Does Active-Active HA supports more users?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.
Palo Alto Networks Approved
Palo Alto Networks Approved
Community Expert Verified
Community Expert Verified

Does Active-Active HA supports more users?

L1 Bithead

Hi Guys,

My company bought a PA firewall a few months back. At that time we had around 85 users and PA technical person suggested that it will handle up to 100 users in our environment. Now, we have around 70 more people who joined our company, so total employees will be around 160. Now I have few questions -


1) If we buy one more firewall (same model) and use it in Active-Active HA mode, will it be able to handle the extra employees we have now? Meaning, (one firewall can handle 100 users), if we have two firewalls, will 200 users will be able to work?


2) Will the VPN users connecting to the firewall will also increase after adding the second firewall?

2 REPLIES 2

Cyber Elite
Cyber Elite

@Satyam,

That's not the purpose of an active-active deployment with PAN at all, unlike say old Cisco ASA deployments. While Active-Active deployments do allow you to process more traffic it's like a 20-30% increase. Active-Active is really designed around asymmetric routing deployments and not clustering. 

Secondly, did your company already install the new firewall or not? It's not entirely clear from your post if the new firewall is even installed or not, but if it is is it showing any signs of stress as-is? It's pretty easy to tell firewall utilization if it's already installed and processing the traffic, and I would recommend going off of the firewall and not some arbitrary user number that doesn't actually mean anything.

Third, sizing of a firewall isn't user dependent it's traffic dependent. A PA-220 could support thousands of users if they weren't processing much traffic. Sounds like whoever sized the original firewall really didn't leave any room for company growth if they were estimating you were already that close to maxing the selected models performance capabilities which was a pretty big mistake. 

L7 Applicator

I agree with @BPry , HA doesn't really increase capability.

Also, what hardware are we dealing with right now? and how much traffic are you having to handle?

Are you decrypting? using GlobalProtect for remote access? etc? All of these things can matter in a deployment, and the number of users you are trying to support.

LIVEcommunity team member
Stay Secure,
Joe
Don't forget to Like items if a post is helpful to you!
  • 1778 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!