I'm not sure if this documentation exists somewhere but I can't seem to find it.
We have a customer with a Palo Alto 5200 series firewall.
Due to COVID-19 (as is the case with so many companies), they are currently production stress testing the firewall with extra load due to teleworking, etc.
The firewall handles it fine. However, the HA1 and HA2 interfaces are seeing high traffic, and the customer is worried that might be an issue if a failover has to happen.
Now here's the problem: the customer is using 1gb interfaces for both the HA1 and HA2 links
and states that 1gb for HA1 and 1gb for HA2 should be enough.
I would like to counter that, as most interfaces on the 5200 series support 10gb speeds (of course, for the customer it's a bit of a costly solution if he has to provide 10gb SFPs, 10gb switches, etc. in between),
let alone that the default HSCI and AUX can go even above that 10gb.
Unfortunately, I can't find any official documentation/datasheets/recommendations from Palo Alto stating what speeds they recommend for HA1/HA2 links if you are not using the default configured ones.
Does anyone know if this is available somewhere? If not, my answer will have to be that, seeing as the default HA link is set up for 10gb and up, it's reasonable to assume that was done for a reason and not just for bragging rights "look at our 10gb HA sync".
However, I get the feeling our customer will only accept that explanation if I can prove it by means of a document/support case which I would like to avoid.
For HA1 and HA2, latency is a bigger issue than throughput.
With HA3 comes the need for raw bandwidth, as you're forwarding streams of actual data over the connection.
HA1 and HA2 are syncing system parameters, dynamic routing tables, user ID information and the state table (mostly text).
These will likely not reach critical bandwidth on 1gbps links.
The thing is, the device is stating high utilization for the HA interfaces.
IF-FWENOUT01/4 [HA2] Interface:::IF-FWENOUT01/4 [ha2]:::HighUtilization
And it's not like the 5220 is overloaded.
The firewall is under more load due to teleworkers for COVID-19. However, during the day dataplane CPU is averaging at 40% and the amount of sessions is between 60 and 80k (of a max of 4194k).
Hi PAN Admins,
There was a reply to this thread by an L7 user, which seems to have been removed.
It was indicating that for HA A/P (PA-5200), 40 GB for the HA2 data link is overkill, and since what will be synced is basically plain text (sessions, forwarding tables, IPSec security associations and ARP tables), we should be safe to go with much less throughput on the HA2 link between HA members. The post was saying 1 GB link, but we are looking to have a 10GB setup instead.
Can you please confirm the above is correct or otherwise?