02-02-2022 06:42 AM
Has anyone had some hands-on experience with the new clustering features? I've read a bit on them, but like the post below, am struggling to make sense of the actual functionality/workability of the finer details needed for this setup as to how it exactly functions for multi data center scalability. Curious as to how the addressing scheme works in situations where you have multiple active data centers.
https://live.paloaltonetworks.com/t5/general-topics/ha-cluster-network-topology/m-p/365084#M88535
02-04-2022 02:18 PM
Depends on the use case. If the goal is service survivability (failover), then clustering is great, because the session data lives between all the HA pairs.
If the goal is more horizontal scaling (aka utilizing both DCs in real time), that is obviously best accomplished frontended or sandwiched by load balancers.
Not an expert by any means, but have 1 customer running this in prod and know the PM for the feature. What questions can I check on for you?
04-12-2022 01:38 AM - edited 04-12-2022 01:41 AM
Hi Slick,
We have been trying to configure HA Cluster in our lab environment. We have already tried two architectures:
i) Three sites as an Active.
ii) Active/Passive as in DC and Standalone (Active) as in DR
We raised multiple tickets in support portals, but none of the representatives were able to support us effectively on this. What does HA Cluster actually do? If the primary firewall goes down, it is responsible for session synchronization to the cluster members, and traffic should be transferred to another member of the cluster, right? Since the configuration on all of the devices is the same, we got an ARP conflict on each of the firewalls in the cluster. But we assumed that it would be managed by the clustering itself, right? We got some IP conflict related issues.
The KB we referred to is:
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/high-availability/ha-clustering-overview
04-12-2022 08:20 AM
I believe there is a single support team for this feature, which is why we highly recommend this feature be implemented through professional services. Yes, if a firewall pair goes down then the cluster should pick a new cluster member to move traffic to.
The ARP and IP addresses become the same through the failover. That's how a seamless failover event is created. For example, I have an A/P firewall pair right now; if the primary fails, the same MAC/IP addresses are taken by the passive. Same concept in HA4.
04-14-2022 08:29 AM
@LAYER_8 I thought that the MAC/IP addresses were completely different in a cluster setup - it was specifically just for state? MAC/IP only stay the same in an HA pair, not throughout the cluster?
04-14-2022 11:58 AM
Ah yes, worthwhile correction. Apologies.