We have a less critical PA firewall system connected to an HSRP pair on the internal interface and an HSRP pair on the external interface.
What is the best way to configure these systems to ensure the most availability of the routes, so traffic can continue to flow through the Palo Alto if one of the HSRP pairs fails over?
My thought is to use a second virtual router. Can the virtual routers support a type of high availability, so that if traffic stops being sent on one it would be sent to the other?
To my knowledge, two routers in an HSRP config share a virtual IP and MAC address. So if the primary router fails, the remaining router takes over that virtual IP and MAC. This way there is no need to set up anything special on the Palo Alto firewall as long as one router in the HSRP config is up and running.
The problem here is that you need additional switches between your routers and your PANs for that to work out of the blue, especially for the case when the passive unit in HSRP is completely offline.
When HSRP is enabled and both HSRP units work, the passive unit will act as an L2 device and just forward the traffic to the current active unit, which is the L3 device (if you also set up the VLANs on the link between R1 and R2). So far so good... Your PAN2 (active) will reach R1 (active) through R2 (passive) if you have connected them as PAN1 <-> R1, PAN2 <-> R2. However, if R2 gets a hardware malfunction so it's completely offline (and your PAN1 for some reason also failed), you will have a setup where PAN2 (active) cannot reach R1 (active).
If I'm not mistaken, you can set up the interfaces of your PAN so PAN1 has one cable to R1 and one to R2 but it's the same network (PAN1 has just one IP which R1 and R2 will route to for networks behind the PAN).
Unless there is some other method for this, I think you can do this by setting the PAN interface into L2 mode and then in the PAN set up a shared gateway which you bind to the two L2 interfaces. The shared gateway will be the IP which the routers will route to (and the same for the PAN itself; the shared gateway will then route to the IP of R, and HSRP will take care of which of R1 and R2 will announce the IP).
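To make the failure case in the reply above concrete, here is an added example (not from the thread or from Palo Alto) that models the two cabling designs as a small graph and enumerates which single and double device failures leave the surviving active firewall unable to reach the surviving HSRP router. It assumes PAN1/R1 are the preferred active units, that the peer takes over whenever its partner is down, and it does not model firewall link-monitoring failover; the switch names SW1/SW2 are constructed.

```python
from collections import deque
from itertools import combinations

# Constructed topologies. STRAIGHT is the cabling described in the thread:
# PAN1 <-> R1, PAN2 <-> R2, plus the R1 <-> R2 link carrying the HSRP VLANs.
STRAIGHT = [("PAN1", "R1"), ("PAN2", "R2"), ("R1", "R2")]
# SWITCHED adds a switch pair so every firewall can reach every router.
SWITCHED = [("PAN1", "SW1"), ("PAN1", "SW2"), ("PAN2", "SW1"), ("PAN2", "SW2"),
            ("SW1", "R1"), ("SW1", "R2"), ("SW2", "R1"), ("SW2", "R2"), ("SW1", "SW2")]
NODES = ("PAN1", "PAN2", "R1", "R2")  # devices whose outage we enumerate


def reachable(links, failed, src, dst):
    """BFS over undirected links, treating every node in `failed` as absent."""
    if src in failed or dst in failed:
        return False
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    seen, queue = {src}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            return True
        for nxt in adj.get(node, ()):
            if nxt not in failed and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False


def gateway_ok(links, failed):
    """True if the active firewall can reach the HSRP active router.
    Active role: PAN1/R1 unless failed, otherwise the peer (assumption)."""
    active_pan = next((p for p in ("PAN1", "PAN2") if p not in failed), None)
    active_r = next((r for r in ("R1", "R2") if r not in failed), None)
    if active_pan is None or active_r is None:
        return False  # nothing left to fail over to; not a cabling problem
    return reachable(links, failed, active_pan, active_r)


def weak_spots(links):
    """Failure sets (size 1 or 2) that break traffic although a firewall
    and a router both survive, i.e. outages HSRP alone cannot absorb."""
    spots = set()
    for size in (1, 2):
        for failed in combinations(NODES, size):
            failed = frozenset(failed)
            survivors = set(NODES) - failed
            if survivors & {"PAN1", "PAN2"} and survivors & {"R1", "R2"}:
                if not gateway_ok(links, failed):
                    spots.add(failed)
    return spots
```

`weak_spots(STRAIGHT)` reports the R2-plus-PAN1 case from the reply above and its mirror image, while `weak_spots(SWITCHED)` is empty.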