Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Azure NGFW active-active HA and Panorama requirements

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Azure NGFW active-active HA and Panorama requirements

L0 Member

Hi, we're currently evaluating the use of NGFW's for a new Azure deployment.

 

Ideally, we need to deploy NGFW in an active-active HA pattern behind an Azure internal load balancer.

 

The documentation appears to state that Panorama is required to support this configuration. Is this a hard requirement? Is it possible to enable active-active with Config sync without Panorama?

 

Thanks.

 

3 REPLIES 3

L3 Networker

Hi Andrew,

 

we talking here about two different things. the documentation is talking about Azure Autoscaling no we didnt use here a native HA configuration both firewalls are working independently. the is no Session Sync. the Panorama is taking care here about the increase and decrease of VM-Instances inside the VMSS and this is done via the AppInsight Metrics. 

 

the Native HA configuration is working in Azure but without a Loabbalancer in the Front or Back. look here about the Setup https://docs.paloaltonetworks.com/vm-series/9-0/vm-series-deployment/set-up-the-vm-series-firewall-o...

 

I hope that helped you?

 

Regards,

Torsten

 

"With unity we can do great things"

Hello

 

We have configured HA on Azure, but it turns out that is not the best setup. You don't need a loadbalancer (and therefore no additional virtual router if you have more than one interface behind a loadbalancer).

Unfortunately the failover (regardless of triggered manual or due to an failure) is very slow. The command "hey Azure, shift IP from from interface A to interface B" is triggered immediately. In our environment (trusted, untrusted + two additional IPs with public IP) it typically takes 3 up to 5 Minutes until the failover is completed.

Hi Jörg,

 

thats correct and thats a normal behaviour in Azure. The Problem here is the API call from Azure to detach and attach the interface.

 

Regards,

Torsten

"With unity we can do great things"
  • 4779 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!