04-06-2021 09:40 AM
Hi,
ISP Primary >> FortiGate Active >> Palo Alto Active
ISP Standby >> FortiGate Passive >> Palo Alto Passive
We have the ISP connected to the FortiGate Active firewall, and that FortiGate is directly connected to the Palo Alto Active firewall; likewise, the ISP standby is connected to the FortiGate Passive firewall, which is directly connected to the Palo Alto Passive firewall.
We have configured link monitoring between the Palo Alto and the FortiGate. If for any reason the FortiGate is not working, traffic shifts from the FortiGate active to the FortiGate passive firewall and also from the Palo Alto active firewall to the Palo Alto passive firewall.
Now our query is: if we forcefully fail the FortiGate over from active to passive, will the Palo Alto firewall change its state from active to passive or not?
04-07-2021 02:55 AM - edited 04-07-2021 02:58 AM
If the Palo Alto path monitoring is to a floating/VRRP etc. IP address on the FortiGate (or the IP address of something else behind the FortiGate), and you make it so that this IP is only reachable by the path monitoring, using routing and security, when the FortiGate next to the Palo Alto is active. In other words, the path-monitoring ICMP probes should only work on the left active Palo Alto firewall when the FortiGate on the left is also active.
04-07-2021 04:23 AM
My question is: if I forcefully change the FortiGate firewall's state from active to passive, will the Palo Alto change its status automatically from active to passive or not?
04-07-2021 04:38 AM
This is not a specific Palo Alto question, as it depends on whether you have set up the path-monitoring IP, the routing and the security correctly, but that is the idea of path monitoring: to switch firewalls between active and passive.
04-07-2021 10:06 PM
Thanks for your message.
If path monitoring is configured with the PA IP of the port connected to the FG as source and 8.8.8.8 as destination, then when the FG becomes slave the PA port connected to the FG will not be able to reach 8.8.8.8, and the PA becomes slave.
Can that be done with path monitoring? If yes, please suggest.
04-08-2021 03:01 AM - edited 04-08-2021 03:05 AM
It sounds good if the passive FortiGate blocks the traffic to 8.8.8.8 (I am not a FortiGate expert), but be careful: even when the FortiGate connected to the Palo Alto becomes passive, if there is dynamic routing and so on, it is possible for the ICMP health-monitor probes to go from the Palo Alto firewall to the other FortiGate that is active, and then the Palo Alto will not fail over.
If the path is as in the picture, then when the FortiGate on top of the active Palo Alto fails over, the active Palo Alto trying to reach 8.8.8.8 will send the ICMP to the standby Palo Alto firewall, where it will be discarded, and the path-monitoring failover will work.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClcACAS
You only need to make certain that there are no other network paths, not shown in the provided picture, for the Palo Alto firewall ICMP probes.
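A small Python model of the decision this answer describes, added here as an illustration (it is not from the original posts or from either vendor): PA-A's path-monitoring probe to 8.8.8.8 is followed hop by hop across a constructed copy of the topology, and failover is declared only when the probe cannot get through. The node names, routes and HA states are assumptions built from the posts above.

```python
from dataclasses import dataclass, field

MONITORED_IP = "8.8.8.8"  # path-monitoring destination used in the thread

@dataclass
class Node:
    name: str
    active: bool = True                          # HA role; a passive node discards transit traffic
    routes: dict = field(default_factory=dict)   # destination -> next-hop node name

def probe_reaches(topology, src, dst, max_hops=8):
    """Walk next-hops from src; True only if dst is reached and every transit node is active."""
    hop = src
    for _ in range(max_hops):
        node = topology[hop]
        if hop != src and not node.active:       # passive FG or PA drops the forwarded probe
            return False
        nxt = node.routes.get(dst)
        if nxt is None:                          # no route: probe fails
            return False
        if nxt == dst:                           # directly connected to the destination
            return True
        hop = nxt
    return False                                 # routing loop or hop limit exceeded

def pa_fails_over(topology, pa_name):
    """Path monitoring: the active PA fails over when it cannot reach the monitored IP."""
    return not probe_reaches(topology, pa_name, MONITORED_IP)

def build_topology(fg_a_active=True, pa_a_next_hop="FG-A"):
    """Constructed topology (assumed names): PA-A/PA-B below FG-A/FG-B, each FG uplinked to its ISP.
    pa_a_next_hop overrides PA-A's route to the monitored IP to model an alternate path."""
    return {
        "PA-A":  Node("PA-A", True, {MONITORED_IP: pa_a_next_hop}),
        "PA-B":  Node("PA-B", False, {MONITORED_IP: "FG-B"}),
        "FG-A":  Node("FG-A", fg_a_active, {MONITORED_IP: "ISP-1"}),
        "FG-B":  Node("FG-B", not fg_a_active, {MONITORED_IP: "ISP-2"}),
        "ISP-1": Node("ISP-1", True, {MONITORED_IP: MONITORED_IP}),
        "ISP-2": Node("ISP-2", True, {MONITORED_IP: MONITORED_IP}),
    }

if __name__ == "__main__":
    print("FG-A active, direct path     -> failover:", pa_fails_over(build_topology(), "PA-A"))
    print("FG-A passive, direct path    -> failover:", pa_fails_over(build_topology(False), "PA-A"))
    print("FG-A passive, route via PA-B -> failover:", pa_fails_over(build_topology(False, "PA-B"), "PA-A"))
    print("FG-A passive, route via FG-B -> failover:", pa_fails_over(build_topology(False, "FG-B"), "PA-A"))
```

The last two scenarios separate the two cases in the answer: an alternate route that lands on the passive Palo Alto is dropped, so failover still happens, while one that lands on the still-active FortiGate is answered, so the Palo Alto stays active.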
04-08-2021 02:34 PM
Hello,
Just curious as to why you have two firewalls in line like this? I know it was a practice back in the day. However, with a properly licensed and configured Palo Alto, you don't need this.
Regards,