06-07-2024 10:58 AM
Is there a way to connect FTD in HA to Palo Active and Passive without a layer-2 switch in between? With a pure Layer-3 setup, I couldn't think of a solution. Maybe it's possible if Palo sees only a single VIP address and a single MAC? Attaching my setup. Appreciate any help.
Also, if I create Po1 and add eth/13 to it and eth/16 to Po2, the Passive should have the same config, right? I know that with this setup one of the LACP links will be down and the second PO won't come up till Palo failover, but I couldn't think of a solution without introducing an L2 switch in between.
Reason for this discussion: FTD Active and Standby IPs cannot be on different subnets. The current setup has a single link from FTD-1 to the Active FW and a single link from FTD-2 to the Palo Passive. So HA is technically not up even though it is configured.
Thanks!!
06-08-2024 12:04 PM
This will not work, and even if it did, it would not be a good design.
For the firewalls to detect failure, they have to talk and monitor the data interfaces. You should put two layer 2 switches in a stack (cluster, vPC, etc.) for maximum redundancy. Why are you trying to avoid a switch?
06-08-2024 01:50 PM
No, it is not possible to connect FTD in HA to Palo Alto Active and Passive firewalls without a layer-2 switch in between using a pure Layer-3 setup. This is because High Availability (HA) requires that both FTD firewalls be able to see each other's MAC addresses in order to communicate and synchronize state information.
In a Layer-3 setup, routers do not forward MAC addresses by default. This means that the Palo Alto firewalls would only see the VIP address of the FTD HA pair, and not the individual MAC addresses of the FTD firewalls. This would prevent the FTD firewalls from establishing an HA connection.
Here's a breakdown of the issue in your setup:
- FTD-1 and FTD-2 have their standby IP addresses on the same subnet (10.1.1.x). This is a requirement for FTD HA.
- Each FTD firewall is connected to a different Palo Alto firewall (FTD-1 to Palo Alto-1, FTD-2 to Palo Alto-2).
- Palo Alto firewalls are configured with a single HA link for each FTD firewall.
Since there is no Layer-2 switch, the Palo Alto firewalls will only see the VIP address of the FTD HA pair (10.1.1.2) and not the individual MAC addresses of the FTD firewalls. This prevents the FTD firewalls from establishing an HA connection.
Possible solutions:
- Introduce a Layer-2 switch between the FTD firewalls and the Palo Alto firewalls. This would allow the Palo Alto firewalls to see the individual MAC addresses of the FTD firewalls.
- Configure the Palo Alto firewalls to use Layer-3 HA. This is a more complex configuration, but it would allow the Palo Alto firewalls to communicate with the FTD firewalls over a Layer-3 network.
If you are unable to introduce a Layer-2 switch, then you will need to configure the Palo Alto firewalls to use Layer-3 HA. This will require additional configuration on both the Palo Alto firewalls and the FTD firewalls.
Here are some additional points to consider:
- Your configuration for Po1 and Po2 on the FTD firewalls looks correct. However, as you mentioned, one of the LACP links will be down until there is a failover event on the Palo Alto firewalls.
- FTD Active/Standby failover can only occur within the same subnet. Your current setup meets this requirement.
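To make the constraint discussed in this thread concrete, here is an added example (not from any poster, and not vendor code) that models the two topologies as L2 segments and checks whether the FTD pair can share a broadcast domain and subnet. Device names, interface names, segment labels and the /24 addresses are constructed for illustration.

```python
from ipaddress import ip_interface

def build_segments(links):
    """Group (device, interface) pairs by the L2 segment they attach to."""
    segs = {}
    for dev, intf, seg in links:
        segs.setdefault(seg, set()).add((dev, intf))
    return segs

def shared_segments(links, devices):
    """L2 segments on which every device in `devices` has at least one port."""
    segs = build_segments(links)
    return sorted(seg for seg, members in segs.items()
                  if all(any(d == dev for d, _ in members) for dev in devices))

def same_subnet(active_ip, standby_ip):
    """FTD failover needs the active and standby IP of an interface in one subnet."""
    return ip_interface(active_ip).network == ip_interface(standby_ip).network

def ftd_ha_checks(links, active_ip, standby_ip,
                  ftds=("FTD-1", "FTD-2"), palos=("Palo-Active", "Palo-Passive")):
    """Return the individual conditions the thread's replies rely on:
    - ftd_common_l2: both FTD units sit on a common broadcast domain, so the
      standby address can live in the active's subnet and interface monitoring works
    - every_palo_sees_both_ftds: each Palo keeps the same next hop after an FTD failover
    - same_subnet: the configured active/standby pair is valid at all
    """
    return {
        "same_subnet": same_subnet(active_ip, standby_ip),
        "ftd_common_l2": bool(shared_segments(links, ftds)),
        "every_palo_sees_both_ftds": all(
            shared_segments(links, (p,) + tuple(ftds)) for p in palos),
    }

# Constructed topology 1: the poster's setup, one direct cable per FTD, no switch.
NO_SWITCH = [
    ("FTD-1", "eth1/13", "cable-A"), ("Palo-Active", "eth1/1", "cable-A"),
    ("FTD-2", "eth1/13", "cable-B"), ("Palo-Passive", "eth1/1", "cable-B"),
]
# Constructed topology 2: a switch stack in between, all four ports in one VLAN.
WITH_SWITCH = [
    ("FTD-1", "eth1/13", "sw-stack-vlan10"), ("FTD-2", "eth1/13", "sw-stack-vlan10"),
    ("Palo-Active", "eth1/1", "sw-stack-vlan10"), ("Palo-Passive", "eth1/1", "sw-stack-vlan10"),
]

if __name__ == "__main__":
    for name, topo in (("no switch", NO_SWITCH), ("with switch", WITH_SWITCH)):
        print(name, ftd_ha_checks(topo, "10.1.1.2/24", "10.1.1.3/24"))
```

With the direct cables the address pair is valid but the two units never share an L2 segment, so the HA pair cannot come up; adding the switch stack satisfies all three checks.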
06-08-2024 10:49 PM
Port channel will NOT work, as the Firepower expects all members of the primary to be part of the same channel group. I have seen this kind of scenario break. I would not suggest a PO in this case. The best solution is to go with a layer 2 switch and do L3 routing (dynamic) between the firewalls. You can also do static routing, but it is not the best option.