06-24-2024 03:40 PM - edited 06-24-2024 04:45 PM
I have a request from my customer to implement the following HA setup where the PA 3410s are Active Passive to their partner that has 2 MPLS connections from different telcos where one side is generally the active side we'll call it Sprint and the failover side is Ma Bell. There is an image of diagram floating out there that shows bowtie looking connectivity. Photo attached. Looking at Palo Alto's KB I can't find anything like this. The image is out there on reddit at this link - https://www.reddit.com/r/paloaltonetworks/comments/yy8ium/how_two_pa3020_ha_activepassive_mode_link_... - and I get the consensus from this that it may be possible but no real supporting documentation one way or another. Is this doable? Where would I find an example in Palo's KB articles because I've searched based on this term - 'PA firewall active/passive failover using bowtie lan architecture' a well as ' PA firewall high availability active/passive to separate MPLS L3 connections back to back with routers'. Maybe my search string is too broad. I don't know. Anyone out here ever done this. I don't get the vibe this is doable.
06-25-2024 01:42 AM
this is perfectly doable, your approach will depend on a few things
from connectivity perspective, do both links in the bowtie need to use the same subnet, or are they different links?
in case each router has a different subnet, simply configure your interfaces with the appropriate IP/subnet and pick one of the following:
if both interfaces need to be in the same subnet, it gets a little more difficult:
hope this helps
06-25-2024 08:44 AM
Tom,
Thanks for the insight. I'm going to review what you recommended and look into the points relating to your recommendations. I'll respond more later here after I bounce it around to the router guys on my team because I will be relying on their input as well. Thank you again for your response.
06-26-2024 12:04 AM - edited 06-26-2024 12:22 AM
Tom,
The current set up is Cisco ISR (Partner) to ASA (my customer). ASAs are an active/standby config.Currently we have a /29 for the Sprint and the AT&T side. We are moving from the ASAs to PA 3410s.
The partner router is 10.10.10.1/29 and the ASA is 10.10.10.2/29 (with a standby IP of 10.10.10.3/29 on the Sprint circuit).
The AT&T circuit side is 10.10.10.9/29 on the partner router and 10.10.10.10/29 on the ASA with a standby of 10.10.10.11/29 for the standby IP.
Current partner network is 192.168.1.0/23 & 192.168.3.0/23 and both partner networks are reachable through either circuit depending on the active data center on the partner side. Sprint circuit is preferred. Partner has their ISR routers in my customer's data center going back to their data centers via MPLS. We static route both of the partner networks as follows:
192.168.1.0/23 & 192.168.3.0/23 via 10.10.10.1 metric of 1 to Sprint path.
192.168.1.0/23 & 192.168.3.0/23 via 10.10.10.9 metric of 5 to AT&T path.
I want to use a dynamic routing protocol preferably BGP to cover routing in the new setup. The firewalls being in active/standby Firewall 1 being the nominal active would share the IP of 10.10.10.3 with the standby firewall if it fails over for instance. I have attached my draft diagram if you want to review it. This is very rough and if we run BGP we would have to filter on the Palo Altos to keep any potential overlap out of the system.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
