03-07-2023 12:39 PM
Can you set up/configure 2 PA-440s interconnected, with one being a failover for redundancy in case the other bricks? Or only dual-ISP redundancy using the Static Routes Path Monitoring feature for traffic failover?
Is it even possible to set up 2 PA-440s configured identically, with one as a hot (plugged-in) failover? Forgive my terminology.
03-08-2023 06:16 AM - edited 03-08-2023 06:17 AM
Yes you can set up 2x PA-440 in HA.
If you configure the management interface to be used as HA1, then you need to configure one of the dataplane interfaces to be HA2 to synchronize sessions over. Without HA2, all sessions need to be re-initiated when the firewalls fail over.
If you have more dataplane ports available, you can have an HA1 backup.
HA1 backup eliminates the split-brain situation.
If you happen to disconnect the mgmt interface on one of the firewalls and they don't see each other anymore over the HA1 link, then both become active at the same time and this is bad 🙂
HA1 backup helps in this scenario.
HA2 backup gives a backup link for session sync, but this is most likely overkill in a small setup.
03-07-2023 01:54 PM
I think I have found my own answer; I am posting it here. Could someone verify this will work on two identical PA-440s?
03-07-2023 03:32 PM - edited 03-07-2023 03:35 PM
Hi @Cookiemonster46 ,
Yes, the PA-440 supports HA. Active/passive is recommended. The best practice is to use 4 cables between the two: HA1, HA1-Backup, HA2, HA2-Backup. You can change regular Ethernet ports to HA ports.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGNCA0
Thanks,
Tom
PS Order the rack tray PAN-PA-400-RACKTRAY to make it easier to rack. You could also order the 2nd power supply PAN-PWR-50W-AC, but with HA it's not necessary.