I am currently working on a network redesign project with all Cisco gear. Our network engineer is opting for a complete HSRP Active/Active environment. According to all deployment documentation, HA Active/Passive seems to be the preferred method for the Palo Altos. I see that the PAs do support A/A HA using VRRP, so I do not see a configuration issue. Can someone provide the pros and cons of deploying the PAs in an A/P vs. A/A environment? Are there any performance implications? Are there any issues when using the PAs in an A/A configuration for VPN termination, etc.?
PAN does strongly prefer active/passive. But asymmetrical routing is not the only case where active/active is required.
Active/active is required if your infrastructure requires communication to be permitted between devices connected to the secondary firewall at all times. With PAN Active/Passive the secondary (passive) node has interfaces connected and link is up, but no traffic will pass until the device becomes active.
This is great for preventing layer 2 loops when the active and passive device are simply an alternate path for the same traffic.
But if your network design is fully active/active and therefore there is traffic such as BGP, VRRP, or other protocols that need to communicate on secondary links at all times, you must have the PAN cluster set up as active/active.
And if the network design is fully active/active where the traffic load is distributed across both paths, then active/active is also required.
Here's a link to the high-availability section of the PAN-OS documentation:
From there you can read Palo Alto Networks' recommendations, along with links to design guides and tech notes relating to both methods of high availability.
I am thinking of running active/active on a pair of 5250s in the network core due to the fact that southbound is a pair of core switches that are running alternating HSRP groups or even GLBP. If both firewalls are active then I can leverage ECMP from the core switches to the core firewalls. Anyone running Palo Altos in the core active/active?
I have run them active/active at the core. I scratched all Layer 2 trickery (HSRP, VRRP, etc.) and just incorporated them into my OSPF area. You have to think of them as 2 routers that just happen to share a session table. You can then inject default 0.0.0.0/0 routes from both. It doesn't matter which default route is preferred in your route tables (and yes, ECMP works awesome). If PANa is the session owner but PANb receives the packet, it will forward the packet over to the session owner (HA3/HSCI). There is only one catch in this scenario. If one of the PANs fails, the failover is instantaneous. Problems can arise when the failed member rejoins. If the OSPF/BGP, etc. protocols come up before the firewalls are completely synced, you will get some drops. To fix this, you can manually or by script turn on the ports connected to the PANs only after a full sync has occurred. (This last part is thanks to my Panorama instructor.)
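The rejoin gap described in the reply above (ports come up before the HA session sync finishes) can be closed by gating the port re-enable on the firewall's own HA state. The following is an added example, not code from the thread or from Palo Alto Networks: it parses a constructed response shaped like the PAN-OS `show high-availability state` op command and decides whether the switch-facing ports may be enabled. The element names `group/running-sync` and `group/local-info/state`, and the string values tested, are assumptions for this example.

```python
"""Decide whether a rejoining PAN HA member may receive traffic again.
Constructed example; XML field names and values are assumptions."""
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a PAN-OS XML API op-command reply
# (type=op, cmd=show high-availability state). Element names below are
# assumed for this example, not copied from vendor documentation.
SYNCED_RESPONSE = """<response status="success"><result>
  <enabled>yes</enabled>
  <group>
    <mode>Active-Active</mode>
    <running-sync>synchronized</running-sync>
    <running-sync-enabled>yes</running-sync-enabled>
    <local-info>
      <state>active-secondary</state>
      <state-reason>User requested</state-reason>
    </local-info>
    <peer-info><state>active-primary</state></peer-info>
  </group>
</result></response>"""

# Same member a moment after rejoining: up, but the session sync is not done.
REJOINING_RESPONSE = SYNCED_RESPONSE.replace(
    "<running-sync>synchronized</running-sync>",
    "<running-sync>synchronization in progress</running-sync>")

ACTIVE_STATES = ("active", "active-primary", "active-secondary")  # assumed names

def ha_status(xml_text):
    """Return (local HA state, running-config sync state) from the reply."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise RuntimeError("op command did not succeed")
    local = root.findtext("./result/group/local-info/state", default="unknown")
    sync = root.findtext("./result/group/running-sync", default="unknown")
    return local.strip(), sync.strip()

def safe_to_enable_ports(xml_text):
    """Only hand traffic to a member that is active AND fully synced.
    A member that is up but still syncing would drop sessions it has not
    yet learned from its peer, which is the rejoin problem described above."""
    state, sync = ha_status(xml_text)
    return state in ACTIVE_STATES and sync == "synchronized"

if __name__ == "__main__":
    for name, resp in (("synced", SYNCED_RESPONSE), ("rejoining", REJOINING_RESPONSE)):
        verdict = "enable ports" if safe_to_enable_ports(resp) else "keep ports down"
        print(f"{name}: {verdict}")
```

In practice the reply would come from the firewall's XML API with an API key, and the verdict would drive a `no shutdown` on the switch ports facing that member.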
I've done both. My preference is to run OSPF (or choose your dynamic routing protocol) to switches that support sub-interfaces (i.e. most Junipers), thus severing any Layer 2 / bridge loop goofiness and shrinking your broadcast/failure domains. These sub-interfaces are then segmented by VRF/vRouter/(choose your terminology), which are then assigned to security zones on the PAN. Then, inter-VRF matches inter-zone and intra-VRF matches intra-zone. Anything traversing between VRFs must hit the PAN and be processed (i.e. VRF segmentation).
You can either span the VLAN all the way through to the PAN sub-interfaces or route between the PAN and the 9Ks. I prefer routing between the two and, like I mentioned before, breaking up my security zones using VRF and redistributing your default gateway(s) with a dynamic routing protocol. You can do VRF on the 9Ks all day long.
That depends on your design and preferences. You can create a 0.0.0.0/0 static route on the PAN and redistribute from there. If you are running internet facing routers, you can redistribute from there back into the PAN. Or, you can have your ISP redistribute the default into your internet facing routers and back down through. It's really up to you.