Designing Networks with Palo Alto Networks Firewalls

Showing results for 
Search instead for 
Did you mean: 

Designing Networks with Palo Alto Networks Firewalls

L2 Linker

Hi All technical people ,


I have a simple query . I want to use PA firewall in HA and with a single ISP . In this case , as obvious, I need to use a switch in between my firewall and ISP and my understanding is clear upto this point but the real problem starts when I have to use two switches in between firewall and ISP for redundancy. 

'My query is how can I achieve this ???? Do I to place 2 switches in stack and configure aggregate interfaces ?? or do I have another option of achieving the same ??


Pls help


Accepted Solutions

Since your drawing only has one ISP, If the switch that the ISP plugs into fails, you wont have connectivity (unless you manually move cables around). If you add another ISP into the drawing, then that ISP will remain up and PA1 (the active one i'm guessing) would be able to get out via ISP2 plugged into switch 2. Now this works for outbound traffic. If you are hosting something internally, its a different story.

View solution in original post


Cyber Elite
Cyber Elite


If you only have 1 link/drop from the ISP, then I would say use only one switch, only because you already have a single point of failure. If you could get a second drop from the ISP (what I would recommend) with the notion that only one would be used at a time then an external switch is not required and plug the ISP into each PAN.




Hope that helps.

Hey thanks for converting my words into a diagram....

But see lets suppose I am using single switch , so here the problem is that my whole network is relying on this single switch..

I actually want to use 2 switches so that if one fails , network is still up.....Please guide me on that..

Hey no worries. So with two switches, you still have a single point of failure, e.g. the ISP. Here is a simple way of setting it up with two switches.



While you could get more complicated, I prefer the K.I.S.S model and with 1 ISP I dont see the need for additional complexity.


Since you only have one drop from the ISP, it can only go into 1 switch so if the switch that the ISP plugs into reboots or fails, the second switch doesnt provide any additional resiliency. Hence no real reason to have it, just my opinion.

Yeah You are right ! Oke I will be attaching rough diagram of my network in just few minutes so that I can tell you what is in my mind..


Meanwhile, Tell me one thing that If we go for 2nd ISP's , then how will be the network connectivity ??? I mean the purpose is full redundancy..



waiting for your reply..


It would look something like this:


Then you have several options when it comes to routing. The simplest would be use 1 ISP as primary and then the second as backup. But there are other options.

Hey thanks
As I will be load balancing two ISP's ...and in this case , traffic from active (1st one ) firewall towards second ISP is not possible ...right ?

So load balancing, not so much, but failover resiliency is supported.



Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!