This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

wan interface configuration for HA active/passive

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

wan interface configuration for HA active/passive

Go to solution
travisj
L2 Linker

‎06-04-2016 10:08 AM

We are about to replace a single 2050 with an HA pair of 3050's.   Having some trouble figuring out how to get the switch and Pa configured so I can share the single ISP connection with both firewalls.

 

Current setup has interface 1/3 as L3 with the WAN ip address

 

I was trying to minimize the changes to make (because 2050 is insanely slow to commit) so attempted using a new vlan 111 on our core switch, set it up on two ports in access mode (untag all) and tried moving the ISP router and the palo alto wan interface into the switch on those two ports.

 

Am I going to need to change the wan interface on the palo alto to have a tagged sub interface on vlan 111 and move the wan IP addresses to it?   Hopefully I'm just missing something simple.

 

thanks,

 

 

0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
pankaku
L5 Sessionator

‎06-05-2016 06:39 AM

You have to move ISP link to switch. On switch there should be three ports and these three ports should be part of same VLAN, access ports. One port for ISP, One for active firewall and one for passive firewall that's it.

View solution in original post

3 REPLIES 3

Go to solution
Raido_Rattameister
Cyber Elite
Cyber Elite

‎06-04-2016 12:34 PM

You should create subinterfaces on palo only if it connects to switch trunk port.

If switch port is access then you don't use subinterfaces.

If you set up HA then interface mac addresses will change and Palo will send graditious arp out only to notify interface ip change but not for DNAT ip addresses so you should be ready to clear switch arp cache.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Go to solution
pankaku
L5 Sessionator

‎06-05-2016 06:39 AM

You have to move ISP link to switch. On switch there should be three ports and these three ports should be part of same VLAN, access ports. One port for ISP, One for active firewall and one for passive firewall that's it.

Go to solution
travisj
L2 Linker
In response to pankaku

‎06-06-2016 06:05 AM

Pankaj,

 

That's what I thought, but I tried moving the existing firewall to that setup, moved isp, and PA to switch on same vlan with access ports, and they wouldn't talk.  Only had a brief downtime window last weekend to test so wasn't able to do much troubleshooting.  This next weekend is the planned implementation for new pair so I'll try again, and have time to clear arp and track down any issues.

 

 

Thanks for the help everyone.

0 Likes Likes
  • 1 accepted solution
  • 5095 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks