08-08-2019 08:04 PM
Hi expert ,
I would like to know about that if that possible or not about use loopback interface on palo alto such as Virtual IP same like VRRP in a scenario don't to downtime use VIP
Thank you
08-08-2019 11:47 PM
Yes, you can use virtual interfaces so an IP is always available independent of an interface's status.
We do not support VRRP, however, in case you also wanted that functionality
08-09-2019 12:40 AM
Hi @Pattarachai,
Can you explain a bit more your setup or what you want to achive?
Like any other vendor Palo Alto support
- active-standby cluster - where you deploy to FWs in HA cluster. Both firewalls share same IP address and in case of failuer on the primary member traffic is handovered to secondary member. Since both member are using same IP address for the rest of the network nothing has changed
- active-active cluster - wher both FWs in the cluster are active and used different IP address. BUT you can configure VIP (floating IP) which can be used by the neighbour devices to forward traffic to only one of the member. In case of failuer the secondary member took over the VIP addresses
- If you want to run VRRP between the FW and a router, so in case of failuer in the firewall the traffic to be send the router, so you will loose security, but will maintain connectivity - Unfortunately that is not possible. Palo Alto doesn't support any First Hop Reduncency protocols (VRRP, HRSP etc)
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
