We are about to work on a Paloalto cluster deployment, which will be sitting next to the internet (we will have two separate providers) and we need to make the decision whether we configure it as A/A or A/P.
I keep reading in quite some places (forums and so) that A/P is Paloalto preferred way. That is also my first option, but I would like to have some official documentation to support that decision. Does anyone know where I can find such documentation from Paloalto, where they discuss A/P against A/A?
(I have been able to find the technical documentation of each of the cases, as well as their requirements, but not a specific discussion detailing kind of pros and cons of each of them).
Thanks a lot in advance
Not sure you will find any documented reasons but basically..
You don't gain much from A/A other than more throughput during normal running, but your not running N+1 so if one FW dies your under capacity. The added complexity also makes it far more difficult to implement successfully.
Hence a properly sized A/P N+1 is the recommended.
Are you utilizing any dynamic routing protocols with you service providers (and internally)? You might want to consider A/A. What you will learn is this can be very beneficial but will require a lot of setup on you part with a good working knowledge of BGP/OSPF/etc.
No dynamic routing protocols on either side? Stick with A/P.
We are about to work on a Paloalto cluster deployment, which will be sitting next to the internet (we will have two separate providers) and we need to make the decision whether we configure it as A/A or A/P
Thanks a lot in advance
In our deployment we have 3 independent ISPs across 2 DCs and we run A/P. As others have stated an A/A deployment is primarily about throughput. If you become reliant upon that second firewall's throughput then when you upgrade or a failure occurs you're environment is now degraded in an A/P deployment you're at N+1 which makes for a much more stable environment.
Thanks all for the replies.
@jeremy.larsen, indeed we will be running BGP to the internet and (most likely) OSPF internally. But the point is that I do not really see those benefits anyway, in setting the cluster up as A/A. Or say it other way, I do not see any potential benefit that would pay off the rather important increase in complexity (not that it is an issue itself, but it also would complicate any troubleshooting when the time comes, for the NOC and so).
Again, thanks all for providing your inputs. That's kind of what I am looking for, to gather a list of pros and cons of each of the two options, to make the final decision.
I've done both. A/A is definitely cool but requires a lot of planning and a deep understanding of what you are doing. If you want BGP to handle the failover for inbound services (ie: website, etc) then A/A is the way to go. Or you can drop HA and use Load Balancers to handle your firewalls and all the routing decisions. If you have something like an F5 handing failover using DNS and no IPs are getting moved between locations, then use good 'ole A/P and call it a day.
- Just my 2 cents
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!