is Cluster possible?

L0 Member

Hi all,

 

Quick question on the above statement: is it possible to configure clusters with Palo Alto?

I do not mean Active/Standby or Active/Active

 

I was not able to find any documentation on this. if this is possible, could someone point me in this direction please?

I had no luck with Google / the KB site.

thanks in advance

 

 

6 REPLIES

Cyber Elite

If you don't mean Active/Standby or Active/Active then what do you mean exactly?

 

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

L1 Bithead

I'm assuming you are talking about a cluster in which both Palos share the same IP and both operate in an active/active fashion. As many of you know, when running in Active/Active you actually have 2 IPs representing each virtual firewall group. Half of your systems' gateways are configured for 1 IP and the other half to the other IP. A true cluster would represent both firewalls by sharing a single IP and process traffic on both firewalls. There are some embedded technologies on systems that do this, but nothing I've heard of on the Palos. The only way I know of on how to do this is with the use of a load balancer that sits in front and/or back of the firewalls. The load balancer has the VIP or single IP and then routes to one of the firewall IPs that is running active/active. The problem with this solution is that it is not fully redundant. If you run in this fashion, you could have 75% usage on one firewall and 75% usage on the other. If one firewall dies, then you would have 150% usage on one firewall (good luck with that) and you'll DoS your traffic and blow up the firewall in the process. This is known as running in capacitive mode and not redundancy mode. Granted you are running in high-availability, just not fully redundant. This is why so many people run active/passive. You are truly running N+1 in redundant mode as opposed to N+1/2 or something like that in capacitive mode.

 

There are articles on configuring load balancers to provide you the pseudo clustering you are looking for. Good luck!

 

https://www.a10networks.com/resources/deployment-guides/a10-networkspalo-alto-networks-joint-firewal...
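The "capacitive mode" versus "redundancy mode" distinction above is easy to check before a failure does it for you. The following is an added example, not code from the thread or from Palo Alto Networks: it takes constructed per-firewall utilisation figures (percent of one box's capacity), simulates losing any single active device behind a load balancer, and reports whether the survivors can absorb the load. It generalises the two-firewall case to N active devices, and it assumes (a simplification) that the load balancer spreads the failed device's share evenly across the survivors.

```python
from typing import Dict, Sequence


def survives_single_failure(loads: Sequence[float], capacity: float = 100.0) -> Dict:
    """Worst-case load on any surviving device after one active device fails.

    loads    : per-device utilisation in percent of a single device's capacity
    capacity : the ceiling a single device can carry (100% by default)
    Assumes the load balancer redistributes the failed device's share evenly
    across the survivors (a simplifying assumption for this example).
    """
    if len(loads) < 2:
        raise ValueError("need at least two active devices")
    worst_peak, worst_idx = 0.0, -1
    for i, failed in enumerate(loads):
        survivors = [load for j, load in enumerate(loads) if j != i]
        redistributed = [load + failed / len(survivors) for load in survivors]
        peak = max(redistributed)
        if peak > worst_peak:
            worst_peak, worst_idx = peak, i
    return {
        # ScottF's terms: "redundancy" survives any single loss, "capacitive" does not
        "mode": "redundancy" if worst_peak <= capacity else "capacitive",
        "worst_failed_index": worst_idx,
        "peak_after_failure": worst_peak,
    }


def max_safe_utilisation(n_active: int, capacity: float = 100.0) -> float:
    """Highest equal per-device utilisation that still survives one failure.

    Two devices -> 50%, three -> ~66.7%: the headroom you must leave so that
    active/active stays N+1 rather than the "N+1/2" ScottF describes.
    """
    if n_active < 2:
        raise ValueError("need at least two active devices")
    return capacity * (n_active - 1) / n_active


if __name__ == "__main__":
    # Constructed sample figures, not measurements from any real deployment.
    for sample in ([75.0, 75.0], [40.0, 40.0], [60.0, 30.0, 30.0]):
        print(sample, survives_single_failure(sample))
    print("max safe per-device load with 2 active:", max_safe_utilisation(2))
```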

 

@ScottF Palo active/active can be configured both ways: either each has its own IP, or they can reply to ARP requests with their own MAC address but use the same IP. In this case all clients have the same gateway IP, but some will get an ARP reply from one active node and others from the other.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Both, thank you for the response.

What I meant by cluster: you have two clusters, one active, the other standby.

On the active cluster you have a minimum of 2 devices which are active, and the same number of devices on the standby cluster.

All traffic sees the active cluster as primary.

All active devices in the primary (active) cluster have their standby on the standby cluster.

This design is used for very sensitive traffic, for example the forex market, where milliseconds count.

Anyway thanks, radio/ScottF, will check the link too with the load balancer (but that's not the design I am after).

 

A Palo cluster can have 2 devices. They have to be the identical model.

Both can be active (usually not suggested) or active/passive.

You can't have more than 2 devices in one cluster.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011


@Shadow wrote:

Both, thank you for the response.

What I meant by cluster: you have two clusters, one active, the other standby.

On the active cluster you have a minimum of 2 devices which are active, and the same number of devices on the standby cluster.

All traffic sees the active cluster as primary.

All active devices in the primary (active) cluster have their standby on the standby cluster.

This design is used for very sensitive traffic, for example the forex market, where milliseconds count.

Anyway thanks, radio/ScottF, will check the link too with the load balancer (but that's not the design I am after).

 


Like what @ScottF already mentioned, what you're wanting to do is essentially "front end" your "FW service" with a load balancer that validates whether the 2 pairs of FW environments are functional and routes traffic to each service appropriately.

 

As you mentioned forex, it seems you'd be better off looking for hardware built for that space.
