Issue in HA link monitoring

Joshan_Lakhani
L4 Transporter


Hi, 

 

ISP Primary >> FortiGate Active >> Palo Alto Active

ISP Standby >> FortiGate Passive >> Palo Alto Passive

 

We have the ISP connected to the FortiGate active firewall, which is directly connected to the Palo Alto active firewall; likewise, the ISP standby is connected to the FortiGate passive firewall, which is directly connected to the Palo Alto passive firewall.

We have configured link monitoring between the Palo Alto and the FortiGate. If for any reason the FortiGate is not working, it shifts traffic from the FortiGate active to the FortiGate passive firewall and also shifts traffic from the Palo Alto active firewall to the Palo Alto passive firewall.

 

Now our query is: if we forcefully make the FortiGate active firewall passive, will the Palo Alto firewall change its state from active to passive or not?

 


 

 


Accepted Solutions
NikolayDimitrov
L4 Transporter

It sounds good if the passive FortiGate blocks the traffic to 8.8.8.8 (I am not a FortiGate expert), but be careful: even when the FortiGate connected to the Palo Alto becomes passive, if there is dynamic routing and so on, it is possible for the ICMP health monitor probes to go from the Palo Alto firewall to the other FortiGate that is active, and then the Palo Alto will not fail over.

 

 

If the path is as in the picture, then for the active Palo Alto to reach 8.8.8.8 when the FortiGate on top of it fails over, the active firewall will send the ICMP to the standby Palo Alto firewall, where it will be discarded, and the path monitoring failover will work.

 

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClcACAS

 

 

You only need to make certain that there are no other network paths, not shown in the provided picture, for the Palo Alto firewall ICMP probes.

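To illustrate the caveat in this answer (the probe must have no alternate path to 8.8.8.8), here is an added toy model of the two-tier HA topology; it is not code from the thread or from PAN-OS, and the device names and the hypothetical cross-path from pa_left to fg_right are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed topology model (not PAN-OS code): every name here is an assumption.
@dataclass
class Device:
    name: str
    forwards: bool                            # passive/standby devices drop transit traffic
    static_next_hop: Optional[str] = None     # next hop towards 8.8.8.8 under static routing
    neighbors: list = field(default_factory=list)  # candidates a dynamic protocol may choose

def next_hop(dev, topo, dynamic):
    """Static routing pins the next hop; dynamic routing converges to any
    neighbour that is still forwarding (the case the reply warns about)."""
    if dynamic:
        for n in dev.neighbors:
            if topo[n].forwards:
                return n
    return dev.static_next_hop

def probe_reaches(topo, src, dst, dynamic=False):
    """Trace an ICMP path-monitor probe hop by hop; True only if dst is reached."""
    hop = src
    for _ in range(len(topo)):            # bounded walk: no loops in this small graph
        if hop == dst:
            return True
        dev = topo[hop]
        if hop != src and not dev.forwards:
            return False                  # a passive device discards the probe
        hop = next_hop(dev, topo, dynamic)
        if hop is None:
            return False
    return False

def build(fg_left_active):
    """Left FortiGate/ISP chain as in the picture; fg_right is the 'other path'."""
    return {
        "pa_left":     Device("pa_left", True, "fg_left", ["fg_left", "fg_right"]),
        "fg_left":     Device("fg_left", fg_left_active, "isp_primary"),
        "fg_right":    Device("fg_right", not fg_left_active, "isp_standby"),
        "isp_primary": Device("isp_primary", True, "8.8.8.8"),
        "isp_standby": Device("isp_standby", True, "8.8.8.8"),
        "8.8.8.8":     Device("8.8.8.8", True),
    }

def pa_fails_over(fg_left_active, dynamic):
    """Path monitoring fails the active Palo Alto over only when the probe is lost."""
    return not probe_reaches(build(fg_left_active), "pa_left", "8.8.8.8", dynamic)
```

With static routing the probe dies at the passive fg_left and the Palo Alto fails over; with a dynamically learned route via fg_right the probe still succeeds and the Palo Alto stays active, which is the alternate path the answer says must not exist.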


All Replies
NikolayDimitrov
L4 Transporter

If the Palo Alto path monitoring is to a floating/VRRP etc. IP address on the FortiGate (or the IP address of something else beyond the FortiGate), and you make it so that this IP is only reachable by the path monitoring, using routing and security, when the FortiGate next to the Palo Alto is active. In other words, the path monitoring ICMP probes should only work on the left active Palo Alto firewall when the FortiGate on the left is also active.

Joshan_Lakhani
L4 Transporter

@NikolayDimitrov 

 

My question is: if I forcefully change the state of the FortiGate active firewall to passive, will the Palo Alto change its status automatically from active to passive or not?

NikolayDimitrov
L4 Transporter

This is not a specific Palo Alto question, as it depends on whether you have set up the path monitoring IP, the routing and the security correctly, but that is the idea of path monitoring: to switch firewalls between active and passive:

 

https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-web-interface-help/device/device-high-availabil...

Joshan_Lakhani
L4 Transporter

@NikolayDimitrov 

 

Thanks for your message.

 

In case the path monitoring is configured with the PA IP of the port which is connected to the FG as source and 8.8.8.8 as destination, when the FG becomes slave the PA port connected to the FG will not be able to reach 8.8.8.8, and then the PA becomes slave.

 

Can that be done with path monitoring? If yes, please suggest.


OtakarKlier
Cyber Elite

Hello,

Just curious as to why you have two firewalls in line like this? I know it was a practice back in the day. However, with a properly licensed and configured Palo Alto, you don't need this.

 

Regards,
