adding Switches to HA Pair

L1 Bithead

I would like to add a 24-port switch to each Palo. To maintain HA redundancy, I just have to run the HA Control across the switches, right? Does the Session Link have to go through the switches too?

1 accepted solution

Accepted Solutions

Cyber Elite

@rlambright,

I'm kind of confused on what you're asking. Adding a switch (or switches) behind your firewalls isn't a problem at all. You just need to make sure that you've configured everything so that the traffic can reach your firewall properly, and ensure that your firewalls' routing is set up properly as well. You don't need to do anything with the HA links if you're just adding a switch (or switches) behind the hardware.

If you want to run your HA links through a switch, that's also perfectly fine if you want to locate the devices in physically diverse areas that prevent a direct connection. Depending on latency you might have to play around with HA timers, but that's really the only gotcha.

You'd likely want to enable encryption on your control (HA1) links, if these are directly connected, for additional security if you choose to route these connections through the network. Also keep in mind that, depending on the network, you'll want to set the data link (HA2) transport to Ethernet (layer 2) or IP (layer 3) depending on how you're routing things. If you aren't running layer 3, I highly recommend separating this traffic into its own dedicated VLAN (one for HA1 and one for HA2).

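As an added example (not from the post or from Palo Alto Networks documentation), the PAN-OS CLI settings on one peer that correspond to the advice above when the HA links traverse switches: HA1 encryption on, HA2 carried as layer 2 in its own VLAN, and the timers left as a tunable. The interface names, addresses and group id are constructed placeholders, and the exact command syntax is assumed to match the operator's PAN-OS release; check it with `?` completion before committing.

```text
# Peer A (constructed values; peer B mirrors this with its own addresses)
configure

# HA group: id and the HA1 address of the other peer
set deviceconfig high-availability enabled yes
set deviceconfig high-availability group group-id 1
set deviceconfig high-availability group peer-ip 10.255.1.2
set deviceconfig high-availability group mode active-passive

# HA1 (control link) - a dedicated port, own /30, and encryption enabled
# because the frames now cross a switch instead of a back-to-back cable.
# Encryption also requires exchanging the HA keys between peers
# (export ha-key / import ha-key), which is not shown here.
set deviceconfig high-availability interface ha1 port ethernet1/7
set deviceconfig high-availability interface ha1 ip-address 10.255.1.1
set deviceconfig high-availability interface ha1 netmask 255.255.255.252
set deviceconfig high-availability interface ha1 encryption enabled yes

# HA2 (session sync) - separate port, layer-2 transport because the two
# switch ports sit in one dedicated VLAN with no routing in between.
# Use "transport ip" (or udp) instead if HA2 must cross a routed hop.
set deviceconfig high-availability interface ha2 port ethernet1/8
set deviceconfig high-availability interface ha2 transport ethernet

# Timers: start with the recommended profile; move to "advanced" and raise
# the hello/heartbeat values only if switch latency causes flapping.
set deviceconfig high-availability group election-option timers recommended

commit
```

On the switches, the two access ports for HA1 go in one VLAN and the two for HA2 in another, with nothing else in either VLAN, so a broadcast storm or misconfigured host elsewhere cannot interfere with the HA heartbeat.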

2 Replies

Cyber Elite

Hello,

If you have a quick drawing, that could help us answer your questions.


Regards,

  • 1 accepted solution
  • 3317 Views
  • 2 replies
  • 0 Likes