I came across this design guide and looking at labbing this up for testing, as the design could be a good fit for our production environment, with a few tweaks. In my case, I'll be using OSPF between the firewalls and internal routers A and B. The connections to the edge routers A and B will be the provider routers, so they will be outside facing and I won't be running OSPF between them.
I have a few question about the floating static routes mentioned:
1. are these floating static routes configured on internal router A and edge router A?
2. are these floating static routes also configured on the Palo Alto as static routes? As the screen shots show them being on the Palo Alto.
Just to get my upstream and downstream routers right:
1. Is the upstream router edge router A?
2. Is the downstream router Internal router A?
Anyone used this design on their production network? Any limitations, advantages/disadvantages with the design?
Your advice and thoughts are appreciated.
There are a lot of design solutions in a setup like this. But to answer your question, the floating static is set on ALL routers in this setup (but different IP on the internal vs the external routers). The reason for the floating static is that the Next Hop IP will transition to the Passive Firewall before OSPF reconverges from a failure event. With a floating static, this means there is a backup route already in the table. So when OSPF goes down temporarily (and it will), this backup route is ready and waiting to be pushed into the FIB for near uninterrupted traffic flows.
I highly recommend reading through the PAN documentation on HA - https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/high-availability/ha-overview.html
Does this make sense?
Thank you for your reply. Why the floating static routes are used, does make sense, in case OSPF does fail, the traffic will still flow.
So I would configure a static route on Edge Routers A and B (the upstream routers), pointing to the Datacentre LAN. And a static route pointing to the Internet/0.0.0.0/0, on Internal Routers A and B (the downstream routers). Is this correct for this scenario?
An Active/Active option is not possible as the Palo's will be 25 miles apart from each other (for DR purposes). The two Palos will be connected via the HA link over 2 x L2 links between two sites. One of these L2 links will be the primary (the active) and the other will be the secondary (the backup link), hence exploring the Active/Passive design option.
Please let me know if I am right about the configs of the static routes, on those routers.
So, I've been labbing this up and have created the floating static routes on all the routers as you mentioned. In steps 12 and 13 of the configuration guide, it says redistribute the floating static routes upstream and downstream. Does this mean I have to create a Redistribution Profile on the Palo Alto and add it to the Export Rules in OSPF?
Many thanks in advance.
The redistribution will have to be done on your routers because this is where the static routes are created. Since you have L2 between the sites, I would REALLY look at either sticking an HA switch stack between the routers and the FW and letting ARP handle all of this for you. Otherwise I would look at Active/Active and Anycast your Default Gateways down. It just appears you are over-complicating an easy solution IMO.
Yes. But, since they are all in the same subnet, you could probably skip the VRRP/HSRP. The IP on the FW will just move and re-ARP. Session state would be maintained. It really depends on how you have your routing set up and if you are able to do the same L2 on the "external" side as well.
Here is another idea you should consider. Rebuild the way you are thinking about your HA/DR/etc plan. break the HA pair and operate each FW independently. Think of them as Routers (because they are) and route ALL traffic between sites through the firewalls. This is of course only if you have enough horsepower to push whatever bandwidth you have available between sites. Any inbound services should be routed through some kind of load balancer (ie - F5/Netscaler/etc). Use DNS to move your inbound services if your primary site goes down or even load balance both ISPs and you could have both sites running even if the interconnects go down. I really don't like the floating static design as there are more dynamic ways of handling this problem. You could also run an HA pair at each site in this design which gives you even more failure protections.
Penny for you thoughts?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!