This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Designing Networks with Palo Alto Networks Firewalls

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Designing Networks with Palo Alto Networks Firewalls

Go to solution
kchopra01
L2 Linker

‎04-19-2018 12:56 PM

Hi All technical people ,

 

I have a simple query . I want to use PA firewall in HA and with a single ISP . In this case , as obvious, I need to use a switch in between my firewall and ISP and my understanding is clear upto this point but the real problem starts when I have to use two switches in between firewall and ISP for redundancy. 

'My query is how can I achieve this ???? Do I to place 2 switches in stack and configure aggregate interfaces ?? or do I have another option of achieving the same ??

 

Pls help

0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
OtakarKlier
Cyber Elite
Cyber Elite
In response to kchopra01

‎04-20-2018 08:48 AM

Since your drawing only has one ISP, If the switch that the ISP plugs into fails, you wont have connectivity (unless you manually move cables around). If you add another ISP into the drawing, then that ISP will remain up and PA1 (the active one i'm guessing) would be able to get out via ISP2 plugged into switch 2. Now this works for outbound traffic. If you are hosting something internally, its a different story.

View solution in original post

0 Likes Likes
14 REPLIES 14

Go to solution
OtakarKlier
Cyber Elite
Cyber Elite

‎04-20-2018 07:19 AM

Hello,

If you only have 1 link/drop from the ISP, then I would say use only one switch, only because you already have a single point of failure. If you could get a second drop from the ISP (what I would recommend) with the notion that only one would be used at a time then an external switch is not required and plug the ISP into each PAN.

 

image.png

 

Hope that helps.

0 Likes Likes

Go to solution
kchopra01
L2 Linker
In response to OtakarKlier

‎04-20-2018 07:32 AM

Hey thanks for converting my words into a diagram....

But see lets suppose I am using single switch , so here the problem is that my whole network is relying on this single switch..

I actually want to use 2 switches so that if one fails , network is still up.....Please guide me on that..

0 Likes Likes

Go to solution
OtakarKlier
Cyber Elite
Cyber Elite
In response to kchopra01

‎04-20-2018 07:43 AM - edited ‎04-20-2018 07:43 AM

Hey no worries. So with two switches, you still have a single point of failure, e.g. the ISP. Here is a simple way of setting it up with two switches.

 

image.png

While you could get more complicated, I prefer the K.I.S.S model and with 1 ISP I dont see the need for additional complexity.

 

Since you only have one drop from the ISP, it can only go into 1 switch so if the switch that the ISP plugs into reboots or fails, the second switch doesnt provide any additional resiliency. Hence no real reason to have it, just my opinion.

0 Likes Likes

Go to solution
kchopra01
L2 Linker
In response to OtakarKlier

‎04-20-2018 07:48 AM

Yeah You are right ! Oke I will be attaching rough diagram of my network in just few minutes so that I can tell you what is in my mind..

 

Meanwhile, Tell me one thing that If we go for 2nd ISP's , then how will be the network connectivity ??? I mean the purpose is full redundancy..

 

 

0 Likes Likes

Go to solution
kchopra01
L2 Linker
In response to kchopra01

‎04-20-2018 08:01 AM

waiting for your reply..

0 Likes Likes

Go to solution
OtakarKlier
Cyber Elite
Cyber Elite
In response to kchopra01

‎04-20-2018 08:20 AM

Hello,

It would look something like this:

image.png

Then you have several options when it comes to routing. The simplest would be use 1 ISP as primary and then the second as backup. But there are other options.

0 Likes Likes

Go to solution
kchopra01
L2 Linker
In response to OtakarKlier

‎04-20-2018 08:32 AM

Hey thanks
As I will be load balancing two ISP's ...and in this case , traffic from active (1st one ) firewall towards second ISP is not possible ...right ?
0 Likes Likes

Go to solution
OtakarKlier
Cyber Elite
Cyber Elite
In response to kchopra01

‎04-20-2018 08:37 AM

So load balancing, not so much, but failover resiliency is supported.

 

https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/policy/policy-based-forwarding/use-c...

 

 

0 Likes Likes

Go to solution
OtakarKlier
Cyber Elite
Cyber Elite
In response to OtakarKlier

‎04-20-2018 08:38 AM

OK i take that back. you could use ECMP:

 

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Implement-ECMP-Load-Balancing-on-...

0 Likes Likes

Go to solution
kchopra01
L2 Linker
In response to OtakarKlier

‎04-20-2018 08:42 AM

now I am attaching a rough network diagram . this will give you idea of what I have in mind for redundant network .

20180420_202833.jpg

 

now even if one switch fails, i would be able to communicate with second switch .. 

correct me if my above approach is wrong....

0 Likes Likes

Go to solution
kchopra01
L2 Linker
In response to OtakarKlier

‎04-20-2018 08:44 AM

Yes ....you are right I can use ECMP but the point is how would be my network look like ?? Is it the same way what I have attached above ...

 

My only query was how my physical connectivity would be if I want full redundant network .....i mean 2 firewalls and 2 switches and maybe 2 ISP's ..\

 

thanks

0 Likes Likes

Go to solution
OtakarKlier
Cyber Elite
Cyber Elite
In response to kchopra01

‎04-20-2018 08:48 AM

Since your drawing only has one ISP, If the switch that the ISP plugs into fails, you wont have connectivity (unless you manually move cables around). If you add another ISP into the drawing, then that ISP will remain up and PA1 (the active one i'm guessing) would be able to get out via ISP2 plugged into switch 2. Now this works for outbound traffic. If you are hosting something internally, its a different story.

0 Likes Likes

Go to solution
kchopra01
L2 Linker
In response to OtakarKlier

‎04-20-2018 09:05 AM

yes obviously i need to add 2nd ISP .

 

But this approach is correct right ? I mean,  one wire from 1st ISP will be plugged into a switch and one wire from 2nd ISP would be plugged into same switch ..right ? ...I am referring these two switches as single switch because they are in stack....

0 Likes Likes

Go to solution
OtakarKlier
Cyber Elite
Cyber Elite
In response to kchopra01

‎04-20-2018 09:32 AM

Yes, for outbound internet traffic. Obviously plug each ISP into a different switch. 

0 Likes Likes
  • 1 accepted solution
  • 6719 Views
  • 14 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks