@ASU-NetworkTeam wrote:

Yes, we stopped doing active/active due to budget. PA has some really outrageous pricing for active/active. It basically doubles the bill and is not worth it in my opinion. You would be better off upgrading to a more powerful unit and doing active/standby for budget reasons, from what I have seen. We have active/standby and use LACP to Cisco 4500X routers. It works great, and you also have the option to have the standby unit in no shut to keep the routing protocol active if needed for faster failover. Unless you have a need for active/active because of usage, you are fine changing to active/passive. You know your network better than anyone, so don't just take my word for it, but it is worth researching.

We have also found that the newer units are much more powerful than our older 5020 and the renewals are much LESS, but the upfront purchase cost is ridiculous. I guess PA is going to make $$$ somehow. You would think for the amount of money we pay we could at least get USA support 100%. I get so sick of calling and spending an hour or more getting past the language barrier and then the technical explanation, or someone in India who really does not care and is just trying to get the ticket closed.

So I tested everything this morning, Xbox and PS4. Xbox reports OPEN and the PS4 is type 2 and working. The students are happy so far. Also, issues with FaceTime quality and other things are gone. Using a NAT pool is apparently a bad idea in the Palo Alto world. So yes, we are down to two options: route public WAN addresses to the clients, or NAT each subnet to a different WAN address to avoid oversubscription. I will post screenshots here in a few of what we did.

@ASU-NetworkTeam I'd be interested to find out if you're still running this solution the same way a year later. I've recently joined a team, and the current solution has been to set up a 1-to-1 private-to-public NAT per previous recommendations from Palo Alto on the topic.

However, I don't see this as a long-term solution as our user base grows, and this is the first I've seen of a potential alternative solution. Additionally, similar issues present themselves with students who are PC gaming, and mapping them this way is not ideal at best. If NAT to a single IP for this special use case could resolve the issue, I'd see that as a usable approach. Also, are you still blocking all inbound with good results? Everywhere else I've seen says to open certain ranges of inbound ports, but I've been dubious of how necessary it is. Thanks for sharing this info! Really hope to find out some more about it.
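The thread contrasts a shared NAT pool with port translation against a 1-to-1 mapping and reports the resulting console NAT type. The following is an added illustration, not code from the thread or from Palo Alto: a deliberately simplified NAT model that runs the STUN-style probe consoles use (two servers compare the public address they observed, then an unsolicited inbound packet is attempted) so the reader can see why a per-destination, port-translated mapping reports Strict while an endpoint-independent 1-to-1 mapping reports Open. All addresses and ports are constructed sample values.

```python
"""Simplified model of how the NAT style affects a console's reported NAT type."""
from dataclasses import dataclass, field
from itertools import count

@dataclass
class Nat:
    """static=True : 1-to-1 mapping, source port preserved, endpoint-independent.
    static=False: shared public IP, a fresh public port per (client, destination)."""
    public_ip: str
    static: bool
    _ports: count = field(default_factory=lambda: count(20000))
    _table: dict = field(default_factory=dict)    # key -> public (ip, port)
    _reverse: dict = field(default_factory=dict)  # public (ip, port) -> (client, peer or None)

    def outbound(self, src, dst):
        """Translate an outbound flow and return the public (ip, port) the peer sees."""
        key = src if self.static else (src, dst)        # endpoint-dependent when not static
        if key not in self._table:
            port = src[1] if self.static else next(self._ports)
            self._table[key] = (self.public_ip, port)
            self._reverse[(self.public_ip, port)] = (src, None if self.static else dst)
        return self._table[key]

    def inbound(self, peer, pub):
        """Return the client an unsolicited packet from `peer` reaches, or None if dropped."""
        entry = self._reverse.get(pub)
        if entry is None:
            return None
        client, bound_peer = entry
        # A port-translated pool entry only admits the peer that created it.
        return client if bound_peer is None or bound_peer == peer else None

def nat_type(nat, console, stun_a, stun_b, party_peer):
    """Rough console classification: Strict, Moderate or Open."""
    seen_a = nat.outbound(console, stun_a)
    seen_b = nat.outbound(console, stun_b)
    if seen_a != seen_b:
        return "Strict"            # each destination got its own mapping (symmetric NAT)
    reached = nat.inbound(party_peer, seen_a)
    return "Open" if reached == console else "Moderate"

# Constructed sample values: a console, two STUN-like servers and a third-party peer.
CONSOLE = ("10.1.2.3", 3074)
STUN_A, STUN_B = ("203.0.113.10", 3478), ("203.0.113.20", 3478)
PEER = ("192.0.2.50", 3074)

if __name__ == "__main__":
    print("1-to-1 static :", nat_type(Nat("198.51.100.7", True), CONSOLE, STUN_A, STUN_B, PEER))
    print("shared pool   :", nat_type(Nat("198.51.100.8", False), CONSOLE, STUN_A, STUN_B, PEER))
```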