06-09-2022 06:19 AM
I have a question for all:
I have two datacenters in two different cities. The datacenters communicate at Layer 2 with VRRP.
In the primary datacenter (active) I have two FWs in Active/Passive (Peer HA). I would like to configure a new FW in the secondary data center (in passive mode), same model FW. Is it possible? How do I configure this scenario?
06-09-2022 07:45 AM
Possible yes since your HA interfaces can be any of the interfaces on the PAN. My biggest question would be why? Have the secondary data center PAN standalone and active. You can control routing via OSPF and route metrics.
Just my thoughts, I'm sure you have specific requirements.
06-09-2022 07:51 AM
I've done similar configs, and my DR data center was active. Just disable the inbound NATs. However, you should be able to set it up the way you described.
Just a thought.
06-09-2022 08:02 AM
OK, so for every FW in the cluster in Active/Passive I have to configure HA1, HA1-Backup, HA2, HA2-Backup and HA4, HA4-Backup, and all interconnected? Are there any guides?
06-09-2022 10:43 AM
Hopefully the answer lies in the following:
06-10-2022 05:17 AM
Hi @VFaticati ,
Can you clarify if I get your question correctly - you want all three firewalls to be in an HA cluster and share session information?
If I understand that correctly, it is possible. This feature was introduced in version 10.0, so you need to use 10.1 and above (10.0 is no longer supported).
The following gives an overview of the feature - https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/high-availability/ha-clustering-overview. As you can see from the link, only some devices support such a setup, so you may check that as well.
There are also the steps on how to configure "HA clustering" - https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/high-availability/configure-ha-clustering
02-27-2023 03:25 PM
For the case you mentioned, does it require a load balancer for session distribution? In my case, all of the gateways are required to terminate on the PA firewall, and, same as @VFaticati, one DC has A/P HA and the other one is standalone.