PA Active / Active without Virtual IP


L3 Networker

Hi All,

 

In a PA active/active configuration, what will happen if no virtual address is configured?

 

I am seeing that there are two ISPs configured, one on each firewall. Is this the right way to configure it?

Edsnow


Accepted Solutions

L4 Transporter

Hi @Edsnow

So it depends on the use case.

You will use the following guide with the use cases

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/high-availability/set-up-activeactive-ha/d...

 

PCSPI, PCNSCx3, PCNSEx4, PCSAE, PCDRA, ISC2 CC

Hi Alenjandro,

 

Thanks for the reply,

 

In this case, if I choose active/active with route-based redundancy, where will the routing decision be made: in the router or the firewall?

Edsnow


L4 Transporter

Hi @Edsnow

For route-based redundancy:

In a Layer 3 interface deployment and active/active HA configuration, the firewalls are connected to routers, not switches. The firewalls use dynamic routing protocols to determine the best path (asymmetric route) and to load share between the HA pair. In such a scenario, no floating IP addresses are necessary. If a link, monitored path, or firewall fails, or if Bidirectional Forwarding Detection (BFD) detects a link failure, the routing protocol (RIP, OSPF, or BGP) handles the rerouting of traffic to the functioning firewall. You configure each firewall interface with a unique IP address. The IP addresses remain local to the firewall where they are configured; they do not move between devices when a firewall fail

PCSPI, PCNSCx3, PCNSEx4, PCSAE, PCDRA, ISC2 CC
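
A small model of the route-based failover described in the reply above, added here as an illustration; it is not code from the thread or from Palo Alto Networks. The router class, addresses, costs and flow hash are constructed assumptions. It shows an adjacent router sharing flows across the two firewalls' unique interface IPs and withdrawing a next hop on failure, with no address moving between devices.

```python
import hashlib
from dataclasses import dataclass, field

@dataclass
class Router:
    """Adjacent L3 router peering with both firewalls (constructed model)."""
    # prefix -> {next-hop IP: cost}; next hops are the firewalls' unique interface IPs
    rib: dict = field(default_factory=dict)

    def learn(self, prefix, next_hop, cost):
        self.rib.setdefault(prefix, {})[next_hop] = cost

    def neighbor_down(self, next_hop):
        """Link/path failure or BFD timeout: drop every route via that neighbor."""
        for hops in self.rib.values():
            hops.pop(next_hop, None)

    def best_hops(self, prefix):
        hops = self.rib.get(prefix, {})
        if not hops:
            return []
        low = min(hops.values())
        return sorted(h for h, c in hops.items() if c == low)

    def forward(self, prefix, flow):
        """Pick a next hop per flow; equal-cost hops share load by flow hash."""
        hops = self.best_hops(prefix)
        if not hops:
            return None  # no functioning firewall left: traffic is dropped
        digest = hashlib.sha256(repr(flow).encode()).digest()
        return hops[digest[0] % len(hops)]

FW_A, FW_B = "10.0.1.1", "10.0.2.1"   # constructed addresses, unique per firewall
INTERNET = "0.0.0.0/0"

def simulate():
    r = Router()
    r.learn(INTERNET, FW_A, 10)           # equal cost: both firewalls carry traffic
    r.learn(INTERNET, FW_B, 10)
    flows = [("192.0.2.10", 40000 + i, "198.51.100.5", 443) for i in range(32)]
    before = {r.forward(INTERNET, f) for f in flows}
    r.neighbor_down(FW_A)                 # firewall A fails; its IP does not move
    after = {r.forward(INTERNET, f) for f in flows}
    r.neighbor_down(FW_B)                 # both gone: nothing left to reroute to
    return before, after, r.forward(INTERNET, flows[0])
```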