12-13-2022 07:11 AM
Hello,
I am used to configuring clusters on PAN-OS 8.x and 9.x.
I am now configuring a new infrastructure based on PAN-OS 10.1.8.
I have seen new options in "High Availability".
1) Under the "General" tab, what is "Clustering settings" for?
2) What is "Cluster Config" for?
Thanks
12-13-2022 07:29 AM
To expand on this a bit, what you're used to seeing is just a traditional HA setup. In that regard, you're likely used to seeing Active/Passive and Active/Active from a configuration standpoint. This provides the basis of redundancy to prevent a firewall failure from bringing down your entire environment.
With HA Clustering, that process is expanded by quite a bit. This sees the addition of HA4 and HA4-backup interfaces to actually control the clusters, because HA1-3 are already in use if you have an HA pair configured as cluster members. The clustered firewalls all share session state in the event of a failover, but the session owner is the one actually processing and logging the traffic.
The benefit here is that in a distributed environment, you could lose the primary HA pair and traffic would simply fail over to another pair in the cluster. You get additional redundancy across your network that maintains session survivability instead of updating routes due to the loss of the pair.
12-13-2022 07:16 AM
Hi Charlie
This link will help
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/high-availability/ha-clustering-overview