About a.jones

Hi All,   How can I instigate a firewall failover for an Active-Active firewall if BGP fails? I feel I need a full failover but please tell me if I am wrong.   Here is the situation: Firewall in Active-Active mode, HA1,2 and 3 up. BGP peering on outside and inside interface. 1 BGP peer on outside to local cpe. Inside peers to local cpe and remote datacentre cpe for resilience. When the BGP fails on the outside path, the inside peering is still up - traffic fails over to the Active-Secondary I thought the the traffic would route through the HA3 link but the traffic path just fails - failed ping that is - I think it's going through Active-Secondary with route back through Active-Primary with no outside network established - does that make sense?   How could we mitigate against this failure? Having dual peering on the outside is not an option. If the interface fails it is configured to failover but this scenario is that the bgp drops and the interface stays up.   Regards   Adrian ... View more

Hi All,   I suspect the answer to this is in the Advanced Routing in PanOS 10.   We have configured a new system as Active-Active and BGP. The firewalls are in different DCs, the DMZ side of the firewall can talk to routers in both DCs but only its local router on the WAN side. If one DC goes down, the other firewall with a less favourable route from said DC would route for the named subnets. The requirement is to advertise the AS Number from the system on the DMZ to the WAN network so that the WAN router has both firewall and DMZ AS-Numbers for the return path and vice versa in the DMZ - this is so path selection can be performed within the DMZ BGP and WAN environment rather than on the firewall. Currently, the Palo Alto substitutes the AS-Number with its own AS so to make a path less favourable we need to perform AS-Prepending on certain paths.   Is there a way to achieve this on PanOS 9.1.14-h4 or is this an Advanced Routing requirement.   Regards   Adrian ... View more

Hi All,   I have a query for Clientless VPN. I have a working solution which is suitable for a normal user. Unfortunately I seem to have abnormal users (don't we all really) who are complaining that there are too many log ons. They have to log on to Clientless VPN and then log on the the RD Web session that is offered to them. Is there a way we could push their Clientless VPN authentication through to the RD Web session? I think the answer is no tbh.   My only other solution is to remove the authentication for the Clientless VPN and lock access to known source addresses except if an address is spoofed it is open to them, albeit if a user account is compromised it's open now....assessment of two evils.   Regards   Adrian ... View more