
Dual PA220 Active-Active with Active-Active Service Provider Links and GP Autofailover


L1 Bithead

Hello Family,

 

I have a pair of PA220s in Active/Standby mode. I know the datasheet of the PA220 is as below:

 

Firewall throughput (HTTP/appmix)* 545/535 Mbps

Threat Prevention throughput (HTTP/appmix)† 265/320 Mbps

IPsec VPN throughput‡ 550 Mbps

Max sessions 64,000

New sessions per second§ 4,200

 

I already have a 250Mbps service provider internet link, and would like to add another due to the office getting bigger, but would prefer I utilize the complete 500Mbps I'd have fully without getting the SDWAN license, and the PANs and links should also act as failover for each other in case one goes down.

 

I want to terminate one ISP on say PAN1 and the other on PAN2 and have them in a HA situation that they are both active. Also, I'd be doing IPSec to my workload in AWS, I'm guessing I'd create a tunnel from both PANs to AWS and probably utilize ECMP.

 

From my GP perspective, how do I also make sure public IPs from both ISPs are referenced to give me better availability?

 

Has anyone done this use case and have any pointers or blogged about it?

 

Thanks.

Accepted Solutions

Cyber Elite

@Tobi_Babatunde,

Why aren't you just using ECMP? That would be the more traditional approach to this and you aren't really losing anything. If you did this as you described you'd still only load balance on a session basis, which is already what ECMP does. Sounds like you're trying to over-engineer a solution here when you don't need to, outside of having some other considerations that you don't have listed here.
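Added example, not part of the original posts: a small model of per-session load balancing over the two 250 Mbps links from the question, showing that a single session is capped at one link's rate while many sessions together approach 500 Mbps, and what remains when one link is down. The SHA-256 based path selection, the link names and the sample sessions are assumptions made for illustration and are not the PAN-OS algorithm or configuration.

```python
import hashlib

LINK_MBPS = {"isp1": 250, "isp2": 250}  # the two 250 Mbps links from the question

def pick_link(session, links):
    """Map a session 5-tuple to one link; the same session always gets the same link."""
    if not links:
        raise ValueError("no usable link")
    key = "|".join(map(str, session)).encode()
    digest = hashlib.sha256(key).digest()  # assumed hash, not the PAN-OS algorithm
    return sorted(links)[int.from_bytes(digest[:4], "big") % len(links)]

def delivered(sessions, up_links):
    """Return {link: Mbps carried}, capping each link at its capacity."""
    offered = {link: 0.0 for link in up_links}
    for five_tuple, demand_mbps in sessions:
        offered[pick_link(five_tuple, up_links)] += demand_mbps
    return {link: min(load, LINK_MBPS[link]) for link, load in offered.items()}

def total(sessions, up_links=("isp1", "isp2")):
    """Aggregate Mbps carried across all links that are currently up."""
    return sum(delivered(sessions, list(up_links)).values())

# Constructed sample traffic (documentation address ranges).
ONE_BIG = [(("10.0.0.5", 51000, "203.0.113.10", 443, "tcp"), 400.0)]
MANY_SMALL = [((f"10.0.1.{i}", 40000 + i, "198.51.100.7", 443, "tcp"), 2.5)
              for i in range(200)]

if __name__ == "__main__":
    print("one 400 Mbps session, both links up :", total(ONE_BIG))
    print("200 x 2.5 Mbps sessions, both up    :", total(MANY_SMALL))
    print("200 x 2.5 Mbps sessions, isp2 down  :", total(MANY_SMALL, ("isp1",)))
```

The failover case is the one to size for: with one link down, every session lands on the surviving 250 Mbps link.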
