Active Active High Availability

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Active Active High Availability

L0 Member

Hello Group,

 

I have done migration from Cisco ASA Firewalls to Palo Alto Firewalls.

 

In Cisco ASA Firewalls, I was using multi-context (there were two contexts, Context-A and Context-B). Context A was active on Firewall-1 and Context-B was active on Firewall-2. Once Firewall-1 goes down, Firewall-2 will be active for both Context-A and Context-B.

 

I have studied High Availability documentation for Palo Alto Firewalls, from what i have studied i dont think it is possible to load balance the traffic in this way. I have created two vsys, (vsys-A and vsys-B). I want vsys-A to be active on Firewall-1 and vsys-B to be active on Firewall-2. Vsys-A should get active on Firewall-2 only in case Firewall-1 goes down and once Firewall-1 gets back live again then Vsys-A should be switched to Firewall-1. Similarly for Vsys-B.

 

There are four different use cases for Active Active High Availability but i think none of these matches my requirement.

1. Active/Active HA with Floating IP Address Bound to Active-Primary Firewall
2. Active/Active HA with Floating IP Addresses
3. Active/Active HA with Route-Based Redundancy
4. Active/Active HA with ARP Load-Sharing

 

Please if anyone can give feedback on this.

3 REPLIES 3

Cyber Elite
Cyber Elite

High Availability in Palo Alto is all about redundancy and not about load sharing/balancing

All config will always be active on both members

(for loadbalancing you should use external loadbalancers and HA4)

 

what comes closest to your config is floating IP with lower priorities on primary or secondary to make IP's "stick" to one peer until that peer goes down. this way you can control which member owns the IP, so in essence where the vsys and other config is utilised

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

L0 Member

Thank you for your reply! Actually this is what I tried to do on my two firewalls to support above scenario. But its not working in that way.

 

There are 10 subnets, i want 5 subnets of Vsys-A to go to Firewall-1 and want 5 subnets of vsys-B to go to Firewall-2.
If Firewall-1 fails then all 10 subnets of vsys-A and B to go to Firewall-2.
If firewall-2 fails then all 10 subnets of vsys-A and B to go to Firewall-1.
Vsys-A
10.11.1.0/24
10.11.2.0/24
10.11.3.0/24
10.11.4.0/24
10.11.5.0/24

Vsys-B
10.11.6.0/24
10.11.7.0/24
10.11.8.0/24
10.11.9.0/24
10.11.10.0/24

To support my above configuration, I went to Device -> High Availability -> Active/Active Config -> Virtual Addresses.
I defined 10 Floating Addresses here (default gateways for the 10 subnets). 10.11.x.254

1. 10.11.1.254, 10.11.2.254, 10.11.3.254, 10.11.4.254, 10.11.5.254
Type Floating
Device 0: 100
Device 1: 150

2. 10.11.6.254, 10.11.7.254, 10.11.8.254, 10.11.9.254, 10.11.10.254
Type Floating
Device 0: 150
Device 1: 100

Cyber Elite
Cyber Elite

In ha3 config you also need to set session owner etc. to "first packet" for this to work smoothly

 

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
  • 3339 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!