Design suggestion


L0 Member

Hi All, 

I'm from the network team, not the firewall team. Presently we have an ASA FW which we are planning to replace with two Palos. Presently we have one WAN link going to the FW and one link to the LAN router. Now, how do we connect two Palos when we have one WAN link?

[image: anee4285_1-1737725715924.png]

This is what I thought of, but I have a question about it: will the FW support a Layer 3 port channel, and will both links be bundled/active? How will the FW work in this scenario? Whichever FW is active will forward the traffic to the router, but the router will forward traffic to both firewalls, so the secondary FW will drop the traffic.

My router will bundle the links when it treats the FW as a cluster, like a router connected to two Nexus switches which are in vPC.

 
[image: anee4285_2-1737726251355.png]
 

Any suggestions please. You can suggest a new design also.

 

2 REPLIES

Cyber Elite

I would do ISP > switch > 2x Palo.

Usually (unless there are special routing / virtual wire requirements) a Palo cluster is set up as active/passive.

By default the passive firewall keeps its ports shut down.

So if you decide to go with the ISP > router > 2x Palo setup, the router knows where to send traffic because only the port towards the active Palo is up; the other is down.

If you decide to change the Palo passive port from "shutdown" mode to "auto" mode, it means the passive also keeps its port up but does not reply to any ARP requests on that port (this helps to speed up failover, as all the spanning tree and LACP negotiations are already done).

In your case, do the Palos participate in BGP or just pass it through between routers?

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
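Added example, not part of the thread and not configuration supplied by either poster: an annotated PAN-OS set-command fragment for the ISP > switch > 2x Palo design from the reply above, with the passive link state changed from the default "shutdown" to "auto". The interface names, addresses (RFC 5737 / private ranges), HA group ID and link-monitor group name are assumptions, and the command syntax is written from memory, so verify it against the PAN-OS version in use before committing. Each firewall gets its own uplink to the switch rather than a router port channel, because an aggregate (LACP) interface on a Palo terminates on one chassis; an HA pair does not form a multi-chassis LAG, which is why the original port-channel diagram would hash half the traffic to the passive peer. If the firewalls are to stay transparent to BGP as the ASA is today, the WAN- and LAN-facing interfaces would be a virtual-wire pair instead of the layer3 interfaces shown here.

```text
# Annotated PAN-OS configuration-mode fragment (assumed names/addresses).
# Lines starting with '#' are commentary, not CLI input.
configure

# HA group 1, active/passive. Default passive-link-state is "shutdown":
# the passive peer's data ports are link-down, so the upstream switch or
# router only sees the active peer. "auto" keeps the passive peer's ports
# link-up but it does not answer ARP, so STP/LACP on the switch side has
# already converged when failover happens.
set deviceconfig high-availability enabled yes
set deviceconfig high-availability group group-id 1
set deviceconfig high-availability group peer-ip 10.255.0.2
set deviceconfig high-availability group mode active-passive passive-link-state auto
set deviceconfig high-availability group election-option device-priority 100
set deviceconfig high-availability group election-option preemptive no

# HA1 (control) and HA2 (session sync) links between the two peers.
# On the second peer swap the HA1 address (10.255.0.2) and peer-ip (10.255.0.1).
set deviceconfig high-availability interface ha1 port ethernet1/7 ip-address 10.255.0.1 netmask 255.255.255.252
set deviceconfig high-availability interface ha2 port ethernet1/8

# Fail over if the WAN-facing interface loses link.
set deviceconfig high-availability group monitoring link-monitoring enabled yes
set deviceconfig high-availability group monitoring link-monitoring failure-condition any
set deviceconfig high-availability group monitoring link-monitoring link-group wan interface ethernet1/1
set deviceconfig high-availability group monitoring link-monitoring link-group wan failure-condition any

# Data plane: ethernet1/1 toward the ISP switch (untrust), ethernet1/2
# toward the LAN router (trust). Data-plane config is synced to the peer,
# so both firewalls carry the same addresses; only the active peer
# answers ARP for them.
set network interface ethernet ethernet1/1 layer3 ip 203.0.113.2/30
set network interface ethernet ethernet1/2 layer3 ip 10.10.10.1/30
set zone untrust network layer3 ethernet1/1
set zone trust network layer3 ethernet1/2
set network virtual-router default interface [ ethernet1/1 ethernet1/2 ]
set network virtual-router default routing-table ip static-route default destination 0.0.0.0/0 nexthop ip-address 203.0.113.1

commit
```

With this layout the LAN router needs no port channel: it has a single next hop (10.10.10.1) that moves between chassis on failover, and the switch in front of the ISP link sees one MAC/IP pair that the newly active peer takes over with gratuitous ARP. The same pattern extends to the four-site variant in the follow-up post by carrying each WAN link in its own VLAN on that switch and mapping it to a separate vsys.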

Thanks Rapido for your response. So we can use either a switch or a router for upstream, right? Right now the downstream router forms BGP with the site router, as the present ASA doesn't support it. So the present FW just passes the BGP and is in bypass mode.

 

Actually we have 4 setups like this. They have independent FWs. Now we are planning to have two Palos with 4 VS, but we will have 4 separate routers downstream, with one switch on top which has all 4 WAN links in different VLANs.

 

Any suggestions please.
