08-07-2012 12:25 PM
Internet
|
|
Tier 1 FW
|
|
Tier 2 FW (Palo Alto Firewall) in Active/Passive mode
|
|
Core Switch (HA)
Hi,
Can I connect a pair of Tier 2 firewalls (A/P HA) to a Tier 1 firewall pair (A/P HA) without using a switch(s) in between? there will be 2 UTP from each T1 firewall - 1 to each Palo Alto Firewall.
the main reason is that there's no available switches for the network.
technically will this work? is there any impact to the cluster?
08-07-2012 08:05 PM
I assume when you say UTP, you mean that both active and passive Tier 2 Palo firewalls will each have a ethernet uplink (CAT5e) to the Tier 1 firewalls?
In order for this to work, the uplinks of the Active/Passive Tier 2 firewall cluster which would be placed downstream of the Tier 1 firewall cluster would need to be connected to layer 2 ports which share the same state table on the corresponding upstream Tier 1 firewall (that is....the same ARP and MAC table).
This would be required for HA transition to operate on the Tier 2 firewalls.
I guess it depends on what kind of firewalls the Tier 1 are it may work...if you have Cisco ASAs for example, you might be able to use two layer 2 switch ports to uplink to the Tier 2 firewalls. Or other vendor firewalls might let you put those ports into some kind of layer 2, pass-through mode.
No guarantees here without lab testing though...this is theoretical.
08-20-2012 03:06 PM
There are docs in the documentation area on how to setup two ISP's at once - this would be similar setup (see TFW1 as "ISP1" and TFW2 as "ISP2").
The PA cluster must "ping" each uplink to determine which way is functional.
However in order for this to work without switches in between you need to do a manual full-mesh.
Meaning PA1 is connected with one (or more) wires to TFW1 and with one (or more) wires to TFW2. Where PA2 have the same setup - otherwise you might end up with PA1 is dead so PA2 became active but TFW1 is still active and TFW2 is passive.
As already mentioned you wont need this full-mesh if the passive unit of TFW cluster acts as a L2-device (similar to how HSRP/VRRP works).
Another method is to setup PA as active-active cluster or two single boxes (however the later will most likely demand some sort of loadbalancing before the PA cluster so a specific client will use a specific PA on its way out in order to keep logs in a sane way but also for the appid and flows and stuff in PA to work properly).
You could also use PA-cluster as VWIRE (without active/passive failover) to avoid routing/pbf headache 🙂
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
