High Availability for Firewalls in diferent locations over Layer 3 network

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

High Availability for Firewalls in diferent locations over Layer 3 network

L0 Member

Is it possible to configure high availability between Palo Alto VM series Firewalls that are located in different buildings over a network to connect both firewalls?

 

I have two VM-300 Firewalls that are Active/Pasive with Global Protect in the same physical Server, which will result in a single point of failure. Recently there was an electrical issue and the server went down. Since both firewalls are in the same server, the remote users were not able to connect to company network.

Is there a way I can configure HA between one of those Firewalls and a new one that would be located in another building, separated by layer 3 network, so that in case something happen with one building, the Firewall in the other building would take the traffic? I know there have to be routing protocol in between which is fine but I am concern if the High Availability can be configured for two separate firewalls.

1 accepted solution

Accepted Solutions

Yes, it has been done many times as long as the latency is fine.  PANW unofficially recommends 20ms or better between firewalls.  Customers have reported it works fine with 80-120ms.  Check out this video starting at 1 hour 15 minutes.  Bandwidth should also be considered.  https://www.youtube.com/watch?v=4hFQypgOAGk&t=4665s

 

Help the community: Like helpful comments and mark solutions.

View solution in original post

4 REPLIES 4

Cyber Elite
Cyber Elite

@samuel.lora3,

That'll work fine, the only think thing that you'll really have to be mindful of is possible adjustments required for HA timers depending on the quality of that connection. 

 

https://docs.paloaltonetworks.com/vm-series/10-0/vm-series-deployment/about-the-vm-series-firewall/v...

L0 Member

@BPry 

Thanks for the reply and the link. I am reading through this topic. I would simulate it first to know how feasible will be for my network topology.

Yes, it has been done many times as long as the latency is fine.  PANW unofficially recommends 20ms or better between firewalls.  Customers have reported it works fine with 80-120ms.  Check out this video starting at 1 hour 15 minutes.  Bandwidth should also be considered.  https://www.youtube.com/watch?v=4hFQypgOAGk&t=4665s

 

Help the community: Like helpful comments and mark solutions.

Cyber Elite
Cyber Elite

Hello,

Also please consider everything in the HA path, i.e. switches, routers other devices, etc. Make sure they all have battery backup and/or alternative power sources.

 

Regards,

  • 1 accepted solution
  • 5112 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!