To test this feature, visit your live site.

Active Active Vwire IPS - PA

Hello, how are you, as always thanks for the support.

A client wants to remove their IPS tipping point and place their PA 1410 there, which only uses 3 L3 interfaces, due to load issues, performance everything is fine, it uses hopefully 1 to 6% of the load.

Currently their PA-1410 are HA active/passive, they told me that their IPS are also active/passive but now that I review and validate them, they are not active passive, but active/active because traffic passes in real time through each of them, then they are active/active because functional and operational traffic passes through both devices.

The IPS are in the middle of their switch cores, which both connections are generating traffic.

Now seeing this, a Palo Alto Active Passive model is not useful for me to put as a Vwire type IPS since I will have to:

In one PA, for example, put 2 interfaces and a vwire, in another PA put 2 Vwire interfaces, to interconnect each one with each core switch that both are forwarding traffic. But in the event of a failure on the IPS part, the Active / active of the L3 interfaces will work, because those interfaces are mirrored but those of the vwire, there will be a block in one PA and the other vwire block in the other PA.

The thing is that I must then first pass the PAs from active/passive to active to active from what I see.

Then I have my doubt on another point, in the trunk that passes there is a vlan, 100,200,300,350 and vlan "1" not tagged, is it possible to create a vwire with subinterfaces and leave VLAN 1 untagged?

As always, thank you for your time, comments, tips and collaboration.

Kind regards

4 comments

Comments (4)

Reaper

Oct 11, 2023

you can have subinterfaces for each tagged vlan (base interface is untagged) and thus apply different zones for each vlan

or you can put everything onto a single interface (no subinterfaces) but then you have the same zones for all flows/vlan tags

Reaper

Oct 09, 2023

hi there!

Would you be able to provide a network diagram? That will help formulate a more detailed and complete reply.

firstly: since youre only using 3 interfaces, you could free up 4 interfaces per chassis to run 2 vwires side by side, 1 for each ISP

secondly: you can enable vlan tags in vwire so you only pass the traffic that matches a certain vlan tag and block everything (vlan 1 for example) else: one caveat is that the vlan tag will persist on the ;other; side of the vwire so you'll need a switch or something that understands vlan tags on the other side as well

MetgatzGR

Oct 10, 2023

Replying to

Hello master @Reaper thank you as always for your valuable collaboration.

Currently the PA-1410 are in active passive HA operating with their 3 interfaces, ISP, LAN and dmz without any issue, replicated in active passive model without any problem, operating without issue that part of the L3, it does not change and will remain the same.

Now when we talk about the IPS tipping point, where the traffic that passes through these IPS in inline/bridge mode is vlan 1 (untagged traffic) vlan 100,200,300,350 through a block called CoreA, and in the second tipping point sensor, the following happens: CoreB itself passes Vlan 1 traffic (and must continue to pass Vlan 1 in both cores) 100,200,300,350.

So how physically you have 2 Palo Altos currently in active passive, with their L3 interfaces that are not touched and operating correctly since it was implemented. Now the issue is that they want to add these IPS tipping point services to the PA 1410. Due to traffic and performance issues there will be no problem. Now the issue is what I mentioned, I see that we will have to go to active active since there is a physical/logical block of a CoreA and a CoreB, where it is connected to each IPS Sensor of each block, so I have to do the same with either vware or with Layer2, to add its services.

Current situation:

Block 1-A:

Switch Extreme=============IPS-TP============SwitchCoreA

Block 2-B:

Extreme Switches==========IPS-TP===========SwitchCoreB

Now my question is that I can create subinterfaces either Layer2 or vwire where vlan 100,200,300,350 is tagged, but vlan 1, that is, untagged traffic from VLAN 1, does it pass through the vwire or Layer2 subinterfaces?

Thank you as always for your time, for your collaboration, for your advices

Best regards

MetgatzGR

Oct 10, 2023

Replying to

Hello @Reaper what do you think master ?

Forum: Forum