12-15-2023 06:10 AM
Dear Folks,
I want to setup Panorma High availability between two different data centers [Netherland-Germany] I have checked the latecny is allowed upto 1000 ms. I have some following doubts.
1. since these DC's running different Ip address spce so for HA communication between these peers have two different Ip address, is not an constrains? As long as we have reachbility[L3/L4 level] will it work?
2. since both peers are geographically seperated is there any nessasity to use SFP+ ports? that too PA has eth2/3 are in LAG ports[Viz M700 appliance]
3. As per admin guide, peer communication on MGT port then what is the purpose of Eth1/1 port, how do we configure dedicated HA for panorama
12-18-2023 09:36 PM
I have some following Questions:
As per M700 SFP+ ports eth1/2 and eth1/3 bundled called as Bond1 interface, in what use cases we use this bundle interface in Panorama, Is Data traffic [Communication between Managed firewalls and Panorama]. One of the use cases I could think off, if we want to achieve level redundancy to be achieved. Is that right understanding?
However, if we go for M-300 as there is no interface redundancy available, what would the solution for M300 redundancy [interface level]
12-19-2023 04:48 AM
Hi Ramakrishnan
I have no idea if HA will work over 2 separate sites however, I can advise that you will need to add a variable template to the interfaces of each firewall as 'I would assume' these will be 2 different VLAN's (Unless you utilise OTV?), different internet addresses and a possible DMZ in there too. Please see below a guide to Templates.
Panorama > Templates > Template Variables (paloaltonetworks.com)
On a side note, Have you thought of utilising BGP routing and adding it to an internal routing protocol? Maybe you could go with an Active/Active set up or Active/Standby but the latency might be a bit much for those in the other country.
12-19-2023 09:04 AM - edited 12-19-2023 10:56 AM
The HA peers use the management (MGT) interface to synchronize the configuration elements pushed
to the managed firewalls, Log Collectors, and WildFire appliances and appliance clusters to
maintain state information. Typically, Panorama HA peers are geographically located in different
sites, so you need to make sure that the MGT interface IP address assigned to each peer is
routable through your network
What is the use of Ether1 ports for log collection..?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
