Currently, we have two PA 2050s each hooked into a Brocade FCX switch, which are stacked together. We cando a heartbeat connection over our datacenter's switch, so if one of our drops fails, it will failover. However, reading through the configuration guide it seems like the 2050 does not support link aggregation, and I had planned on using it so that each firewall can talk to both switches in case one fails. Since each firewall is plugged into a single Brocade switch, if one of the switches fail, with our current setup (active-passive) the Palo Alto box for the working switch will not become active, as the heartbeat will be going over our datacenter's switch. If we switched the heartbeat to go over our Brocade switches and then our datacenter's drop fails, the passive still won't become active as it will still be sending a heartbeat to the active box. If we had link aggregation, it would be as simple as hooking each firewall into both switches, but without it I'm not sure how we can do that. An active-active seems like it could be a solution here, but is it possible to do this with an active-passive configuration?
If I do need to use active-active, any ideas on what configuration I should use? Active-passive setup was a cinch, but it has been a real pain trying to get active-active to work, I have yet to succeed so far. Thanks for the help.0
Active-passive with PA is more of an online version of "coldstandby" (lets call it "hotstandby" or something :-). Meaning that the passive unit is an exact copy of the active unit except for the mgmt ip and hostname. If the active dies (or is considered to be dead or not fully functional) then the passive unit will become active.
Active-active with PA wont bring you more performance but can solve situations where you have assymetric routing.
It seems that if you can avoid active-active then you should avoid it.
In your case you could go for active-active however im not sure on how it will deal with LACP. If using LACP (or etherchannel) through an active-active group you must be sure that the loadbalancing wont spread the same session over multiple lines. I think the design guide recommends that each LACP group goes over a single PA-unit. Like int1 and int2 is LACP1 and goes to PA1 where int3 and int4 forms LACP2 and goes to PA2 (check the links in the end of this post).
Another solution is to setup your two (or more) PA-boxes as single-units (they dont know of each other). This would force you to configure everything twice (or three or four times depending on how many boxes you would have in this setup) but can this can be avoided by using Panorama instead (this way you can configure global rules for everything and push out to all boxes). The point of configure the units as single-units is to gain performance and then let the routers/loadbalancer before/after your PA-setup to spread the load of available lines (PA-boxes) and dont forget to keep each session over a single line (until it fails and then move these sessions to another line).
Also check out these documents for ideas on how to setup PA-boxes in various situations:
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!