06-22-2021 08:57 AM
Hello Group,
I have done a migration from Cisco ASA firewalls to Palo Alto firewalls.
In the Cisco ASA firewalls I was using multi-context (there were two contexts, Context-A and Context-B). Context-A was active on Firewall-1 and Context-B was active on Firewall-2. Once Firewall-1 goes down, Firewall-2 becomes active for both Context-A and Context-B.
I have studied the High Availability documentation for Palo Alto firewalls, and from what I have studied I don't think it is possible to load balance the traffic in this way. I have created two vsys (vsys-A and vsys-B). I want vsys-A to be active on Firewall-1 and vsys-B to be active on Firewall-2. Vsys-A should become active on Firewall-2 only in case Firewall-1 goes down, and once Firewall-1 is back live again, vsys-A should be switched back to Firewall-1. Similarly for vsys-B.
There are four different use cases for Active/Active High Availability, but I think none of these matches my requirement.
1. Active/Active HA with Floating IP Address Bound to Active-Primary Firewall
2. Active/Active HA with Floating IP Addresses
3. Active/Active HA with Route-Based Redundancy
4. Active/Active HA with ARP Load-Sharing
Please, if anyone can give feedback on this.
06-23-2021 02:21 PM
High Availability in Palo Alto is all about redundancy and not about load sharing/balancing.
All config will always be active on both members.
(For load balancing you should use external load balancers and HA4.)
What comes closest to your config is floating IP with lower priorities on primary or secondary to make IPs "stick" to one peer until that peer goes down. This way you can control which member owns the IP, so in essence where the vsys and other config is utilised.
06-24-2021 05:35 AM
Thank you for your reply! Actually, this is what I tried to do on my two firewalls to support the above scenario. But it's not working that way.
There are 10 subnets; I want the 5 subnets of vsys-A to go to Firewall-1 and the 5 subnets of vsys-B to go to Firewall-2.
If Firewall-1 fails, then all 10 subnets of vsys-A and vsys-B should go to Firewall-2.
If Firewall-2 fails, then all 10 subnets of vsys-A and vsys-B should go to Firewall-1.
Vsys-A
10.11.1.0/24
10.11.2.0/24
10.11.3.0/24
10.11.4.0/24
10.11.5.0/24
Vsys-B
10.11.6.0/24
10.11.7.0/24
10.11.8.0/24
10.11.9.0/24
10.11.10.0/24
To support my above configuration, I went to Device -> High Availability -> Active/Active Config -> Virtual Addresses.
I defined 10 Floating Addresses here (default gateways for the 10 subnets): 10.11.x.254
1. 10.11.1.254, 10.11.2.254, 10.11.3.254, 10.11.4.254, 10.11.5.254
   Type: Floating
   Device 0: 100
   Device 1: 150
2. 10.11.6.254, 10.11.7.254, 10.11.8.254, 10.11.9.254, 10.11.10.254
   Type: Floating
   Device 0: 150
   Device 1: 100
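As an added illustration (not code from the thread or from Palo Alto Networks), the model below works through the floating-IP ownership the poster configured above. It assumes, per the reply's description, that the lower priority value is the preferred owner, that the peer takes an address only while the preferred owner is down, and that a preemption setting decides whether the address returns to the preferred owner on recovery; the preemption flag and the state sequence are constructed for the example.

```python
# Constructed model of Active/Active floating-IP ownership; not PAN-OS code.
# Assumptions: lower device-priority value = preferred owner; if the preferred
# device is down the surviving peer owns the address; with preemption the
# address returns as soon as the preferred device is up again, without it the
# current owner keeps the address until it fails itself.
from dataclasses import dataclass


@dataclass
class FloatingIP:
    address: str
    priority: dict  # {device_id: priority}, e.g. {0: 100, 1: 150}


def resolve_owner(fip, device_up, current_owner, preempt):
    """Return the device id that should hold fip, or None if no device is up."""
    up = [d for d in fip.priority if device_up[d]]
    if not up:
        return None
    owner_lost = current_owner is None or not device_up[current_owner]
    if preempt or owner_lost:
        # Lowest priority value among the devices that are up wins.
        return min(up, key=fip.priority.get)
    return current_owner  # no preemption: sticky until the owner fails


def build_posters_config():
    """The 10 floating gateways from the post: vsys-A prefers device 0, vsys-B device 1."""
    vsys_a = [FloatingIP(f"10.11.{i}.254", {0: 100, 1: 150}) for i in range(1, 6)]
    vsys_b = [FloatingIP(f"10.11.{i}.254", {0: 150, 1: 100}) for i in range(6, 11)]
    return vsys_a + vsys_b


def simulate(fips, states, preempt):
    """states: sequence of {device_id: is_up}; returns {address: owner} after each state."""
    owners = {f.address: None for f in fips}
    history = []
    for device_up in states:
        for f in fips:
            owners[f.address] = resolve_owner(f, device_up, owners[f.address], preempt)
        history.append(dict(owners))
    return history


if __name__ == "__main__":
    # Constructed sequence: both up -> Firewall-1 (device 0) down -> both up again.
    states = [{0: True, 1: True}, {0: False, 1: True}, {0: True, 1: True}]
    for preempt in (True, False):
        for step, owners in enumerate(simulate(build_posters_config(), states, preempt)):
            on_dev0 = sum(1 for o in owners.values() if o == 0)
            print(f"preempt={preempt} step={step}: {on_dev0} addresses on device 0")
```

The third step is where the two settings diverge: with preemption the five vsys-A gateways move back to device 0 once it recovers, without it all ten stay on device 1.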