This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Azure NGFW active-active HA and Panorama requirements

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Azure NGFW active-active HA and Panorama requirements

andrewkelleher
L0 Member

‎09-08-2020 05:28 AM

Hi, we're currently evaluating the use of NGFW's for a new Azure deployment.

 

Ideally, we need to deploy NGFW in an active-active HA pattern behind an Azure internal load balancer.

 

The documentation appears to state that Panorama is required to support this configuration. Is this a hard requirement? Is it possible to enable active-active with Config sync without Panorama?

 

Thanks.

 

0 Likes Likes
3 REPLIES 3

tostern
L3 Networker

‎09-09-2020 07:22 AM

Hi Andrew,

 

we talking here about two different things. the documentation is talking about Azure Autoscaling no we didnt use here a native HA configuration both firewalls are working independently. the is no Session Sync. the Panorama is taking care here about the increase and decrease of VM-Instances inside the VMSS and this is done via the AppInsight Metrics. 

 

the Native HA configuration is working in Azure but without a Loabbalancer in the Front or Back. look here about the Setup https://docs.paloaltonetworks.com/vm-series/9-0/vm-series-deployment/set-up-the-vm-series-firewall-o...

 

I hope that helped you?

 

Regards,

Torsten

 

"With unity we can do great things"
0 Likes Likes

JoergSchuetter
L4 Transporter
In response to tostern

‎09-09-2020 07:53 AM

Hello

 

We have configured HA on Azure, but it turns out that is not the best setup. You don't need a loadbalancer (and therefore no additional virtual router if you have more than one interface behind a loadbalancer).

Unfortunately the failover (regardless of triggered manual or due to an failure) is very slow. The command "hey Azure, shift IP from from interface A to interface B" is triggered immediately. In our environment (trusted, untrusted + two additional IPs with public IP) it typically takes 3 up to 5 Minutes until the failover is completed.

0 Likes Likes

tostern
L3 Networker
In response to JoergSchuetter

‎09-09-2020 08:10 AM

Hi Jörg,

 

thats correct and thats a normal behaviour in Azure. The Problem here is the API call from Azure to detach and attach the interface.

 

Regards,

Torsten

"With unity we can do great things"
0 Likes Likes
  • 4286 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks