07-28-2022 07:14 AM
I would like to add a 24-port switch to each Palo. To maintain HA redundancy, I just have to run the HA Control across the switches right? Does the Session Link have to go through the switches too?
07-28-2022 06:12 PM
I'm kind of confused on what you're asking. Adding a switch (or switches) behind your firewalls isn't a problem at all. You just need to make sure that you've configured everything so that the traffic can reach your firewall properly, and ensure that your firewall's routing is set up properly as well. You don't need to do anything with the HA links if you're just adding a switch (or switches) behind the hardware.
If you want to run your HA links through a switch, that's also perfectly fine if you want to locate the devices in physically diverse areas that prevent a direct connection. Depending on latency you might have to play around with HA timers, but that's really the only gotcha.
You'd likely want to enable encryption on your control (HA1) links if these are directly connected, for additional security, if you choose to route these connections through the network. Also keep in mind that, depending on the network, you'll want to set the data link (HA2) transport to Ethernet (layer 2) or IP (layer 3) depending on how you're routing things. If you aren't running layer 3, I highly recommend separating this traffic onto its own dedicated VLANs (one for HA1 and one for HA2).
07-29-2022 11:37 AM
Hello,
If you have a quick drawing, that could help us answer your questions.
Regards,