Active Passive with different Uplink IP address.


Cyber Elite

We have two firewalls at different locations connected to different vendors via different ISPs.

 

Is it possible to have an uplink to the vendor with the same ISP but a different IP address in an active and passive setup?

MP


Cyber Elite

Hello,

Yes, this is possible; however, remember that the passive device is (not active), so both ISPs will need to plug into both PANs. Routing can be achieved via PBF or static routing.

 

Regards,

As the PAs share the IP addresses in HA, but with a different uplink on the passive PA, how will failover work?
MP


anyone can tell me if this is possible to accomplish?

MP


L7 Applicator

Are the firewalls managed by panorama?

yes they are

MP


L7 Applicator

I haven't tried this so far, but technically it should be possible ... also with some limitations probably.

With Panorama you are able to configure the devices of this A/P cluster independently (use template variables to be able to still configure as much as possible only once). Even if you configure different networks/interfaces for the two devices, you can configure the same policy in one device group. Depending on the actual network configuration, you can even use one NAT rule for the internet access. Here is also a limitation I can imagine: I don't know if the session sync properly works in an A/P cluster when there are different hide NAT addresses.

L6 Presenter

The best way to do this is to place your ISP connections outside of your FW environment into an L2 switch above. Then connect your FWs into that switch. You can utilize VLANs to make connectivity more seamless.


@Brandon_Wertz wrote:

The best way to do this is to place your ISP connections outside of your FW environment into an L2 switch above. Then connect your FWs into that switch. You can utilize VLANs to make connectivity more seamless.

The description of @MP18 sounds like there is no possibility of spanning the L2 VLANs across the locations. But if there is the possibility for that, then @MP18 you should definitely consider the input of @Brandon_Wertz.

Another option - 

 

You could simply run them independently and have them both advertise the default route into whatever dynamic routing protocol you are using. Site-A would prefer FW-A (closest to it) and Site-B would prefer FW-B (closest to it). This would cause sessions to have to be reinitialized in the event that one of the FWs goes down for whatever reason. If you are providing any inbound services, you would need something like an F5 and GSLB to use DNS to move traffic away from a downed FW.

 

It sounds like L2 connectivity between sites is a no-go? If not, you could also consider Active/Active, which would handle asynchronous routing and allow for both ISPs to be utilized like above, but with state maintained.
