WSAs load balancing

Hello community, 

We have two WSAs which will work in transparent mode with PBR from Palo Alto. I made an HA group with both of them. Is it a possible scenario if we redirect traffic to the VRRP address or to both of them? Do we need an external load balancer in this deployment? I am a little bit confused.

Thank you!


Martin Kyrc
Level 3

Hi,
you have several possibilities for how to solve/design redundancy for WSA (SWA):

1. use CARP ("vrrp"). This solution is supported by WSA. You can "send" traffic to the "vip" address by PBR (or any other "proxy routing" like manual settings or an auto-proxy script on the client's side). In this case only an active-backup scenario is possible.
2. use a load-balancer and then send traffic to the "vip" address by PBR (similar story to step 1). In this case you can use an 'active-active' scenario.
3. you can also use the WCCP protocol (on an L3 device in your network) and then you can use both WSA devices in the same way (a.k.a. active-active).

for your case, step 1 is the correct design.

are both WSAs appliances, or is one (or both) virtual? When at least one is virtual, be careful about the network settings on the vmware side - some "special" settings are required there, because the CARP protocol uses multicast.

is this answer useful for you?

We have two appliances. Should this VRRP address work when we are using them in transparent mode (using PBR)?
I think this VRRP address adds balancing only when the WSA is in explicit mode.

Yes, sure. I forgot to write it. When you are using "transparent" redirection (PBR or WCCP) for the clients, then the WSA (web proxy in general) must be in transparent mode (not in explicit mode). In this case it is not possible to use CARP/VRRP, but you can use a load-balancer instead.

One disadvantage of PBR is that the solution has no failure detection (ok, you can use a load-balancer and configure failure detection there based on monitoring the real WSA servers). The better solution without a load-balancer here is to use WCCP, where failure detection is possible.

best practices for a web proxy in transparent mode:
- use WCCP if there is an L3/FW device that supports this protocol,
- use a load-balancer if one exists in your network (buying a load-balancer for this purpose is an expensive solution)

Palo Altos have failure detection...
Look at the docs for how to do failover for 2 ISPs... Same thing, just only routing some ports to the WSA(s).
But it only works if the WSA is dead... if the IP is still reachable, the firewall may still see it as up and not redirect traffic.
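The gap described above (IP reachable, proxy not actually serving) is what a path-monitor style probe cannot see. The following added example, not from the thread or from Cisco/Palo Alto, contrasts a TCP-connect check with an HTTP-through-the-proxy check against two constructed local stand-ins: one that behaves like a healthy proxy and one that completes the TCP handshake but never answers. Host names, ports and the probe URL are assumptions.

```python
import http.client
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for a healthy WSA: answers absolute-URI (proxy-style) GETs.
class _FakeProxy(BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path.startswith("http://"):
            self.send_response(200)
            self.send_header("Content-Length", "2")
            self.end_headers()
            self.wfile.write(b"ok")
        else:
            self.send_error(400)

    def log_message(self, *args):  # keep the demo quiet
        pass

def start_fake_proxy():
    """Healthy proxy on a free loopback port; returns (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), _FakeProxy)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]

def start_silent_listener():
    """Hung proxy: the kernel completes the TCP handshake, but nothing answers."""
    sock = socket.socket()
    sock.bind(("127.0.0.1", 0))
    sock.listen(1)
    return sock, sock.getsockname()[1]

def tcp_reachable(host, port, timeout=2.0):
    """L3/L4 probe, the kind a firewall path monitor does: TCP connect only."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def proxy_serving(host, port, url="http://health.example/", timeout=2.0):
    """L7 probe: ask the proxy itself to fetch a URL and require an HTTP reply."""
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", url)  # absolute URI, as a client sends to a proxy
        status = conn.getresponse().status
        conn.close()
        return status < 500  # a 403 "blocked by policy" still proves the proxy works
    except (OSError, http.client.HTTPException):
        return False
```

A load-balancer or WCCP health check that uses the L7 probe will pull a hung WSA out of rotation; the connect-only probe keeps sending traffic to it.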
