Hi @nikoolayy1 ,
To be honest I didn't fully understand the F5 documentation in the GitHub link. I am curious how exactly you managed to deploy active/passive F5? If you configure two VIPs (same IP) on the two F5 VEs, how is the failover performed?
In my humble opinion, since you are limited by the cloud, the options are as follows:
- Anything related to GARP, ARP or virtual MACs is out of the question. There is no way to have the same IP on two VEs/NVAs (network virtual appliances) and rely on ARP or GARP to point the traffic to the second unit during failover. Which leaves you with:
- API calls to Azure and move the IP from one VM to another
- Azure Load Balancer with the two FWs as LB pool.
If you check some of the docs for "Cloud NGFW for Azure" it is actually using LB under the hood.
Some other vendors support session sync for standalone units, which is absolutely perfect when you use Azure LB for FW HA. Sadly PAN are still getting there. It looks like HA Clustering is a step in that direction - https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/high-availability/ha-clustering-overview - but currently it is not supported for public cloud.
I haven't really checked, but I wouldn't be surprised if Cloud NGFW for Azure doesn't currently support GlobalProtect. But as I mentioned it is using an LB sandwich under the hood, so it may be supported.
Regarding GlobalProtect HA in Azure - since I cannot imagine any other way to have HA active/passive in Azure (excluding the API calls), I still believe the best option is to
- run two standalone FWs
- with public IP assigned directly to VM
- Using a DNS LB like Traffic Manager and performing health checks to direct users to the primary FW and, in case of issues, have DNS resolve to the secondary member.
- Not using Azure LB will allow you to use IPsec for GP; with LB you must use SSL.
One interesting issue I faced (well, with AWS NLB, but it should probably be the same with Azure) - if you use an LB for VPN, you may have issues with SAML.
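The DNS-based failover described in this reply (two standalone firewalls, public IPs on the VMs, Traffic Manager steering users to the primary and failing over on a failed health probe) as an added Bicep example; this is not code from the post or from Palo Alto Networks. The firewall FQDNs, the profile name, the DNS label and the probe path are assumptions; the probe must target an HTTPS path the GlobalProtect portal actually answers on, and the TTL is kept low so clients re-resolve quickly after a failover.

```bicep
// Assumed DNS names of the public IPs attached directly to the two firewall VMs.
param primaryFwFqdn string = 'fw1-gp.example.com'   // assumption, not a real host
param secondaryFwFqdn string = 'fw2-gp.example.com' // assumption, not a real host
// Assumed HTTPS path the GlobalProtect portal answers on; adjust to your portal.
param probePath string = '/global-protect/login.esp'

resource gpPortalTm 'Microsoft.Network/trafficmanagerprofiles@2022-04-01' = {
  name: 'gp-portal-tm'   // assumed profile name
  location: 'global'     // Traffic Manager profiles are always global
  properties: {
    profileStatus: 'Enabled'
    // Priority routing: all users go to priority 1 while its probe is healthy,
    // so this is active/passive at the DNS layer, not session-level HA.
    trafficRoutingMethod: 'Priority'
    dnsConfig: {
      relativeName: 'gp-portal-example' // assumption; becomes <name>.trafficmanager.net
      ttl: 30                           // short TTL so clients re-resolve after failover
    }
    monitorConfig: {
      // Probe the portal over HTTPS; a TLS/HTTP failure or a non-2xx marks the
      // endpoint degraded after toleratedNumberOfFailures consecutive misses.
      protocol: 'HTTPS'
      port: 443
      path: probePath
      intervalInSeconds: 10          // fast-interval probing
      timeoutInSeconds: 5
      toleratedNumberOfFailures: 2   // ~30 s worst case before DNS flips
      expectedStatusCodeRanges: [
        { min: 200, max: 299 }
      ]
    }
    endpoints: [
      {
        name: 'fw-primary'
        type: 'Microsoft.Network/TrafficManagerProfiles/ExternalEndpoints'
        properties: {
          target: primaryFwFqdn
          endpointStatus: 'Enabled'
          priority: 1   // active member
        }
      }
      {
        name: 'fw-secondary'
        type: 'Microsoft.Network/TrafficManagerProfiles/ExternalEndpoints'
        properties: {
          target: secondaryFwFqdn
          endpointStatus: 'Enabled'
          priority: 2   // passive member, returned only when priority 1 is degraded
        }
      }
    ]
  }
}
```

Because failover here is purely DNS, existing GlobalProtect tunnels on the failed unit are not migrated; clients reconnect to the secondary once their cached record expires, and the portal/gateway certificate must be valid for the Traffic Manager name users connect to.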