Can anyone tell me if HA Active/Active on a PA-500 requires three links in total? As there are limited ports on the PA-500 this may cause an issue.
Also, if this the case - is there any option on having an IPSEC VPN terminating on the passive firewall in an Active/Passive HA configuration (i suspect the answer to this is no).
To answer your questions
1.Yes Active-Active requires 3 ports. Management, State and Routing.
2. No, the passive unit in an Active-Passive Pair cannot accept traffic (by design)
What are you attempting to do, there may be a way to accomplish it in a manner you have not thought of yet.
Thanks for your reply.
We are trying to achieve the following:
2 diversely located firewalls (split by L3 connections) which act as a termination points for SSL VPN, IPSEC VPN, Internet Traffic and several other services.
The link into the main firewall is at risk of becoming oversubscribed and our idea was to share some of the load (i.e. IPSEC VPN) onto the other firewall with its own Internet link.
Problem is that we would still require a failover scenario, so an Active/Active pair requires the additional link and the Active/Passive puts all load onto the Active firewall.
It may be that our only option is to upgrade the Internet link to the main firewall, but we do run the risk of the device itself being degraded by the amount of processing it has to carry out.
We basically thought that the firewall sitting doing minimal processing could be brought into play to even the load.
Are you concerned that amount of traffic you are trying to put through your PA-500 is more than 100 Mbps? (I am assuming your using threat protection and URL filtering)
Active-Active would not provide additional through put, since either device has to be able to handle the traffic that the other unit is managing. (Otherwise your firewalls would be over-subscribed and you end up with fail and not alot of over).
A possible workaround is to have your router do ECMP (Equal Cost MultiPath) or such and run your two PA boxes as separate devices in virtualwire mode. This way you could get 2x100Mbit/s (or whatever limit the 500 boxes have) in throughput between point A and B.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!