This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Cookie Policy. Click Preferences to customize your cookie settings.
High Availability with Virtual Wires?
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- Discussions
- General Topics
- High Availability with Virtual Wires?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
High Availability with Virtual Wires?
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
09-07-2010 07:49 AM
Hi,
I've been looking everywhere and I can only find information on virtual wires being used for path-monitoring in HA. What I'm looking for is if when in HA, do the virtual wires fail over? If they do fail over is there a best practices document detailing how and what type of interfaces fail over? Fail over of a L3 interface makes sense since the new firewall will answer ARP requests for the failed firewall, but how does that work with virtual wires?
Thanks,
Frank
Labels:
- Labels:
-
Configuration
-
Networking
9 REPLIES 9
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
09-07-2010 06:56 PM
Hello,
Yes Virtual wire pairs can be specified as a failover condition using both Link or Path monitoring.
Path monitoring is where the firewall pings a specific IP address to test for network connectivity.
Pings are sent every 200ms to the configured destination(s).
If there is no response for over 2 seconds , failover is triggered.
For virtual wire pairs you will have to specify an additional address from which the pings will be sourced with the destination addresses.
Regards.
Gary S.
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
09-09-2010 12:24 PM
Can you be more specific? I too am holding off on setting up an HA pair because of this. I would like to see some details on how to do this with Virtual Wire links along with having some "traditional" L3 ports in the configuration.
Example: I have my traditional External/Internal/DMZ L3 ports setup on the PAN, but I also have two ports setup as a Virtual Wire that I send all my WAN traffic through for inbound/outbound scanning of my WAN traffic to remote offices. How will this fail over?
Thanks
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
09-09-2010 12:32 PM
I should be more specific on my WAN Virtual Wire setup. The Ethernet port from my Cisco WAN router is going in to one of the Virtual Wire ports on the PAN, and the second Virtual Wire port on the PAN is going to my Cisco core switch in the data center. My rules just pass through the data, but I scan for virus/threat/apps to keep my WAN traffic "clean". The core switch in the data center is L3 and routes all WAN traffic to the Cisco WAN router. In the Virtual Wire mode, this is just passing through and the router and switch see no difference with the PAN "in the middle" The Cisco core switch port that connects is a VLAN or L2 switchport.
How do you configure this in an HA pair?
Thanks
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
09-09-2010 12:34 PM
Hi there,
You can think of Virtual Wires as CAT5 cables. The failover for Virtual Wire is very simple - it's like moving a CAT5 cable from the Primary unit to the Secondary unit. The traffic failover is dependent on the devices on either side of the Vwire detecting the link moved over and reconverging.
As of PANOS 3.1 if one side of the Vwire goes down, the other interface tied to the Vwire will also go down by default. This helps with failover so the surrounding devices will both see the original path is down and re-route.
Cheers,
Kelly
Related Content
- Palo Alto in Virtual wire vs TAP mode. in Next-Generation Firewall Discussions
- Multiple unexpected failovers - need help understanding FW behavior in General Topics
- GlobalProtect Users Unable to Reach Intranet Resources Every Hour/2hrs in GlobalProtect Discussions
- Virtual Wire transition default config ( Tag Allowed ) to layer 2 subinterfaces - Virtual Wire in General Topics
- Multiple Virtual Wires - PA Firewall - TP (IPS) in General Topics
Like what you see?
Show your appreciation!
Click Like if a post is helpful to you or if you just want to show your support.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks