This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Do I need to deploy a switch between 2xPA firewall (Active-Passive) and 1xJuniper MX router ?

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Do I need to deploy a switch between 2xPA firewall (Active-Passive) and 1xJuniper MX router ?

wsf7528
L1 Bithead

‎01-16-2024 09:36 PM

Do I need to deploy a switch between PA firewall (AP) and a Juniper Router in order to have an aggregate ethernet interface (AE) connected? Please refer to the diagram attached.

 

The setup is below:

 

PA-1 (A)-------------PA-2 (P)

|                              |

|                              |

|          LACP           |

 

Juniper router

 

 

Preview file
38 KB
0 Likes Likes
5 REPLIES 5

wsf7528
L1 Bithead

‎01-16-2024 11:21 PM

Here is the diagram.image.png

0 Likes Likes

OtakarKlier
Cyber Elite
Cyber Elite

‎01-17-2024 02:23 PM

Hello,

I cannot say for sure, but shouldnt have to. The Juniper will just see the connection to the passive PAN as down.

Regards,

wsf7528
L1 Bithead
In response to OtakarKlier

‎01-17-2024 03:08 PM

Thanks for your reply Otakar, from PA AP, it can keep track of the ae0 link, in case the ae0 (1xchild interface only) is not response ping or down, the Active PA can trigger a failover to the passive one. 

However, I might think about if the traffic will go through ae1 link since the link is up on Passive PA and it will blackhole the traffice.

Or you think the traffic won't go through the ae1 between MX and PA-passive FW?  

0 Likes Likes

Raido_Rattameister
Cyber Elite
Cyber Elite

‎01-18-2024 05:48 AM - edited ‎01-18-2024 05:49 AM

Device > High Availability > General

 

If it is Shutdown then Juniper sees AE1 as down.

If it is set to Auto then AE1 link is up but passive Palo is not responding to ARP requests so if Juniper don't have any ARP entries pointing to AE1 it should not send any traffic towards it.

 

Benefit with auto is that you can have LACP pre-negotiated on passive Palo and failover takes less time.

 

Raido_Rattameister_0-1705585500104.png

 

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

wsf7528
L1 Bithead

‎01-19-2024 05:02 PM

Thanks chaps!

0 Likes Likes
  • 1188 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks