Hello Jeremy, all, I was reading this forum as I have a somewhat similar issue. We have an A/A Palo Alto cluster, with the two firewalls sitting in two different DCs and each having a separate ISP connected for internet. The NAT was all configured accordingly as well: each device ID is bound to its respective configured ISP internet interface IP for outbound traffic. All our firewall internal interfaces are configured with HA floating IPs, and all our internal networks use the respective floating IP of the firewall as their gateway address.

In the course of time one ISP broke and stopped being used for a while, say 3-4 years now. lol, I know it's been a long time to fix an ISP issue, but this is the history. Since then node-2, where the broken ISP was connected, has been suspended. Now there is immense pressure from the top to put the node back into the cluster as active for full redundancy, which is a very reasonable request.

So we connected the suspended node's internet interface to the other live ISP, which serves the other node as well. The setup is: the ISP connects to a layer-2 switch in one DC where we have a dedicated VLAN, and the internet interfaces of both firewalls are in the same VLAN (we run a spanned VLAN between DCs, so it was an easy task for us to extend the internet connection of the firewall to the other DC's ISP by extending the dedicated VLAN). The firewalls' internet interfaces have different public IPs from the same pool, and no floating IP is configured for them. We also set up duplicate NAT rules for incoming traffic (we have many for different hosted applications using dedicated public IPs in the /26 pool) and outgoing traffic (only using the interface IP of node-1 in both duplicate NAT rules), bound to both device IDs.

Once the secondary firewall was back active everything worked fine, but after some weeks we noticed the performance of many of the hosted applications was affected, and then we found an "ARP duplication error" on the internet interface of the firewalls, and we immediately suspended node-2 again. This resolved the ARP duplication issue immediately.
But now we need to bring node-2 back to active-secondary again ASAP with a workable solution for internet traffic. So we are thinking of giving the internet interfaces a floating IP as well, bound to the primary node [please note all our LAN-side interfaces already have floating IPs with HA device ID priority configured, not bound to the primary node]. Will this solution work without any issue? What do you think? I have spoken to a couple of Palo Alto support engineers but they can't answer it correctly. Please help at the earliest. Many thanks guys for reading this!

Libin
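The symptom reported in the post is two firewalls answering ARP for the same public address on the shared internet VLAN. Whatever the root cause turns out to be (a plausible one, which is my reading and not something the post states, is a NAT rule bound to both device IDs that translates to the same address, so both nodes proxy-ARP for it and the ISP router's ARP cache flaps between the two MACs), the check a practitioner would want before re-enabling node-2, and again after binding a floating IP to the primary, is a capture of ARP on the internet VLAN with a list of any IP claimed by more than one MAC. The script below is an added example and is not code from the thread or from Palo Alto Networks. It assumes the capture was taken with `tcpdump -nn arp` on a host or SPAN port in that VLAN (the regex matches tcpdump's default ARP reply line); the addresses in `SAMPLE_CAPTURE` are constructed, with `203.0.113.0/26` standing in for the hosted-application pool and made-up MACs, and the `expected` mapping in the usage section is an assumed owner table, not the poster's configuration.

```python
import re
from collections import defaultdict

# Regex for the ARP reply line format printed by `tcpdump -nn arp`
# (without -e, so only the MAC claimed in the reply body is visible).
ARP_REPLY = re.compile(
    r"^(?P<ts>\S+)\s+ARP, Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is-at "
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
)

# Constructed sample capture, not from the poster's environment.
# 203.0.113.10 is answered by two different MACs (the duplicate-ARP
# condition); 203.0.113.11 has a single owner. Request lines are ignored.
SAMPLE_CAPTURE = """\
10:00:01.000100 ARP, Request who-has 203.0.113.10 tell 203.0.113.1, length 46
10:00:01.000300 ARP, Reply 203.0.113.10 is-at 00:1b:17:aa:aa:01, length 28
10:00:01.000350 ARP, Reply 203.0.113.10 is-at 00:1B:17:BB:BB:01, length 28
10:00:02.000100 ARP, Request who-has 203.0.113.11 tell 203.0.113.1, length 46
10:00:02.000200 ARP, Reply 203.0.113.11 is-at 00:1b:17:bb:bb:01, length 28
10:00:03.000100 ARP, Reply 203.0.113.10 is-at 00:1b:17:aa:aa:01, length 28
"""


def parse_arp_replies(capture_text):
    """Return (timestamp, ip, mac) for every ARP reply line; MACs lowercased."""
    replies = []
    for line in capture_text.splitlines():
        m = ARP_REPLY.match(line)
        if m:
            replies.append((m.group("ts"), m.group("ip"), m.group("mac").lower()))
    return replies


def mac_owners(replies):
    """Map each IP to {mac: number of replies seen claiming that IP}."""
    owners = defaultdict(lambda: defaultdict(int))
    for _ts, ip, mac in replies:
        owners[ip][mac] += 1
    return {ip: dict(macs) for ip, macs in owners.items()}


def duplicate_ips(owners):
    """IPs claimed by more than one MAC, each with its sorted list of claimants."""
    return {ip: sorted(macs) for ip, macs in owners.items() if len(macs) > 1}


def check_expected_owner(owners, expected):
    """Compare observed claimants against the MAC that should answer for each IP.

    `expected` maps ip -> mac (for instance the primary node's interface MAC
    once a floating IP is bound to it). Returns [(ip, [unexpected macs])].
    """
    violations = []
    for ip, mac in expected.items():
        seen = set(owners.get(ip, {}))
        extra = sorted(seen - {mac.lower()})
        if extra:
            violations.append((ip, extra))
    return violations


if __name__ == "__main__":
    replies = parse_arp_replies(SAMPLE_CAPTURE)
    owners = mac_owners(replies)
    for ip, macs in duplicate_ips(owners).items():
        print(f"DUPLICATE {ip}: {', '.join(macs)}")
    # Assumed owner table: which MAC is supposed to answer for each address.
    expected = {
        "203.0.113.10": "00:1b:17:aa:aa:01",
        "203.0.113.11": "00:1b:17:bb:bb:01",
    }
    for ip, extra in check_expected_owner(owners, expected):
        print(f"UNEXPECTED claimant(s) for {ip}: {', '.join(extra)}")
```

Run it against a real capture by replacing `SAMPLE_CAPTURE` with the text of `tcpdump -nn -i <iface> arp` taken over a few minutes while traffic is flowing; a clean result after the change is an empty `duplicate_ips()` and an empty violation list for every address in the /26 that the firewalls are meant to own. The counts in `mac_owners()` are useful too: a single stray reply may be a stale cache entry, while a steady stream from a second MAC means both nodes are actively answering.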