Thanks @rmfalconer that seems to have done the trick. @Astardzhiev advertising a public NAT range is exactly what I'm trying to do and many thanks for the explanation as to why it needs to be done this way for such cases.
Hi all, I'm not having much joy getting this working. I have created a static route for a subnet which I am trying to advertise to an eBGP peer. I then created a redistribution profile with only static enabled, and then added that profile under BGP Redist Rules. The BGP peering is definitely established and I am able to redistribute a Connected route no problem. I tried it with and without export rules and that made no difference. I tried all the steps in this page: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PNt2CAG

I've been beating away at it all day and have run out of ideas. Any thoughts on what I might be missing?
Hi all, this is my first post on this forum. I am also a brand new Palo Alto customer and we just purchased a pair of 3220 firewalls. As the subject says, my question revolves around HA, as I would like to start putting together a plan for design and deployment. My question is probably really stupid, but I just want a bit of clarification on how an active/passive deployment works, as opposed to active/active. After reading around I can see that active/passive is the favoured option, even by Palo Alto.

Having read this documentation: https://docs.paloaltonetworks.com/content/dam/techdocs/en_US/pdf/pan-os/10-1/pan-os-admin/pan-os-admin.pdf where it says: "Active/Passive: One firewall actively manages traffic while the other is synchronized and ready to transition to the active state, should a failure occur", I'm a little unsure what this means. Does that mean that no traffic will pass through the passive firewall? Or will both firewalls process traffic, but only the active firewall "manages" the traffic with policies?

To add a little context, we have two connections out to the internet, each of which is being protected by its own firewall. Both connections are to the same ISP. In our current setup the two firewalls are managed independently and have their own policies. Where I want to be, however, when we replace our existing firewalls with our new Palo Altos, is to cluster the two devices, i.e. the same policies replicated across both firewalls. But obviously I don't want to end up in a situation where we have an internet connection with zero traffic utilization where the passive device will be, and it only gets utilized when the primary active firewall fails. The connections between the two firewalls internally are all L3. I was informed by our PA partner SE that in order to achieve active/passive I will need to convert our L3 internal WAN links to L2. I am not too keen on doing that unless I absolutely need to.

It was also suggested to look at investing in Panorama to overcome the issue of managing and replicating both firewalls centrally, but according to Palo Alto this product only becomes useful for managing 6 appliances or more, so I'm not sure whether this solution might be a little overkill for us. From what I've been reading, active/active is only beneficial when you have asymmetric routing, which we don't have. If anyone can advise I would be grateful, and sorry again for my questions... Palo Alto is new to me and this would also be my first time configuring HA for firewalls. Thanks