01-22-2026 09:21 AM
Having a general discussion about architecture with a colleague and after thoughts from a wider audience.
By deploying my Palo Alto in an Active/Active pair I can connect my firewalls directly to the ISP/MSP and use BGP to control route traffic.
My colleague's suggestion was it still needs the CE router where you can apply a simple zone based firewall/ACL on the router to limit the scope of traffic hitting our firewall. But I don't see any benefit in this. You can use Active/Active to overcome the limitation of needing FHRP for failover.
I was just wondering on other people's thoughts.
01-22-2026 09:27 AM
Depends if ISP advertises full Internet routing table or only default route (and maybe routes originating from their AS).
01-23-2026 11:32 AM
Hello,
My thoughts on modern design is you don't. But I'm sure there are special cases where you might.
Regards,

