We have an active/passive 3020 and in front of them we have A10 load balancers. We want to change our current configuration so we can load balance between our two ISPs.
What is the best practice regarding the Palo Alto? Which would be the best architecture in this scenario?
If you want to load balance GlobalProtect connections you'll need to configure a second VR so that you can use the secondary ISP connection for another gateway. Then in your portal configuration you'll need to load-balance your users through both gateways.
Is there any reason that you want to replace the A10 load-balancers and terminate directly on the firewall?
Hello @BPry ,
I do not want to replace my A10. My mistake if I did not explain myself in the best possible way.
We currently have GlobalProtect working but with just one public IP address. We are using our A10 for other services (web server, etc.) but we are not using it to balance our GP links.
We want to start using the public IP address of our second ISP so we can balance the load between both paths.
Hope I explained better.
This is where it could get a bit messy. Are the A10s designed and set up to take in multiple sources and push them to 1 IP/client? This is typically the reverse of what load balancers do. Then you have the DNS issue where your public DNS for your GlobalProtect clients has two IP entries. This is just DNS round robin, so technically there is no need for the A10s since DNS is handling it and you only have 1 active PAN to service the clients.
Since we don't know the reasons behind this, it's tough to advise. However, I am a fan of the KIS model (keep it simple).
That's what I thought. It is the reverse of what load balancers usually do.
The reason behind this is the COVID pandemic: we have almost 80% of our users working from home and we want to prevent any saturation in one of our links by balancing the connections between the two public IP addresses that we have instead of one.
But as you mentioned, both connections would be received by the same firewall so the saturation would happen anyway. Am I right?
I would look into splitting the traffic:
i.e. VPN traffic comes in over ISP A and regular web browsing traffic goes out ISP B, or something similar.
However, increasing bandwidth would be the easiest way to make sure you don't run out of bandwidth.