Designing Networks with Palo Alto Networks Firewalls

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Designing Networks with Palo Alto Networks Firewalls

L2 Linker

Hi All technical people ,

 

I have a simple query . I want to use PA firewall in HA and with a single ISP . In this case , as obvious, I need to use a switch in between my firewall and ISP and my understanding is clear upto this point but the real problem starts when I have to use two switches in between firewall and ISP for redundancy. 

'My query is how can I achieve this ???? Do I to place 2 switches in stack and configure aggregate interfaces ?? or do I have another option of achieving the same ??

 

Pls help

1 accepted solution

Accepted Solutions

Since your drawing only has one ISP, If the switch that the ISP plugs into fails, you wont have connectivity (unless you manually move cables around). If you add another ISP into the drawing, then that ISP will remain up and PA1 (the active one i'm guessing) would be able to get out via ISP2 plugged into switch 2. Now this works for outbound traffic. If you are hosting something internally, its a different story.

View solution in original post

14 REPLIES 14

Cyber Elite
Cyber Elite

Hello,

If you only have 1 link/drop from the ISP, then I would say use only one switch, only because you already have a single point of failure. If you could get a second drop from the ISP (what I would recommend) with the notion that only one would be used at a time then an external switch is not required and plug the ISP into each PAN.

 

image.png

 

Hope that helps.

Hey thanks for converting my words into a diagram....

But see lets suppose I am using single switch , so here the problem is that my whole network is relying on this single switch..

I actually want to use 2 switches so that if one fails , network is still up.....Please guide me on that..

Hey no worries. So with two switches, you still have a single point of failure, e.g. the ISP. Here is a simple way of setting it up with two switches.

 

image.png

While you could get more complicated, I prefer the K.I.S.S model and with 1 ISP I dont see the need for additional complexity.

 

Since you only have one drop from the ISP, it can only go into 1 switch so if the switch that the ISP plugs into reboots or fails, the second switch doesnt provide any additional resiliency. Hence no real reason to have it, just my opinion.

Yeah You are right ! Oke I will be attaching rough diagram of my network in just few minutes so that I can tell you what is in my mind..

 

Meanwhile, Tell me one thing that If we go for 2nd ISP's , then how will be the network connectivity ??? I mean the purpose is full redundancy..

 

 

waiting for your reply..

Hello,

It would look something like this:

image.png

Then you have several options when it comes to routing. The simplest would be use 1 ISP as primary and then the second as backup. But there are other options.

Hey thanks
As I will be load balancing two ISP's ...and in this case , traffic from active (1st one ) firewall towards second ISP is not possible ...right ?

So load balancing, not so much, but failover resiliency is supported.

 

https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/policy/policy-based-forwarding/use-c...

 

 

now I am attaching a rough network diagram . this will give you idea of what I have in mind for redundant network .

20180420_202833.jpg

 

now even if one switch fails, i would be able to communicate with second switch .. 

correct me if my above approach is wrong....

Yes ....you are right I can use ECMP but the point is how would be my network look like ?? Is it the same way what I have attached above ...

 

My only query was how my physical connectivity would be if I want full redundant network .....i mean 2 firewalls and 2 switches and maybe 2 ISP's ..\

 

thanks

Since your drawing only has one ISP, If the switch that the ISP plugs into fails, you wont have connectivity (unless you manually move cables around). If you add another ISP into the drawing, then that ISP will remain up and PA1 (the active one i'm guessing) would be able to get out via ISP2 plugged into switch 2. Now this works for outbound traffic. If you are hosting something internally, its a different story.

yes obviously i need to add 2nd ISP .

 

But this approach is correct right ? I mean,  one wire from 1st ISP will be plugged into a switch and one wire from 2nd ISP would be plugged into same switch ..right ? ...I am referring these two switches as single switch because they are in stack....

Yes, for outbound internet traffic. Obviously plug each ISP into a different switch. 

  • 1 accepted solution
  • 6717 Views
  • 14 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!