About BayAlarmCompany

I am setting up some new OSPF adjacencies between my PA and a pair of Dell switches. Should I be using BFD? Will BFD make things better or worse?   What I currently do is set LACP in HA passive state. OSPF graceful failover is configured on my switches and on firewall (which is default). I am using default grace period of 120 seconds. My OSPF hello timers are set to 1 second, and dead time to 10 seconds. I have found that if my dead timer is at 5 seconds or so, that OSPF would completely drop from my switch, which is certainly not desirable. In this configuration, a planned failover usually results in 1 dropped ping.   In this environment, is BFD useful? I haven't found information relating BFD and PA active/passive deployments. My concern is that a failover will cause BFD to go down, which will then cause OSPF to drop and there goes my graceful restart. 😞 I don't know, maybe if I used longer BFD timers I can make it work. Anyone know what BFD timers would survice a graceful failover?   In this setup, my PA has an adjacency with each redundant switch. It would be nice to detect the switch being down with BFD before my OSPF dead timer expires. I can't do interface down detection because of of the use of AE interface going to both switches. Maybe it is possible to only have OSPF on the PAN to subscribe to BFD? That way PAN can quickly withdraw routes to a dead switch before OSPF timers expire, but a PAN failover won't cause issues for the switches.   Thank you! ... View more

Is there a good way to pre-stage changes using Panorama? Sometimes I have needs to make a rather complex set of changes in various areas, but I don't want to commit them to the firewall for days or even weeks. Is there a good way to handle this? I know that in version 8.0.x of Panorama, that I can commit all changes or just my changes. I can imagine putting in my pre-staged changes under one account, and then doing day to day changes under another account. That would allow my to somewhat segregate my changes so that things didn't get committed to the firewall until I am ready. This seems far from ideal, and not a very good oeprational practice. I have also needed to do this when I was working on changes and a high priority change needed to be made. I had another admin make the high priority change so that my other changes didn't get committed before I was ready. Is there a better way?   Right now I am considering making my safe changes now, and then schedule working on my more drastic changes to just before I need to put them into place. ... View more