07-09-2014 12:04 PM
Hi All,
My requirement:
ISP 1 4 Mbps (untrust) -> PA-500 A -> (trust) Cisco L3 switch A ->
ISP 2 4 Mbps (untrust) -> PA-500 B -> (trust) Cisco L3 switch B -> the same web servers, but using the ISP 1 and ISP 2 public IPs (for redundancy) to do static source NAT for the web servers.
External users should use both ISPs to reach the web servers in active/active HA mode -> load sharing/balancing.
My configuration doubts:
The trust L3 IPs connected to the Cisco switch should be different, right?
The DNS servers for the two ISPs are different, so I changed the default 4.2.2.2/8.8.8.8 to the ISP DNS servers, right?
The web servers should be exposed to external users, so I configured static source NAT and ticked bi-directional, right?
Please suggest the best and simplest practice for this requirement and confirm whether the above steps are right.
How do I do HA active/active? Please tell me the procedure.
07-10-2014 07:23 AM
Hello Javith,
"External users should use both ISPs to reach the web servers in active/active HA mode -> load sharing/balancing."
For the above sentence: we do not support load balancing.
"The trust L3 IPs connected to the Cisco switch should be different, right?" ---> Yes
"The DNS servers for the two ISPs are different, so I changed the default 4.2.2.2/8.8.8.8 to the ISP DNS servers, right?" ---> Optional
"The web servers should be exposed to external users, so I configured static source NAT and ticked bi-directional, right?" ---> Yes
For better practice on configuring HA Active/Active, please follow the document below.
Configuring Active/Active HA PAN-OS 4.0
The above document is similar for PAN-OS 4.1 and 5.0 as well.
Regards,
Hari
07-10-2014 08:06 AM
In your design I don't think you need Active/Active; you would be better served by a simpler and more standard Active/Passive design. Active/Active use cases are typically one of two:
Asymmetric routing occurs, so both paths need to have active firewalls.
There are two alternate paths that need active routing-protocol peers through the firewall, so the interfaces cannot be passive (down).
Neither applies to your design needs.
Another consideration is that your failover scenarios are more limited if you directly connect the two ISP feeds to the two firewalls. This means each ISP depends on that particular firewall being active, and the reverse as well. In other words, a single failure on either ISP or firewall forces a second failure on the directly attached partner: if ISP A fails, firewall A also cannot route out to the internet.
Better practice would be to create two ISP layer 2 VLANs on a switch with three ports each:
Port 1 - ISP router
Port 2 - firewall A
Port 3 - firewall B
Now both firewalls have access to both ISP feeds. Any ISP or firewall can fail, and that single failure will only affect that item, not any other.
You can configure dual ISP on the primary firewall. Then create an Active/Passive pair to cover the failure scenario.
You may find these dual ISP documents helpful.
How to Create Inbound NAT to a Single Server with 2 ISPs
Dual ISP Branch Office Configuration
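The two untrust VLANs from the reply above, written out as a Cisco IOS switch configuration. This is an added example, not part of the original post and not a Palo Alto Networks or Cisco document; the VLAN IDs (101, 102), interface numbers, descriptions and trunk ports are assumptions chosen for illustration. The one security-relevant choice is that neither VLAN gets an SVI, so the switch has no IP presence on the untrusted segments and cannot become a layer 3 path around the firewalls.

```cisco
! Added example (not from the original post). Cisco IOS access-switch config
! for the "two ISP layer 2 VLANs, three ports each" design. VLAN numbers,
! port numbers and descriptions are assumptions.
!
! VLAN 101 = ISP 1 hand-off, VLAN 102 = ISP 2 hand-off. Each VLAN has exactly
! three access ports: ISP router, firewall A untrust, firewall B untrust.
! Deliberately NO "interface Vlan101" / "interface Vlan102": the switch must
! stay pure layer 2 on the untrusted side.
vlan 101
 name ISP1-UNTRUST
vlan 102
 name ISP2-UNTRUST
!
! ---------- ISP 1 segment (VLAN 101) ----------
interface GigabitEthernet1/0/1
 description ISP1 router
 switchport mode access
 switchport access vlan 101
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/2
 description PA-500 A untrust to ISP1
 switchport mode access
 switchport access vlan 101
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/3
 description PA-500 B untrust to ISP1
 switchport mode access
 switchport access vlan 101
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! ---------- ISP 2 segment (VLAN 102) ----------
interface GigabitEthernet1/0/4
 description ISP2 router
 switchport mode access
 switchport access vlan 102
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/5
 description PA-500 A untrust to ISP2
 switchport mode access
 switchport access vlan 102
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/6
 description PA-500 B untrust to ISP2
 switchport mode access
 switchport access vlan 102
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Keep the ISP VLANs off every trunk so the untrusted segments cannot be
! extended to the trust-side switches or to other closets.
interface range GigabitEthernet1/0/47 - 48
 description trunk to trust-side core
 switchport mode trunk
 switchport trunk allowed vlan remove 101,102
```

To check the result, "show vlan id 101" and "show vlan id 102" should each list exactly three ports, "show interfaces trunk" should not show 101 or 102 in the allowed list on any trunk, and "show ip interface brief" should contain no Vlan101 or Vlan102 entry. On the firewall side each PA-500 then has two untrust interfaces (one per ISP VLAN), which is the dual-ISP layout the two linked documents configure; the Active/Passive pair covers a firewall failure, and either ISP can fail without taking a firewall with it.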