05-31-2012 09:57 PM
Hi Team,..
We have two different ISP's as shown in attached scenario, Is it possible to use again both ISP's when any one of the firewall is down.
Thank you,...
Gururaj.
06-01-2012 10:02 AM
Hi...Do you have a single pool of public IPs or 2 pools (1 IP pool per ISP)? For outbound traffic it should be straight-forward and you NAT according to the path taken. For inbound traffic and inbound NAT, it would work if you have a single IP pool. If you have 2 IP pools, then the ISP may not recognize the other ISP's IP pool.
You also will need to consider which ISP will be the default route if you're using static routes, or how to distribute the routes if running BGP. Again, this works well with a single IP pool and more complex if you have 2 IP pools. You can also use PBF to help wiht the failover.
Here's the A/A HA Tech Notes to help: https://live.paloaltonetworks.com/docs/DOC-2541. Thanks.
06-03-2012 10:49 PM
Hi rmonvon,..
We have two different IP pools for two ISP's,....Are you sure that we can use PBF in HA Active/Active cluster,...Because for each firewall in PBF next hop will be defferent, But if we do commit after creatin PBF will over write the configuration of another firewall,.then the next hop will be same on both firewall's.
Thanks,.
06-04-2012 12:40 PM
My mistake on the PBF and you don't need it. I was mixing your A/A HA design with A/P HA. With that, you may not need the cross-connects (PA1 to ISP2, PA2 to ISP1).
Thanks.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
