Newbie question on polices

Alex_Samad · ‎05-08-2017

Hi

Got to test pa-3060's got them setup in HA active active mode.

I have a LACP trunk setup with 2 vlans of it.

vlan 213 - zone trusted

vlan 215 - zone dev

i have ospf and ip addresses assigned and working on the 213 side of things. so I can ping it from the rest of my network.

vlan213 gets DGW from OSPF.

I have .2 and a .3 address assigned to pa1 and pa2 on vlan215 interface and a virtual - failover ip address setup on vlan215

I have a policy that allow ping from a list of ip addresses - basically my internal network addresses to any where and from / to any zone.

and I have the 2 default policies.

from boxes that I can ping vlan213. I can't ping to any of the vlan215 addresses .1 or .2 or .3

if I change the zone of vlan215 to the same zone as 213 then it works ???

What have I done wrong with my policy

reaper · ‎05-10-2017

yes (make sure HA3 is either directly connected or the transport medium supports jumbo frames)

if the syn packet is passed over PA1 and the ack packet is received by PA2, PA2 will send the ack to PA1 for inspection, PA1 will build the session and perform any other actions (nat, content inspection, AppID, ....) and then pass the packet back to PA2 which will put it on the network (asymmetry is maintained)

session owner and session setup device depend on your active-active configuration: (it may _always_ be PA1, or use a modulo, or be the device that sees the first packet)

if one member dies, all session responsabilities will go to the remaining member. a state table containing _all_ sessions (pa1 +pa2) is constantly maintained by both, only the 'processing' responsabilities are shifted depending on how you configure the above section

Tom Piens
PANgurus - SASE and Strata specialist; (co)managed services, VAR and consultancy

View solution in original post

reaper · ‎05-11-2017

VR sync is to sync the runtime state between the VRs.

Depending on your environment it may be useful to sync (if both peers need the same next hops etc.), or if your members both participate in ospf/bgp as unique members, you'll not want to sync

Tom Piens
PANgurus - SASE and Strata specialist; (co)managed services, VAR and consultancy

View solution in original post

Alex_Samad · ‎05-09-2017

Hi

I have left it to settle for a while now and the .2 and .3 are pingable !!!

but .1 with is the active / active virtual ip it keep failing ... its setup as a arp load balance,

BPry · ‎05-09-2017

@Alex_Samad,

Just out of curiosity was it a recommended design to go with active/active on your particular setup?

reaper · ‎05-09-2017

Hi and welcome to Palo Alto Networks!

now go ahead and set your cluster to active-passive 😉

The active-active configuration is really only useful if you have a network with asymetric routing, in most other scenario's it will only increase complexity and have little to no advantages (there is no performance gain, more likely a slight decrease due to HA3)

I'd recommend you start off with an active-passive HA so you have fewer distractions and a far less complex configuration to worry about while you test all the other features, especially since, as you mentioned, you're new to the firewall: configuring Active-Active is about as tough as it gets

Tom Piens
PANgurus - SASE and Strata specialist; (co)managed services, VAR and consultancy

Alex_Samad · ‎05-09-2017

Hi

So I have 2 datacentres and I run a stretch vlan setup, I will have 1 PA in one DC and another in the other DC.

So performance issues - please explain, I am looking at using the dual arp setup for VIP.

I have all my current services - WAN / Vendors etc duplicated at each site... and I do get asym routing 🙂

Newbie question on polices

Newbie question on polices

Show your appreciation!