Hi, we're currently evaluating the use of NGFW's for a new Azure deployment.
Ideally, we need to deploy NGFW in an active-active HA pattern behind an Azure internal load balancer.
The documentation appears to state that Panorama is required to support this configuration. Is this a hard requirement? Is it possible to enable active-active with Config sync without Panorama?
we talking here about two different things. the documentation is talking about Azure Autoscaling no we didnt use here a native HA configuration both firewalls are working independently. the is no Session Sync. the Panorama is taking care here about the increase and decrease of VM-Instances inside the VMSS and this is done via the AppInsight Metrics.
the Native HA configuration is working in Azure but without a Loabbalancer in the Front or Back. look here about the Setup https://docs.paloaltonetworks.com/vm-series/9-0/vm-series-deployment/set-up-the-vm-series-firewall-o...
I hope that helped you?
We have configured HA on Azure, but it turns out that is not the best setup. You don't need a loadbalancer (and therefore no additional virtual router if you have more than one interface behind a loadbalancer).
Unfortunately the failover (regardless of triggered manual or due to an failure) is very slow. The command "hey Azure, shift IP from from interface A to interface B" is triggered immediately. In our environment (trusted, untrusted + two additional IPs with public IP) it typically takes 3 up to 5 Minutes until the failover is completed.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!