11-11-2020 07:18 PM
Hi,
We need to add a secondary PA-220 to an existing (production) standalone PA-220 and make it Active/Standby. The Trust interface on the PA will be a trunk with two sub-interfaces. Both PA trust interfaces are going to connect to the downstream Core switch. The Core switch is a stack, and we are thinking of configuring a port-channel and connecting both the PA1 and PA2 trust interfaces to the same port-channel. I just want to make sure there's no issue with this setup, and would appreciate it if someone can advise whether this is a good design or has any issues or is unsupported.
Below is the setup described above.
11-11-2020 10:03 PM
Hi @Pemasirid,
In your case, you can't do a port-channel on the core switch for the interfaces coming from the two different Palo Altos. Aggregation works only when the interfaces are coming from the same Palo Alto gateway and, on the Palo Alto side, the interfaces are also part of an Aggregation group.
So in your case, you can terminate the Trust interfaces coming from both Palo Alto firewalls as individual interfaces on the core and configure them as trunks. It will work as expected. During HA failover, with the help of GARP, it will tell the switch to send/forward packets on the port of the active firewall.
The same applies to the other interfaces, like the untrust interface going towards the ISP via the L2 switch, the DMZ, etc.
Rest configuration seems to be good.
Hope it helps!
11-12-2020 06:46 AM
Hi SutareMayur,
Thank you so much for your reply.
In that case my default route should always point to the primary PA inside interface (10.1.15.2), but what about once the primary (active) PA fails? Does it still use the active PA IP address (10.1.15.2)?
Appreciate if you can shed some light on that.
Regards,
11-12-2020 08:01 AM
Yes, you will have the same IP configured on both HA Palo Alto inside interfaces, which will act as the default route on the core switch. Now, during a failover event, with the help of Gratuitous ARP, it will tell the switch to forward traffic to the active firewall's interface, which will have the same IP, i.e. your inside interface IP.
Hope it helps!
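To make the failover mechanism in the reply above concrete, here is an added example (not from the post or from Palo Alto Networks) that parses gratuitous ARP frames the way the core switch sees them and records the IP-to-MAC/port move for the shared inside address 10.1.15.2. The MAC addresses, switch port names and frames are constructed for the demo; the same tracker doubles as a simple detector for unexpected gateway MAC changes.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

ETH_TYPE_ARP = 0x0806

@dataclass
class ArpInfo:
    opcode: int
    sender_mac: str
    sender_ip: str
    target_ip: str

    @property
    def is_gratuitous(self) -> bool:
        # A gratuitous ARP announces the sender's own IP: sender IP == target IP.
        return self.sender_ip == self.target_ip

def parse_arp(frame: bytes) -> Optional[ArpInfo]:
    """Parse an Ethernet II frame; return the ARP fields or None if it is not IPv4 ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_TYPE_ARP:
        return None
    # ARP header after the 14-byte Ethernet header: htype(2) ptype(2) hlen(1) plen(1) oper(2)
    hlen, plen, oper = struct.unpack("!BBH", frame[18:22])
    if hlen != 6 or plen != 4:
        return None
    mac = ":".join(f"{b:02x}" for b in frame[22:28])          # sender hardware address
    spa = ".".join(str(b) for b in frame[28:32])              # sender protocol address
    tpa = ".".join(str(b) for b in frame[38:42])              # target protocol address
    return ArpInfo(oper, mac, spa, tpa)

class GatewayTracker:
    """Tracks which (MAC, switch port) currently owns a watched IP, as a switch does after GARP."""
    def __init__(self, watched_ip: str):
        self.watched_ip, self.owner, self.moves = watched_ip, None, []

    def observe(self, frame: bytes, port: str) -> Optional[Tuple[str, str]]:
        arp = parse_arp(frame)
        if arp is None or not arp.is_gratuitous or arp.sender_ip != self.watched_ip:
            return None
        new = (arp.sender_mac, port)
        if self.owner is not None and self.owner != new:
            self.moves.append((self.owner, new))  # the IP moved: failover (or spoofing) event
        self.owner = new
        return new

def build_garp(sender_mac: bytes, ip: bytes) -> bytes:
    """Constructed sample frame: broadcast Ethernet header + ARP reply announcing ip."""
    eth = b"\xff" * 6 + sender_mac + struct.pack("!H", ETH_TYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2) + sender_mac + ip + b"\xff" * 6 + ip
    return eth + arp

def simulate_failover() -> GatewayTracker:
    """PA1 (active) announces 10.1.15.2 on Gi1/0/1, then PA2 takes over on Gi1/0/2. Names are hypothetical."""
    gw, pa1, pa2 = bytes([10, 1, 15, 2]), bytes.fromhex("001b17000001"), bytes.fromhex("001b17000002")
    tracker = GatewayTracker("10.1.15.2")
    tracker.observe(build_garp(pa1, gw), "Gi1/0/1")
    tracker.observe(build_garp(pa2, gw), "Gi1/0/2")
    return tracker
```

A single recorded move after a planned failover is expected; a move that does not coincide with an HA event is worth alerting on, since the same GARP mechanism is what an ARP spoofer abuses.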
11-12-2020 08:07 AM
Thank you @SutareMayur