Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
05-03-2018 06:52 AM
Hi,
Is it possible to configure two physical Palo Alto 5250 in Active - standby mode while distributing the load for Vsys across both the physical firewalls.
For eg.
I have two physical firewalls - PA1 & PA2
I have 6 vsys in each firewalls - Vsys1, Vsys2, Vsys3, Vsys4, Vsys5, Vsys6
Is it possible to have the below mentioned setup?
PA1
Vsys1 - Active
Vsys2 - Standby
Vsys3 - Active
Vsys4 - Standby
Vsys5 - Active
Vsys6 - Standby
PA2
Vsys1 - Standby
Vsys2 - Active
Vsys3 - Standby
Vsys4 - Active
Vsys5 - Standby
Vsys6 - Active
Is there any reference document to achieve this configuration?
05-03-2018 03:11 PM - edited 05-03-2018 03:15 PM
Hi @MGRashmi,
unfortunately with Active/Passive mode, all virtual systems will be active only on "active" member. The HA is configured on Physical level and not on the virtual level.
If you want to distribute virtual systems on both physical appliances you need to configure the cluster in Active/Active mode and bound floating IP for vsys 1, 3, 5 to Active Primary and for vsys 2, 4, 6 to Active Secondary.
At this link you can found a use case:
Keep in mind usually TAC suggest A/A mode only in case you have asymmetric routing mainly when the firewalls are in Virtual-Wire mode.
Enjoy,
Jacopo
05-07-2018 11:23 PM
Hi Jacopo, Thanks a lot for your detailed and clear explanation. This really helped.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
