Hello,
As you may know, PA HA is per physical box only. If you have 2 boxes running virtual systems and you want HA, you can't have VSYS1 on box1 active and VSYS2 on box1 standby. Box1 must be active for all VSYS on it, or standby for all of them.
There is a workaround for this limitation with configuration sync. Let's assume we have 2 PA boxes and we want to have the following:
Box1: device id 0
  VSYS1 active
  VSYS2 standby
Box2: device id 1
  VSYS1 standby
  VSYS2 active
We can configure Active/Active High Availability between the 2 boxes and use Floating IPs with priorities to make FIP1 (10.2.28.1, which is part of VSYS1) active on box1 and FIP2 (10.2.29.1, which is part of VSYS2) active on box2, as below.
Network Configuration:
e1/1, e1/2 are part of VSYS1
e1/3, e1/4 are part of VSYS2
e1/1 (Inside) will have an IP 10.2.28.2 on box1 and 10.2.28.3 on box2
e1/2 (Outside) will have an IP 10.2.30.2 on box1 and 10.2.30.3 on box2
e1/3 (Inside) will have an IP 10.2.29.2 on box1 and 10.2.29.3 on box2
e1/4 (Outside) will have an IP 10.2.31.2 on box1 and 10.2.31.3 on box2
Virtual Router VR1 (e1/1, e1/2) is part of VSYS1
Virtual Router VR2 (e1/3, e1/4) is part of VSYS2
Virtual Address on e1/1 is 10.2.28.1 with priority 0 on device 0 (Active) and priority 255 on device 1 (Standby)
Virtual Address on e1/2 is 10.2.30.1 with priority 0 on device 0 (Active) and priority 255 on device 1 (Standby)
Virtual Address on e1/3 is 10.2.29.1 with priority 255 on device 0 (Standby) and priority 0 on device 1 (Active)
Virtual Address on e1/4 is 10.2.31.1 with priority 255 on device 0 (Standby) and priority 0 on device 1 (Active)
Assuming that users can't change their gateway manually, subnet 10.2.28.0/24 is now active on VSYS1 on box1, while subnet 10.2.29.0/24 is now active on VSYS2 on box2.
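To sanity-check the priority table above before committing it, here is a small model (an added example, not PAN-OS code or a Palo Alto tool) that reproduces the four floating IPs with their per-device priorities, works out which box owns each address with both boxes healthy and with one box down, and flags a plan where a VSYS's inside and outside FIPs would end up on different boxes. Device 0 is box1 and device 1 is box2; lower priority value wins, as in the post.

```python
"""Model of the floating-IP (FIP) plan from the post: which box owns which
address, and whether the plan is internally consistent.  Constructed
example data; not a PAN-OS API."""
from dataclasses import dataclass

@dataclass(frozen=True)
class FloatingIP:
    interface: str
    vsys: str
    ip: str
    priority: dict  # device id -> priority; lower value wins

# Constructed from the post's network configuration section.
PLAN = [
    FloatingIP("e1/1", "VSYS1", "10.2.28.1", {0: 0, 1: 255}),
    FloatingIP("e1/2", "VSYS1", "10.2.30.1", {0: 0, 1: 255}),
    FloatingIP("e1/3", "VSYS2", "10.2.29.1", {0: 255, 1: 0}),
    FloatingIP("e1/4", "VSYS2", "10.2.31.1", {0: 255, 1: 0}),
]

def owner(fip, alive):
    """Device that answers for the FIP: lowest priority among healthy devices."""
    candidates = {dev: prio for dev, prio in fip.priority.items() if dev in alive}
    if not candidates:
        return None  # neither box is up; the address is unreachable
    return min(candidates, key=candidates.get)

def active_map(plan, alive=(0, 1)):
    """Return {FIP address: owning device id} for the given healthy devices."""
    return {fip.ip: owner(fip, set(alive)) for fip in plan}

def check_plan(plan):
    """Checks a practitioner would run before committing this design."""
    problems = []
    by_vsys = {}
    for fip in plan:
        by_vsys.setdefault(fip.vsys, set()).add(owner(fip, {0, 1}))
    for vsys, owners in by_vsys.items():
        if len(owners) != 1:  # inside and outside FIPs must sit on the same box
            problems.append(f"{vsys}: FIPs split across devices {sorted(owners)}")
    for fip in plan:
        if len(set(fip.priority.values())) != 2:
            problems.append(f"{fip.ip}: equal priorities, owner is ambiguous")
    if len({owner(f, {0, 1}) for f in plan}) != 2:
        problems.append("all FIPs prefer the same box; that is plain Active/Passive")
    return problems

if __name__ == "__main__":
    print(check_plan(PLAN) or "plan OK")
    print("both up :", active_map(PLAN))
    print("box1 down:", active_map(PLAN, alive=(1,)))
```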
We will need a router (R1) to route traffic between VSYS1 and VSYS2. If we are going to use static routing, the scenario should be as follows:
1_Enable VR Sync in HA > Active/Active tab (enabled by default)
2_Add a default route on VR1 to route traffic to R1
3_Add a default route on VR2 to route traffic to R1
4_On R1, add 2 static routes for each subnet with different metrics
Routes for subnet 10.2.28.0/24:
-route to 10.2.30.1 with metric 10
-route to 10.2.31.1 with metric 20
Routes for subnet 10.2.29.0/24:
-route to 10.2.31.1 with metric 10
-route to 10.2.30.1 with metric 20
In case we need to use Dynamic Routing (OSPF):
1_Don't use floating IPs for the outside interfaces e1/2 and e1/4.
2_Disable VR sync (now we have 4 different routers on the 2 boxes).
3_Increase the metric of subnet 10.2.28.0/24 on VR1, VSYS1 on box2 in the OSPF configuration.
4_Increase the metric of subnet 10.2.29.0/24 on VR2, VSYS2 on box1 in the OSPF configuration.
References:
1_HA Active/Active Tech Note: https://live.paloaltonetworks.com/t5/Documentation-Articles/Configuring-Active-Active-HA-PAN-OS-4-0/ta-p/58158?attachment-id=535
2_How to Configure OSPF: https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-OSPF/ta-p/52283?attachment-id=2880