This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

HA Clustering Info

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

HA Clustering Info

VFaticati
L1 Bithead

‎06-09-2022 06:19 AM

Hi all,

i have a question for all:

 

i have two datacenter  in two different city. The datacenters comunication in Layer 2 witn VRRP.

In primary DataCenter (active) i have two FW in Active/Passive (Peer HA), i would configurate a new FW in secondary data center (in passive mode), same model FW, it's possbile? how to configuration this scenario?

 

Thank you.

 

V.A

0 Likes Likes
7 REPLIES 7

OtakarKlier
Cyber Elite
Cyber Elite

‎06-09-2022 07:45 AM

Hello,

Possible yes since your HA interfaces can be any of the interfaces on the PAN. My biggest question would be why? Have the secondary data center PAN standalone and active. You can control routing via OSPF and route metrics.

 

Just my thoughts, I'm sure you have specific requirements.

 

Regards,

0 Likes Likes

VFaticati
L1 Bithead

‎06-09-2022 07:48 AM

the datacenter passive, it's work only for disaster recovery. 

0 Likes Likes

OtakarKlier
Cyber Elite
Cyber Elite

‎06-09-2022 07:51 AM

Hello,

I've done similar configs, and my DR data center was active. just disable the inbound NAT's. However you should be able to set it up the way you described.

Just a thought.

0 Likes Likes

VFaticati
L1 Bithead
In response to OtakarKlier

‎06-09-2022 08:02 AM

OK so every FW in the cluster in Active/Passive I have to configure HA1, HA1-Backup, HA2, HA2-Backup and H4, HA4-Backup and all interconnected? Are there any guides?

0 Likes Likes

OtakarKlier
Cyber Elite
Cyber Elite

‎06-09-2022 10:43 AM

Hello,

Hopefully the answer lies in the following:

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClIbCAK

 

Regards,

0 Likes Likes

aleksandar.astardzhiev
Cyber Elite
Cyber Elite

‎06-10-2022 05:17 AM

Hi @VFaticati ,

Can you clarify if I get your question correctly - you want all three firewalls to be in HA cluster and share session information?

If I understand that correctly, it is possible, this feature was introduced in version 10.0, so you need to use 10.1 and above (10.0 is no longer supported).

 

The following gives overview of the feature - https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/high-availability/ha-clustering-overview   As you can see from the link only some devices are supporting such setup, so you may check that as well.

There is also the steps how to configure "HA clustering" - https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/high-availability/configure-ha-clustering

fyeung
L0 Member
In response to aleksandar.astardzhiev

‎02-27-2023 03:25 PM

Hi @aleksandar.astardzhiev ,

 

For the case you mentioned, is it require a load balancer for session distribution? for my case all of the gateway are required to terminate on PA firewall, and same as @VFaticati , one DC with A/P HA, and the other one is standalone.

 

 

0 Likes Likes
  • 3992 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2025 - Palo Alto Networks