This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

VM-Series Virtual Next-Generation Firewalls with Session Resilience in Google Cloud Platform (GCP)

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

VM-Series Virtual Next-Generation Firewalls with Session Resilience in Google Cloud Platform (GCP)

tzahroof
L2 Linker
‎03-27-2024 12:36 PM

Title_NGFW Session Resilence_palo-alto-networks.jpg

 

Have you wanted the ability to auto-scale your Palo Alto Networks VM-Series Virtual Next-Generation Firewall, but also have session resiliency in the case of failover? With the release of Cosmos PAN-OS 11.1, your firewalls can now auto-scale and have session resilience in case of failover.

 

VM-Series Architecture in GCP

 

Most customers deploy VM-Series virtual firewalls in the “hub” of a hub and spoke architecture, customers can automatically ensure inspection of traffic ingressing and egressing into a GCP environment, while also guaranteeing that inter-VPC traffic routes through the VM-Series. By deploying VM-Series behind a load balancer (or a load balancer sandwich in the below image), businesses can also spin-up and spin-down VM-Series firewalls as their network traffic fluctuates, scaling network security as their infrastructure grows. In other words, security never becomes the bottleneck for application development.

 

Fig 1_NGFW Session Resilence_palo-alto-networks.png

 

However, auto-scaling VM-Series firewalls did not sync sessions, meaning that a session would be lost if a firewall were to fail. Organizations could deploy VM-Series in High Availability (HA) Active-Passive to solve for this issue, but doing so would force them to resize (and reboot) their firewalls in the case that they needed to (manually) increase their network security throughput inspection, since HA only supports 2 firewalls.

 

Fig 2_NGFW Session Resilence_palo-alto-networks.png

 

Introducing: Software Firewall Clustering

 

Software Firewall Clustering works by syncing VM-Series sessions with a Redis Database. Architecturally, VM-Series would be deployed in the same load-balancing sandwich as auto-scaling. However, in the case that a VM-Series firewall were to fail, the load balancer would forward the session to another (healthy) firewall in the cluster. That new firewall would retrieve the session information from the Redis Database, continuing the policy in seconds without any interruption to the traffic. 

 

Fig 3_NGFW Session Resilence_palo-alto-networks.png

 

Currently, Software Clustering is supported only in AWS and GCP, since only their load balancers will forward traffic to a different firewall in the case of session failure.

 

Wanna Learn More?

 

 

0 Likes Likes
  • 754 Views
  • 0 comments
  • 0 Likes
Register or Sign-in
Labels
Popular Blogs
Top Liked Authors
View All
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks