03-25-2019 10:09 AM - edited 03-25-2019 10:10 AM
We have two firewalls at different locations connected to different vendors via different ISPs.
Is it possible to have an uplink to the vendor with the same ISP but a different IP address in an active/passive setup?
03-25-2019 02:24 PM
Hello,
Yes, this is possible; however, remember that the passive device is not active, so both ISPs will need to plug into both PANs. Routing can be achieved via PBF or static routing.
Regards,
03-25-2019 02:34 PM
As the PAs share the IP addresses in HA, but with a different uplink on the passive PA, how will failover work?
04-06-2019 02:46 PM
Can anyone tell me if this is possible to accomplish?
04-06-2019 02:52 PM
Are the firewalls managed by Panorama?
04-06-2019 03:16 PM
Yes, they are.
04-06-2019 03:24 PM
I haven't tried this so far, but technically it should be possible ... also with some limitations, probably.
With Panorama you are able to configure the devices of this A/P cluster independently (use template variables to be able to still configure as much as possible only once). Even if you configure different networks/interfaces for the two devices, you can configure the same policy in one device group. Depending on the actual network configuration you can even use one NAT rule for the internet access. Here is also a limitation I can imagine: I don't know if the session sync properly works in an A/P cluster when there are different hide NAT addresses.
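The points in this reply (one shared policy, per-device network settings, and the open question about differing hide-NAT addresses) can be turned into a pre-commit sanity check over the two peers' settings. The following is an added example, not code from the thread or from Palo Alto Networks: the Peer records, their field names and the constructed sample addresses are assumptions standing in for values you would export from each device, and policy_fingerprint is a hypothetical hash of the rulebase pushed from the device group.

```python
"""Consistency check for an active/passive pair whose members use different
ISP uplinks (added example; not from the thread or from Palo Alto Networks).
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Peer:
    name: str
    uplink_if: str            # ISP-facing interface, configured per device via a template variable
    uplink_ip: str            # interface address with prefix length, e.g. 198.51.100.10/30
    default_gw: str           # ISP next hop for this device
    hide_nat_ip: str          # source NAT address used for outbound sessions
    policy_fingerprint: str   # hypothetical hash of the rulebase pushed from the device group


def check_pair(a: Peer, b: Peer) -> list[tuple[str, str]]:
    """Return (severity, message) findings for the pair; empty means nothing to report."""
    findings: list[tuple[str, str]] = []

    # The policy must come from one device group; only network settings may differ.
    if a.policy_fingerprint != b.policy_fingerprint:
        findings.append(("error", "security policy differs between peers; push it from one device group"))

    # Each peer's default gateway must sit inside that peer's own uplink subnet.
    for p in (a, b):
        net = ipaddress.ip_interface(p.uplink_ip).network
        if ipaddress.ip_address(p.default_gw) not in net:
            findings.append(("error", f"{p.name}: gateway {p.default_gw} is not in uplink subnet {net}"))

    if a.uplink_ip == b.uplink_ip:
        findings.append(("info", "peers share uplink addressing (standard A/P behind one upstream)"))
    else:
        findings.append(("info", f"per-device uplinks: {a.name} {a.uplink_ip} via {a.default_gw}, "
                                 f"{b.name} {b.uplink_ip} via {b.default_gw}"))

    # Different hide-NAT addresses: synced sessions carry the translated address of
    # the peer that built them, so after failover the ISP must still deliver that
    # address to the new active device. This is the limitation the reply raises.
    if a.hide_nat_ip != b.hide_nat_ip:
        findings.append(("warn", f"hide NAT differs ({a.hide_nat_ip} vs {b.hide_nat_ip}); "
                                 "verify the ISP still routes the failed peer's address after failover"))
    return findings


# Constructed samples (not real devices): the thread's scenario, one ISP but a
# distinct /30 and address per peer, plus two deliberately broken variants.
FW_A = Peer("fw-a", "ethernet1/1", "198.51.100.10/30", "198.51.100.9", "198.51.100.10", "rulebase-v7")
FW_B = Peer("fw-b", "ethernet1/1", "198.51.100.14/30", "198.51.100.13", "198.51.100.14", "rulebase-v7")
FW_B_STALE = Peer("fw-b", "ethernet1/1", "198.51.100.14/30", "198.51.100.13", "198.51.100.14", "rulebase-v6")
FW_B_BADGW = Peer("fw-b", "ethernet1/1", "198.51.100.14/30", "198.51.100.9", "198.51.100.14", "rulebase-v7")


if __name__ == "__main__":
    for label, pair in (("ok", (FW_A, FW_B)), ("stale policy", (FW_A, FW_B_STALE)), ("bad gw", (FW_A, FW_B_BADGW))):
        print(f"== {label}")
        for severity, message in check_pair(*pair):
            print(f"[{severity}] {message}")
```

The check deliberately treats differing uplinks as information rather than an error, because that is the design being discussed; what it flags is the combination that the reply is unsure about, a hide-NAT address that changes with the active peer.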
04-08-2019 06:52 AM
The best way to do this is to place your ISP connections outside of your FW environment into an L2 switch above. Then connect your FWs into that switch. You can utilize VLANs to make connectivity more seamless.
04-08-2019 10:13 AM
@Brandon_Wertz wrote: The best way to do this is to place your ISP connections outside of your FW environment into an L2 switch above. Then connect your FWs into that switch. You can utilize VLANs to make connectivity more seamless.
The description of @MP18 sounds like there is no possibility of spanning the L2 VLANs across the locations. But if there is the possibility for that, then @MP18, you should definitely consider the input of @Brandon_Wertz.
04-08-2019 12:15 PM
Another option:
You could simply run them independently and have them both advertise the default route into whatever dynamic routing protocol you are using. Site-A would prefer FW-A (closest to it) and Site-B would prefer FW-B (closest to it). This would cause sessions to have to be reinitialized in the event that one of the FWs goes down for whatever reason. If you are providing any inbound services, you would need something like an F5 and GSLB to use DNS to move traffic away from a downed FW.
It sounds like L2 connectivity between sites is a no-go? If not, you could also consider Active/Active, which would handle asynchronous routing and allow for both ISPs to be utilized like above, but with state maintained.