09-02-2021 05:10 PM
Hi,
I finally received my pair of 3250s and noticed there is the HSCI port used for HA. I didn't realize this before purchasing, so I do not have the cable. Is there a reason why I can't just dedicate an interface for HA to use for HA2?
In case it matters, these firewalls will be located on the internet edge.
09-03-2021 10:59 AM - edited 09-04-2021 07:27 AM
Good question! How do you size the HA2 links? I haven't seen any documentation on this, but I ran into this video on YouTube -> https://www.youtube.com/watch?v=4hFQypgOAGk. Go to 1:15:47.
If my math is correct, the PA-3250 supports 63,700 connections per second, which requires 122 Mbps over Ethernet. In this table, I would populate the IP and UDP headers if used. The Bytes per Connection is the total of the indented rows. The Total Bits per Second = row1*row2*row7.

| Item | Value |
|---|---|
| Connections per Second | 63,700 |
| Bytes per Connection | 238 |
| - Session Sync Bytes | 220 |
| - Ethernet Header/FCS | 18 |
| - IP Header (20) | 0 |
| - UDP Header (8) | 0 |
| Bits per Byte | 8 |
| Total Bits per Second | 121,284,800 |

So, GE or higher is plenty, assuming the bytes per connection in the video is correct.
09-03-2021 10:22 AM
Hey Ce1028,
We have our 3250s on the edge configured with one of the Ethernet ports for HA2 instead of the HSCI ports and have not had issues during our failovers.
I am not sure if there are any cons to this setup that someone else can speak to, besides losing one of our available Ethernet ports, but we have had no issues.
09-03-2021 02:02 PM
Hello,
Yeah, my sales team got an earful with our purchase, but we knew ahead of time, luckily. I also asked them to just include the cable since we already paid so much for the devices. Oh well, we did the same and just used 10GB GBICs for ours. I preferred the legacy RJ45, but I know it won't work in every case.
Regards,
09-05-2021 08:35 AM
@OtakarKlier @sellington @TomYoung appreciate your responses.
For the price, they should be including the cable for sure.
Interesting video. I won't have even half the maximum session/second that the fw supports, so my assumption is that just using a 1GB port should be more than adequate. I am using a 1GB port on the current 3050. I wouldn't want to risk running into any problems, though. Decisions, decisions.
09-07-2021 12:50 PM
Exactly! I think you should be fine. The video guy was a PANW engineer. The data is probably accurate.