxes fail - This is possible.
You will have to configure something like an IP monitor on the Internet CPE router. If both the units are down, then send traffic to the third unit.
This third unit is independent of the HA cluster.
Let me know if you have any additional queries on this.
Regards,
Hardik Shah