wan interface configuration for HA active/passive


L2 Linker

We are about to replace a single 2050 with an HA pair of 3050s. Having some trouble figuring out how to get the switch and PA configured so I can share the single ISP connection with both firewalls.


Current setup has interface 1/3 as L3 with the WAN ip address


I was trying to minimize the changes to make (because the 2050 is insanely slow to commit), so I attempted using a new VLAN 111 on our core switch, set it up on two ports in access mode (untag all), and tried moving the ISP router and the Palo Alto WAN interface into the switch on those two ports.


Am I going to need to change the WAN interface on the Palo Alto to have a tagged subinterface on VLAN 111 and move the WAN IP addresses to it? Hopefully I'm just missing something simple.


thanks,


Cyber Elite

You should create subinterfaces on the Palo only if it connects to a switch trunk port.

If the switch port is access, then you don't use subinterfaces.

If you set up HA, then the interface MAC addresses will change and the Palo will send gratuitous ARP out only to notify of the interface IP change, but not for DNAT IP addresses, so you should be ready to clear the switch ARP cache.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

L5 Sessionator

You have to move the ISP link to the switch. On the switch there should be three ports, and these three ports should be part of the same VLAN as access ports: one port for the ISP, one for the active firewall and one for the passive firewall, that's it.
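The layout described in this answer, as an added example that is not part of the original thread: a Cisco IOS-style switch configuration for the three access ports in VLAN 111 (the VLAN the question mentions). Port numbers, the VLAN name and the "ethernet1/3" descriptions are assumptions; the PAN-OS side keeps its existing Layer 3 WAN interface with no subinterface, since the ports are untagged.

```text
! VLAN 111 carries the untagged ISP hand-off shared by both HA members
vlan 111
 name ISP-WAN
!
! ISP router (assumed port)
interface GigabitEthernet1/0/1
 description ISP router
 switchport mode access
 switchport access vlan 111
 spanning-tree portfast
!
! Active PA-3050, WAN interface ethernet1/3 (assumed port)
interface GigabitEthernet1/0/2
 description PA-3050-A ethernet1/3 WAN
 switchport mode access
 switchport access vlan 111
 spanning-tree portfast
!
! Passive PA-3050, WAN interface ethernet1/3 (assumed port)
interface GigabitEthernet1/0/3
 description PA-3050-B ethernet1/3 WAN
 switchport mode access
 switchport access vlan 111
 spanning-tree portfast
```

Because VLAN 111 is a pure transit segment for the WAN hand-off, keep it off any trunk that carries internal VLANs and give it no switch virtual interface, so the only Layer 3 neighbours on it are the ISP router and the firewall pair. As the earlier reply notes, the firewall's WAN MAC changes once HA is enabled, so stale ARP entries for the WAN and any DNAT addresses on the ISP router side may need to age out or be cleared during the cutover window.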

Pankaj,


That's what I thought, but I tried moving the existing firewall to that setup, moved the ISP and PA to the switch on the same VLAN with access ports, and they wouldn't talk. Only had a brief downtime window last weekend to test, so I wasn't able to do much troubleshooting. This next weekend is the planned implementation for the new pair, so I'll try again and have time to clear ARP and track down any issues.

Thanks for the help everyone.
