Is it possible to use a Multi-VSYS Palo Alto to have the active-primary on one Palo Alto and a second VSYS Active-Primary on the second Palo Alto in Active-Active HA mode? I've done this on Cisco Active-Active firewalls but I need to do this on a Palo Alto pair.
This sounds very similar to my original setup, and sometimes it worked and sometimes there were issues.
Talking to an L3 and my SE, the official word from PA is you need a different NAT pool on each device, so NAT pool A on device A and NAT pool B on device B.
Not I spent 2-3 months working through issues about 2 years ago and again recently when I saw this post and thought about trying it again. But I'm back to A/P 😞
What I have is a set of routers to terminate the BGP and create a public network that is stretched between DC in front of the PA so that I can talk to all ISPs from either PA.
If you aren't advertising BGP to your ISPs with address space that you own, DON'T USE ACTIVE/ACTIVE FOR INTERNET TRAFFIC. It's really unclear what you are doing but it sounds like you are operating ACTIVE/ACTIVE like ACTIVE/PASSIVE. If this is the case, why not just run ACTIVE/PASSIVE? Or, if you really want to use both ISPs, don't run HA at all. Run each location's firewall independently and advertise your default route at both. It sounds like you are making this more complicated than it needs to be.