Palo Alto Active/Active vWire Design

Below is the design we are going to look at:


The reason for using vwire was because we wanted the routing protocol to dictate the routing paths. Let the routing protocol do all the failovers and path selecting while the PA sits there and does it’s job with the more security oriented tasks. The “BEFORE” is basically a vwire with no failover option between the PA Firewalls. The PA Firewalls are not aware of each other. In the “AFTER”, we are using an active/active configuration.

The “BEFORE” was actually a recommendation from PA so we went with it for a little while. I decided to change it to “AFTER”. Below is the reason.

The reason for the change above was because if PA-A’s links 1 or 2 goes down, we would swing over to PA-B. A failover will trigger because we are doing “Link and Path Monitoring”. The problem is that we will now be forced to use Router-B which means we will be running off of our secondary backup MPLS link when there’s nothing wrong with the primary MPLS link. This involves a BGP failover (BGP convergence) which should be automated because we are doing some PBR. BGP convergence is also tuned but I won’t go in that here. So basically if PA-A’s links 1 or 2 go down, we swing traffic over to secondary backup MPLS link which we don’t want. I always want to avoid any type of hard failover over the WAN or Internet whenever possible. I’d rather the internal gateway protocol (IGRP) handle the traffic instead because of how much more quickly and efficient they are when compared to BGP.

AFTER” solves this by going to a vwire active/active configuration. If you look at the diagram, we are moving the X-Bar cabling from the bottom to the top. Now if you run through the same scenario as above where ports 1 or 2 goes down, we will still use our Primary MPLS connection. You’ll notice you still failover to PA-B but traffic will still be sent to Router-A, hence we keep using our Primary MPLS link. Always visualize it without the PA’s in place first because a lot of people get confused when they see them in there. Remove them and just look a the paths between the 7K’s and the routers. All you are doing is placing the PA FW’s in between.

You can’t keep the lower X-Bar from “BEFORE” because of the way you setup vwire link mappings. It’s a one to one configuration mainly because of session handling and states. So you can’t map port 1 on PA-A to Port 2 on PA-B.

Due to the nature of dynamic routing protocols, asymmetric routing could take place and you need to set the firewall up to ignore it. If you don’t, it will block the traffic. This is set in the “Zone Protection Profile“.


More Stories
CenturyLink Cloud Connect Options