Hi folks,
I am learning (self training at this point) about my company's two Palo Alto 3020 devices in our datacenter. We are currently only using one device for our routing, firewall, etc. I am tasked with eventually configuring the second one as HA and the switches below it as redundant.
As I am continue in the self paced learning, I put together a rough diagram of our intentions. I've attached it and have some basic questions so far, in case I may get some feedback from the community.
Does this look like something that may be done with just one ISP public IP address?
The secondary PA 3020 would be standby and would be configured identical, correct? So no need for additional IP addresses for L3 interfaces?
Would VLAN1 (V1) have to have at least one L3 interface (for routing) and the redundant connections L2?
Appreciate any feedback. 🙂
setting up the secondary should be real easy:
provide it with a management IP address, set up the basic HighAvailability attributes on both devices (same cluster ID, matching HA1 IP subnet, ...), then hook up the HA cables and instruct the primary device to sync it's configuration over to the secondary
caveat: when you configure HA on the primary, the MAC addresses on your interfaces will change as you will switch to a cluster MAC rather than a physical MAC, this allows the cluster to pass the IP addresses back and forth. your switches will want to be made aware 😉 (clear arp cache)
tip: HA2 does not need an IP address if transport mode is 'ethernet'
if you want your design to work (so have an additional redundant interface to switch 2) I'd recommend using 2 layer2 interfaces with a virtual layer3 interface configured for routing: Getting Started: Layer 2 Interfaces
otherwise you can simply hook each firewall to it's own switch and enable link monitoring in the HA configuration so if the switch were to fail, the cluster also fails over. that way you can use a layer3 interface for the inside
(which is slightly easier to configure)
caveat: for link monitoring on a passive device you need to set it's "passive link state" to auto, else it's interfaces will be down and unable to monitor link state
hope this helps
setting up the secondary should be real easy:
provide it with a management IP address, set up the basic HighAvailability attributes on both devices (same cluster ID, matching HA1 IP subnet, ...), then hook up the HA cables and instruct the primary device to sync it's configuration over to the secondary
caveat: when you configure HA on the primary, the MAC addresses on your interfaces will change as you will switch to a cluster MAC rather than a physical MAC, this allows the cluster to pass the IP addresses back and forth. your switches will want to be made aware 😉 (clear arp cache)
tip: HA2 does not need an IP address if transport mode is 'ethernet'
if you want your design to work (so have an additional redundant interface to switch 2) I'd recommend using 2 layer2 interfaces with a virtual layer3 interface configured for routing: Getting Started: Layer 2 Interfaces
otherwise you can simply hook each firewall to it's own switch and enable link monitoring in the HA configuration so if the switch were to fail, the cluster also fails over. that way you can use a layer3 interface for the inside
(which is slightly easier to configure)
caveat: for link monitoring on a passive device you need to set it's "passive link state" to auto, else it's interfaces will be down and unable to monitor link state
hope this helps
