05-20-2016 09:59 AM
I see examples of using 2 ISPs with one PA. I also see that scenario with Global Connect, Load Balancing and IPSec Tunnels. However, I do not see where it states these types of scenarios can be used in a PA-200 HA scenario. Can anyone shed some light on using Dual ISPs with HA Palo Alto Firewalls? I know the fail-over is different on the PA-200, for example no session sync. Thanks in advance.
05-20-2016 04:14 PM - edited 05-20-2016 04:16 PM
If you are concerned about the failover part, it's a kind of stateless failover.
This means that if one PA 200 goes down there may be 4 to 6 ping packet drops, but all the functionality will remain the same.
PA 200 HA--->>> we call it HA lite, which means there will not be immediate failover and it may take some time to establish the sessions, as I mentioned above.
In the case of 3K, 5K series failover, you may see only 1 ping packet drop during a failover in the network.
But again, there will be no change in the kind of configurations, and they will remain the same, similar to the other boxes.
Hope that answers your question.
Tarang
05-20-2016 02:50 PM
Hi...Yes, you can use those methods with 2 PAs in HA. You just need to make sure the 2 PAs are connected to both ISPs using the same Ethernet ports so that when a failover occurs, the active PA can reach the 2 ISPs.
06-05-2016 04:21 AM
The other thing to be aware of with inbound services failover like Global connect is how your inbound prefix routing failover will occur when you lose an upstream ISP. Depending on how the route advertisements are working this can take some time for your upstream to remove that path and all your existing sessions to find the new inbound path on the second ISP. Especially if this is an active/passive failover.
Naturally, if you do not have the Global Protect prefix available to advertise in both ISPs, then it cannot fail over at all and new connections must be made using the second ISP address space.