06-04-2024 12:26 AM
Hi,
we have 2 PA1410 in two different buildings. They act as an active-passive cluster.
At each location there is a switch, and the firewall is connected with all of its ports (ha1a, ha1b, ha2, MGMT, data) to the switch.
The switches are connected to each other through fiber.
Does it make sense to buy a fiber SFP transceiver for each firewall and connect an HA1 link directly to the other firewall?
Then the HA1 link would be connected through the HA1A port to the switch, and the backup HA1 link would be connected through an SFP transceiver directly to the other system.
06-04-2024 04:27 AM
If this is not ridiculously expensive, I would recommend you get a secondary HA1 (backup) link.
If both HA1 links go through the same fiber, a fiber cut will cause a split brain: both firewalls will become active and claim the IP addresses (dynamic routing and gratuitous ARP), which may cause even more trouble to deal with.
If you have a physical HA1 backup link, a link failure would be less catastrophic.
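The shared-fate argument in this reply can be checked mechanically. The following is an added example, not code from the thread or from Palo Alto Networks: each logical heartbeat path is written as the list of physical segments it crosses (segment names are constructed), and the script reports every single segment whose failure leaves no heartbeat path alive, which is exactly the condition under which both peers go active.

```python
# Added example (not from the thread): single-failure analysis of HA1
# heartbeat paths. A path survives a failure only if none of its segments
# is the failed one. Segment names are constructed for illustration.
from itertools import chain

# Original design: HA1 (port ha1a) and HA1 backup (port ha1b) both go to the
# local switch and then across the same inter-building fiber.
DESIGN_SHARED_FIBER = {
    "ha1":        ["fw1-ha1a-sw1", "sw1", "sw1-sw2-fiber", "sw2", "sw2-fw2-ha1a"],
    "ha1-backup": ["fw1-ha1b-sw1", "sw1", "sw1-sw2-fiber", "sw2", "sw2-fw2-ha1b"],
}

# Proposed design: HA1 via the switches, backup over a direct SFP fiber run
# between the two firewalls that does not touch either switch.
DESIGN_DIRECT_BACKUP = {
    "ha1":        ["fw1-ha1a-sw1", "sw1", "sw1-sw2-fiber", "sw2", "sw2-fw2-ha1a"],
    "ha1-backup": ["fw1-fw2-direct-fiber"],
}


def surviving_paths(design, failed_segment):
    """Names of heartbeat paths that do not traverse the failed segment."""
    return [name for name, path in design.items() if failed_segment not in path]


def single_points_of_failure(design):
    """Segments whose loss removes every heartbeat path.

    Any segment returned here is a split-brain risk: after it fails, neither
    peer hears the other, so both may decide they are the active unit.
    """
    segments = set(chain.from_iterable(design.values()))
    return sorted(s for s in segments if not surviving_paths(design, s))


if __name__ == "__main__":
    for label, design in (("shared fiber", DESIGN_SHARED_FIBER),
                          ("direct backup", DESIGN_DIRECT_BACKUP)):
        spofs = single_points_of_failure(design)
        print(f"{label}: split-brain on loss of {spofs or 'nothing (no single SPOF)'}")
```

The shared-fiber design reports the local switch at either end and the inter-building fiber as single points of failure for the heartbeat; the direct-backup design reports none.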
06-04-2024 06:43 AM
@IT-Esp wrote:
Hi,
we have 2 PA1410 in two different buildings. They act as an active-passive cluster.
At each location there is a switch, and the firewall is connected with all of its ports (ha1a, ha1b, ha2, MGMT, data) to the switch.
The switches are connected to each other through fiber.
Does it make sense to buy a fiber SFP transceiver for each firewall and connect an HA1 link directly to the other firewall?
Then the HA1 link would be connected through the HA1A port to the switch, and the backup HA1 link would be connected through an SFP transceiver directly to the other system.
I would say it depends on how the 2 buildings are already connected to each other and how much you trust that connectivity.
There was a time when my company's DC was split between 2 geographic locations 180+ miles apart, and we had an HA A/P firewall pair split across that distance. We used dedicated P2P fiber and we had no issues. We only ever used HA1/HA2 and never used a backup link for HA.
We did use the management port as a heartbeat backup as a fail-safe. Using this design, as long as those P2P links between the DCs never went down, we never had an issue with split HA across this distance. In this design you can use copper or fiber locally as desired for your HA. I don't really see a reason to pay for yet another fiber link from an ISP to support an HA backup connection.
06-04-2024 12:40 PM
@IT-Esp We have a few PAs across the DC running in active-passive mode.
We have two switches in each DC running VRRP.
HA1 and HA1B have connections to the local switch in each DC.
For HA2 we have a single-mode fiber connection directly between the firewalls.
HA2 backup also has a connection to the local switch.
We have no issues with this design.
Regards