01-24-2025 05:44 AM - edited 01-24-2025 05:50 AM
Hi All,
I'm from the network team, not the firewall team. Presently we have an ASA FW which we are planning to replace with two Palos. Presently we have one WAN link going to the FW and one link to the LAN router. Now how do we connect two Palos when we have one WAN link?
This is what I thought of, but I have a question: will the FW support a Layer 3 port channel with both links bundled/active? How will the FW work in this scenario? Whichever FW is active will forward the traffic to the router. But the router will forward traffic to both firewalls, and then the secondary FW will drop the traffic.
My router will bundle the links when it treats the FWs as a cluster, like a router connected to two Nexus switches which are in vPC.
Any suggestions please. You can suggest a new design also.
01-24-2025 07:13 AM - edited 01-24-2025 07:15 AM
I would do ISP > switch > 2x Palo.
Usually (unless there are special routing / virtual wire requirements) a Palo cluster is set up as active/passive.
By default the passive firewall keeps its ports shut down.
So if you decide to go with the ISP > router > 2x Palo setup, then the router knows where to send traffic because only the port towards the active Palo is up; the other is down.
If you decide to change the Palo passive port from "shutdown" mode to "auto" mode, it means the passive also keeps the port up but does not reply to any ARP requests on that port (helps to speed up failover as all the spanning tree and LACP negotiations are already done).
In your case, do the Palos participate in BGP or just bypass it between routers?
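The two passive-link-state behaviours described in the reply above, shown as PAN-OS CLI configuration fragments. This is an added illustration and not part of the original post or of any Palo Alto documentation; the command path and the `shutdown` / `auto` values are assumed from memory of the PAN-OS configuration tree, and the HA group numbering and the optional hold-down timer are assumptions that should be checked against the firewall's own CLI before use.

```text
# Default behaviour: the passive peer keeps its data-plane ports down.
# The upstream router sees only one link up, so it has nothing to decide.
set deviceconfig high-availability group mode active-passive passive-link-state shutdown

# Faster failover: the passive peer keeps links up (STP/LACP already converged)
# but does not answer ARP, so the router still only forwards to the active peer.
set deviceconfig high-availability group mode active-passive passive-link-state auto

# Assumed optional tuning: how long to wait after a link monitor failure
# before the peer is allowed to become active again (value is illustrative).
set deviceconfig high-availability group mode active-passive monitor-fail-hold-down-time 1

commit
```

Check the result with `show high-availability state` on both peers: the passive unit should report its links as up only in `auto` mode, and in either mode only the active unit should be answering ARP for the data-plane interface addresses, which is what keeps the upstream router from black-holing traffic to the standby.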
01-26-2025 04:44 PM
Thanks Rapido for your response. So we can use either a switch or a router for upstream, right? Right now the downstream router forms BGP with the site router, as the present ASA doesn't support it. So the present FW just passes the BGP and is in bypass mode.
Actually we have 4 setups like this. They have independent FWs. Now we are planning to have two Palos with 4 VS. But we will have 4 separate routers downstream. One switch on top which has all 4 WAN links in different VLANs.
Any suggestions please.