ISP Primary >> FortiGate Active >> Palo Alto Active
ISP Standby >> FortiGate Passive >> Palo Alto Passive
We have the primary ISP connected to the FortiGate Active firewall, which is directly connected to the Palo Alto Active firewall; likewise, the standby ISP is connected to the FortiGate Passive firewall, which is directly connected to the Palo Alto Passive firewall.
We have configured link monitoring between the Palo Alto and the FortiGate. If for any reason the FortiGate is not working, traffic shifts from the FortiGate active to the FortiGate passive firewall and also from the Palo Alto active to the Palo Alto passive firewall.
Now our query is: if we forcefully fail over the FortiGate from active to passive, will the Palo Alto firewall change its state from active to passive or not?
It sounds good if the passive FortiGate blocks the traffic to (188.8.131.52), as I am not a FortiGate expert, but be careful: even when the FortiGate connected to the Palo Alto becomes passive, if there is dynamic routing and so on, it is possible for the ICMP health monitor probes to go from the Palo Alto firewall to the other FortiGate that is active, and the Palo Alto will not fail over.
If the path is as in the picture, then for the active Palo Alto to reach 184.108.40.206 when the FortiGate on top of it fails over, the active firewall will send the ICMP to the standby Palo Alto firewall, it will be discarded, and the path monitoring failover will work.
You only need to make certain that there are no other network paths, not shown in the provided picture, for the Palo Alto firewall ICMP probes.
If the Palo Alto path monitoring is to a floating/VRRP etc. IP address on the FortiGate (or the IP address of something else after the FortiGate), then you make it so that this IP is only reachable by the path monitoring, using routing and security, when the FortiGate next to the Palo Alto is active. In other words, the path monitoring ICMP probes should only work on the left active Palo Alto firewall when the FortiGate on the left is also active.
This is not a specific Palo Alto question, as it depends on whether you have set up the path monitoring IP correctly along with the routing and security, but that is the idea of path monitoring to switch between firewalls being active or passive:
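A small model of the reasoning in the reply above, added here as an illustration; it is not code from the thread, from Palo Alto Networks or from Fortinet. The device names (PA-A/FG-A on the left, PA-B/FG-B on the right), the monitored address 203.0.113.1, the ping count, and the rule that only the active FortiGate forwards the probe are assumptions. It traces the ICMP path-monitoring probe hop by hop after a forced FortiGate failover and shows the two outcomes discussed: the Palo Alto follows the FortiGate when the only path to the monitored IP runs through its directly wired FortiGate, and it stays active when a dynamic route lets the probe reach the other, still-active FortiGate.

```python
"""Model of Palo Alto HA path monitoring behind a FortiGate HA pair (added example).

Assumptions (not from the thread): PA-A is wired to FG-A and PA-B to FG-B; the
monitored IP 203.0.113.1 sits beyond the FortiGates and only the active FortiGate
forwards traffic to it; path monitoring declares the path down after PING_COUNT
consecutive lost probes.
"""
from dataclasses import dataclass, field

MONITOR_TARGET = "203.0.113.1"  # assumed path-monitoring destination (ISP side of the FortiGate)
PING_COUNT = 3                  # assumed consecutive lost probes before the path is declared down


@dataclass
class Topology:
    fg_active: str = "FG-A"
    pa_active: str = "PA-A"
    # Direct cabling: each Palo Alto has exactly one FortiGate in front of it.
    wiring: dict = field(default_factory=lambda: {"PA-A": "FG-A", "PA-B": "FG-B"})
    # Extra next-hops a Palo Alto could learn for MONITOR_TARGET, e.g. via OSPF over a
    # cross link the diagram does not show. Maps a PA to the FortiGates it can also reach.
    dynamic_routes: dict = field(default_factory=dict)

    def next_hops(self, pa):
        """Candidate next-hops for MONITOR_TARGET: the wired FortiGate plus any learned ones."""
        return [self.wiring[pa]] + self.dynamic_routes.get(pa, [])

    def probe(self, pa):
        """Send one ICMP probe from `pa`; return the FortiGate that forwarded it, or None.

        A dynamic routing protocol converges on the FortiGate that actually advertises
        the target, i.e. the active one, so any reachable active FortiGate answers.
        A passive FortiGate discards the probe.
        """
        for fg in self.next_hops(pa):
            if fg == self.fg_active:
                return fg
        return None

    def run_path_monitoring(self):
        """Run PING_COUNT probes from the active PA; fail over if every probe is lost."""
        lost = sum(1 for _ in range(PING_COUNT) if self.probe(self.pa_active) is None)
        if lost == PING_COUNT:
            self.pa_active = "PA-B" if self.pa_active == "PA-A" else "PA-A"
            return True
        return False


def force_fortigate_failover(topo):
    """The manual FortiGate active->passive switch the original poster asks about."""
    topo.fg_active = "FG-B" if topo.fg_active == "FG-A" else "FG-A"


def pa_follows_fortigate(dynamic_routes=None):
    """Force a FortiGate failover, then report (active PA, active FG) after path monitoring."""
    topo = Topology(dynamic_routes=dynamic_routes or {})
    force_fortigate_failover(topo)
    topo.run_path_monitoring()
    return topo.pa_active, topo.fg_active


if __name__ == "__main__":
    # Only the wired path exists: the Palo Alto follows the FortiGate.
    print("wired path only:", pa_follows_fortigate())
    # A learned route to the other FortiGate keeps the probe alive: no Palo Alto failover.
    print("extra dynamic route:", pa_follows_fortigate({"PA-A": ["FG-B"]}))
```

The second case is the caveat in the reply: once PA-A has any route to FG-B for the monitored address, the probe keeps succeeding after FG-A goes passive, so PA-A stays active in front of a FortiGate that no longer forwards its traffic. The fix is in the routing and security design, not in path monitoring itself: the monitored IP must be reachable from PA-A only through FG-A.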
Thank you for your message.
In case the path monitoring is configured with the PA IP of the port which is connected to the FG as source and 220.127.116.11 as destination, when the FG becomes slave the PA port connected to the FG will not be able to reach 18.104.22.168 and then the PA becomes slave.
Can that be done with path monitoring? If yes, please suggest.