PA HA with Port-Channel towards inside/trust connection

L1 Bithead

Hi,


We need to add a secondary PA-220 to the existing (production) standalone PA-220 and make it Active/Standby. The trust interface on the PA will be a trunk with two sub-interfaces. Both PA trust interfaces are going to connect to the downstream core switch. The core switch is a stack, and we are thinking of configuring a port-channel and adding both the PA1 and PA2 trust interfaces to the same port-channel. Just want to make sure there's no issue with this setup, and I'd appreciate it if someone can advise whether this is a good design or has any issues or is unsupported.

Below is the setup described above.

PA-HA.png



All Replies
L6 Presenter

Hi @Pemasirid,

In your case, you can't do a port-channel on the core switch for the interfaces coming from the two different Palo Altos. Aggregation works only when the interfaces are coming from the same Palo Alto gateway and, on the Palo Alto side as well, the interfaces are part of the aggregation.

So in your case, you can terminate the trust interfaces coming from both Palo Alto firewalls as individual interfaces on the core and make them trunks. It will work as expected. During HA failover, with the help of GARP, it will tell the switch to send/forward packets on the port of the active firewall.

And the same applies to the other interfaces, like the untrust interface going towards the ISP via the L2 switch, the DMZ, etc.

The rest of the configuration seems to be good.

Hope it helps!



Mayur S.
L1 Bithead

Hi SutareMayur,

Thank you so much for your reply.

In that case my default route should always point to the primary PA inside (10.1.15.2), and what about once the primary (active) PA fails? Does it still take the active PA IP address (10.1.15.2)?

I'd appreciate it if you can shed some light on that.


Regards,

L6 Presenter

@Pemasirid,

Yes, you will have the same IP configured on both HA Palo Alto inside interfaces, which will act as the default route on the core switch. Now during a failover event, with the help of Gratuitous ARP, it will tell the switch to forward traffic on the active firewall interface, which will have the same IP, i.e. your inside interface IP.

Hope it helps!



Mayur S.


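The mechanism described in the accepted answer, as an added illustration that is not from the thread or from Palo Alto Networks: a Python model of the core switch updating its ARP cache and MAC table from the gratuitous ARP each firewall sends for the shared inside IP 10.1.15.2. The interface MACs, switch port names and the spoof check are assumptions.

```python
from dataclasses import dataclass, field

GATEWAY_IP = "10.1.15.2"  # shared inside/trust IP from the thread

# Constructed MAC addresses for the two PA-220 trust interfaces (assumption,
# not values from the thread). In active/passive HA each unit keeps its own
# interface MAC and announces the shared IP with a gratuitous ARP when active.
KNOWN_FW_MACS = {"PA1": "00:1b:17:00:00:01", "PA2": "00:1b:17:00:00:02"}


@dataclass
class GratuitousArp:
    sender_ip: str
    sender_mac: str
    ingress_port: str  # core switch port the frame arrived on


@dataclass
class CoreSwitch:
    arp_cache: dict = field(default_factory=dict)  # ip -> mac
    mac_table: dict = field(default_factory=dict)  # mac -> port
    alerts: list = field(default_factory=list)

    def receive_garp(self, garp: GratuitousArp) -> None:
        # Defensive check (constructed policy): a GARP claiming the gateway IP
        # from a MAC outside the HA pair is a spoofing sign, so log and ignore it.
        if garp.sender_ip == GATEWAY_IP and garp.sender_mac not in KNOWN_FW_MACS.values():
            self.alerts.append(
                f"unexpected GARP for {garp.sender_ip} from {garp.sender_mac} on {garp.ingress_port}"
            )
            return
        # Normal GARP handling: refresh the ARP entry and learn the source port.
        self.arp_cache[garp.sender_ip] = garp.sender_mac
        self.mac_table[garp.sender_mac] = garp.ingress_port

    def next_hop_port(self, ip: str):
        """Port the core would use to reach the given IP right now."""
        mac = self.arp_cache.get(ip)
        return self.mac_table.get(mac) if mac else None


def simulate_failover():
    """Returns (port before failover, port after failover, port after spoof, alerts)."""
    core = CoreSwitch()
    # PA1 is active at startup; its GARP arrives on the port cabled to PA1.
    core.receive_garp(GratuitousArp(GATEWAY_IP, KNOWN_FW_MACS["PA1"], "Gi1/0/1"))
    before = core.next_hop_port(GATEWAY_IP)
    # PA1 fails, PA2 becomes active and announces the same IP on its own port.
    core.receive_garp(GratuitousArp(GATEWAY_IP, KNOWN_FW_MACS["PA2"], "Gi2/0/1"))
    after = core.next_hop_port(GATEWAY_IP)
    # A host on an access port claims the gateway IP: rejected, path unchanged.
    core.receive_garp(GratuitousArp(GATEWAY_IP, "de:ad:be:ef:00:01", "Gi1/0/24"))
    return before, after, core.next_hop_port(GATEWAY_IP), core.alerts
```

Because both units announce the same IP from different MACs, the core's default route keeps working without any port-channel, and the only thing that moves on failover is the ARP entry for 10.1.15.2.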
L1 Bithead

Thank you @SutareMayur
