Hello @PearsonSamuel, good afternoon.
I understand you have your two PA-3220s. So first, as a prerequisite to setting up your HA, you must have all the connections mirrored; that is, if you want everything to operate correctly when a fail-over condition occurs and the secondary equipment assumes the role of active, everything must be properly connected on both the main and the secondary (physical/logical).
First, connection or connections HA1/HA2, for connectivity at HA level. Then if we think of a simple environment, a network/Zone trust, which is facing your LAN(s) and another towards the WAN or Untrust, it should also be mirrored.
Then consider a basic L2 switch: connect a cable from the WAN of the active Firewall-PA to the basic L2 switch, connect the passive to that same switch, then connect the switch to your ISP link.
The active assumes connectivity and maintains session synchronization with the secondary via the HA2 connection. If fail-over occurs, the passive firewall assumes the role of the active and connectivity in its entirety.
For services such as administration, consider that each firewall has or will have its own access through the MGT, the interface for management and administration, and for the connection to the Internet for update downloads, signatures, license refresh, among others.
Similar to the LAN, in terms of logical/physical connectivity.
Important: Remember that the Active Firewall synchronizes all its network values to the Passive Firewall. So you do not need to configure particular values on the secondary; it synchronizes from the active to the passive.
Regards