Doubt
asked on
Firewalls Cluster
Can I make a cluster of 3 palo alto firewalls, 2 that are active in the same data center and 1 in standby in another data center.
And the same for checkpoint firewalls.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
The networks will be different.
The issue deals with the IPs.
The IP that is used for communications among the cluster members might span two locations, the issue is the Failover WAN IP and the LAN IP is at issue.
I would think a scenario where you have Location A and Location B as the DR failover, you would have the DR location with Their OWN LAN Ips, and Firewall that would be updated by a process given you need to deploy the DR systems or if you use virtualization has a replica type of deployment.
You have to cover what a DR you are trying to handle as there are multiple-points of possible failure, on the outside the network feed is gone at location A, all of them.
Then second which the Cluster pair seem to prevent, both FW die.
then both switches die
then the VM host dies
etc.
the I would think the scenario you are planing for might best be discussed with Palo Alto based on which equipment you have and which scenarios you wish to address (and whether you own your Own IPs such that you have peering arrangements to advertise your public IPs from the DR location B....
Same would apply to checkpoint.
The issue deals with the IPs.
The IP that is used for communications among the cluster members might span two locations, the issue is the Failover WAN IP and the LAN IP is at issue.
I would think a scenario where you have Location A and Location B as the DR failover, you would have the DR location with Their OWN LAN Ips, and Firewall that would be updated by a process given you need to deploy the DR systems or if you use virtualization has a replica type of deployment.
You have to cover what a DR you are trying to handle as there are multiple-points of possible failure, on the outside the network feed is gone at location A, all of them.
Then second which the Cluster pair seem to prevent, both FW die.
then both switches die
then the VM host dies
etc.
the I would think the scenario you are planing for might best be discussed with Palo Alto based on which equipment you have and which scenarios you wish to address (and whether you own your Own IPs such that you have peering arrangements to advertise your public IPs from the DR location B....
Same would apply to checkpoint.
Just because the firewalls are in two different DCs doesn't automatically mean the IPs will be different. The DCs may be linked with dark fibre, OTV, etc. We just don't know.
Generally you can't do active/active/passive. It's either active/active or active/passive.
Generally you can't do active/active/passive. It's either active/active or active/passive.
ASKER