08-30-2023 09:28 PM
Hi all,
I am considering a network design that has:
- Dual ISP (public IP /29 for each)
- 2 x PA with active/active HA
- PA connects directly to L2 networks (LAN)
Requirements:
Load sharing between the two ISP Internet links
Problems:
Is it possible to configure separate NAT for each?
How can sessions fail over to the remaining PA? Do I need a floating IP for the public WAN?
09-01-2023 05:33 AM
Hi @nw-rogox ,
Active/active does give you the advantage of doubling your NGFW throughput. However, in a failure scenario the throughput is cut in half which may not be desirable. The additional complexity of active/active is generally not recommended. Designs that are too complex tend to not only be a pain to configure as you are feeling now, but they also tend to be a pain to maintain, i.e., new problems may come up in the future.
For example, you cannot use a floating IP address in NAT unless you have a common BGP public IP across both ISPs.
I do not know of any documents to help you. I did do a quick Google search and saw a couple videos you may look at. They both used the switch to connect the dual ISPs to both NGFWs.
Sorry! That is all I have.
Thanks,
Tom
08-31-2023 05:49 AM
Hi @nw-rogox ,
I would configure active/passive HA. It is less complex than active/active.
Thanks,
Tom
09-01-2023 02:38 AM
Hi Tom,
Much appreciated your support.
As you suggested, I need to add one physical uplink connection for each PA, but from the ISP to the PA firewall they provide a single RJ45 port via a media converter, not switches. However, I am considering expanding the connections as you suggested.
One thing is that, if I use active/active mode, I can leverage both firewalls' resources at the same time. Could you give some documents or ideas for establishing active/active HA with both firewalls facing the Internet with public IPs?
I tried, and in active/active mode it requires NAT to the floating IP; it does not accept the interface's IP as usual.