I love HA (High Availability), but only when the price is right. As a Palo Alto Networks customer in a mid-market company, it can get a little expensive. When our company was about half the size it is now, I was rocking a pair of HA PA-500s. Now those won't quite cut it, and I've got a single PA-3020 at HQ and a single PA-3020 in our offsite datacenter rack.
Where's the redundancy? Well, I also have a Cisco 2901 at each location tied to our MPLS, a separate circuit and provider from our DIA. If I lose either box or either circuit, I can fail over to the other VPN tunnel or tunnel Internet through MPLS. So it works well enough for me, as much as I'd love to trade the Cisco 2901s for HA PA-3020s.
I'm currently working on a project to migrate from MPLS to SD-WAN over broadband. Most of our 16 locations are small branches with expensive T1s, so this will be a major improvement with huge cost savings (we are talking about $250k over 3 years). I decided on Meraki MX devices. It was a bit tough. I was sold on Silver Peak for the longest time, but I couldn't justify the extra cost. Plus the Meraki stuff is so ridiculously simple (almost to a fault in some areas) that I think I'll be able to get my team more involved in networking as a result.
So tonight was the night to put in the MX84 at HQ. The trick was to put both firewalls onto the same Internet connection. Eventually we will have another DIA from another provider for circuit redundancy before we kill the MPLS, but for now I need both the AutoVPN and our normal Internet traffic to use the same connection.
If I were setting up HA boxes, this would be simple: I'd just place an edge switch between the Internet handoff and the HA pair. In an HA setup, you would have either a physical switch or a carved-out, isolated VLAN for the circuit to plug into first, then run two cables out of that switch into each HA box. The same thing works for independent firewalls as long as you have multiple static IPs and are handling your core routing on a different box. In my case, I am handling core routing on a Brocade stack.
I have multiple 1-to-1 NATs on my Palo Alto, but I took an available public IP from the block and assigned it statically to the outside interface of my MX84. I then told my core router that to reach any of my AutoVPN networks, the next hop is the MX84's inside address. The routes for the remaining branch networks point to our MPLS router, and our default route (0.0.0.0/0) points to the Palo Alto.
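To make the core router's three-way split concrete, here is a small Python model of that static route table; it is an added illustration, not the author's Brocade configuration, and all addresses are constructed RFC 5737/RFC 1918 values. The floating backup default via the MPLS router is my assumption, mirroring the "tunnel Internet through MPLS" fallback described earlier; the post does not say how that failover is configured.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing (RFC 5737 public block, RFC 1918 private branches).
NEXT_HOPS = {
    "palo_alto": "203.0.113.2",   # PA-3020 inside interface, default gateway
    "mx84": "203.0.113.3",        # MX84 inside interface, AutoVPN branches
    "mpls_2901": "10.255.0.1",    # Cisco 2901, MPLS branches
}

# Static routes on the core router: (prefix, next hop, administrative distance).
STATIC_ROUTES = [
    ("10.10.0.0/16", "mx84", 1),        # branch networks reached over AutoVPN
    ("10.20.0.0/16", "mpls_2901", 1),   # branch networks still on MPLS
    ("0.0.0.0/0", "palo_alto", 1),      # everything else: Internet via the PA
    ("0.0.0.0/0", "mpls_2901", 10),     # ASSUMED floating backup: Internet via MPLS
]


def next_hop(dst, routes=STATIC_ROUTES, down=frozenset()):
    """Pick the next hop for dst: longest prefix wins, then lowest distance.

    Next hops listed in `down` are skipped, which is how the model expresses
    losing the Palo Alto, the MX84, or their circuit.
    """
    addr = ip_address(dst)
    candidates = [
        (ip_network(prefix), nh, dist)
        for prefix, nh, dist in routes
        if nh not in down and addr in ip_network(prefix)
    ]
    if not candidates:
        return None
    _, nh, _ = max(candidates, key=lambda c: (c[0].prefixlen, -c[2]))
    return nh


def overlapping_prefixes(routes=STATIC_ROUTES):
    """Report branch prefixes that overlap but point at different next hops.

    During the MPLS-to-SD-WAN migration this is the mistake to check for: a
    site listed under both the MX84 and the 2901 would silently follow
    whichever prefix is longer, not the one you intended.
    """
    nets = [(ip_network(p), nh) for p, nh, _ in routes if p != "0.0.0.0/0"]
    return [
        (str(a), str(b))
        for i, (a, nh_a) in enumerate(nets)
        for b, nh_b in nets[i + 1:]
        if nh_a != nh_b and a.overlaps(b)
    ]
```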
Done and done. More to come on this project.