08-18-2021 10:47 AM
Is it possible to configure high availability between Palo Alto VM series Firewalls that are located in different buildings over a network to connect both firewalls?
I have two VM-300 Firewalls that are Active/Passive with Global Protect in the same physical server, which will result in a single point of failure. Recently there was an electrical issue and the server went down. Since both firewalls are in the same server, the remote users were not able to connect to the company network.
Is there a way I can configure HA between one of those Firewalls and a new one that would be located in another building, separated by a layer 3 network, so that in case something happens with one building, the Firewall in the other building would take the traffic? I know there has to be a routing protocol in between, which is fine, but I am concerned about whether High Availability can be configured for two separate firewalls.
08-19-2021 08:35 PM
Yes, it has been done many times as long as the latency is fine. PANW unofficially recommends 20ms or better between firewalls. Customers have reported it works fine with 80-120ms. Check out this video starting at 1 hour 15 minutes. Bandwidth should also be considered. https://www.youtube.com/watch?v=4hFQypgOAGk&t=4665s
08-18-2021 01:46 PM
That'll work fine, the only thing that you'll really have to be mindful of is possible adjustments required for HA timers depending on the quality of that connection.
08-18-2021 07:33 PM
Thanks for the reply and the link. I am reading through this topic. I would simulate it first to know how feasible it will be for my network topology.
08-20-2021 11:07 AM
Hello,
Also, please consider everything in the HA path, i.e. switches, routers, other devices, etc. Make sure they all have battery backup and/or alternative power sources.
Regards,