
AA(Active/Active) vs AP(Active/Passive) Palo Alto Firewalls

In today’s high-performance enterprise networks, ensuring firewall redundancy and scalability is critical. Palo Alto firewalls offer two high-availability (HA) modes: active/passive (A/P) and active/active (A/A). While A/P is simpler, A/A is gaining traction for complex environments, such as data centers with multiple WAN routers and spine-and-leaf architectures. In this post, I’ll dive into the pros and cons of deploying Palo Alto firewalls in an active/active configuration, focusing on a setup with dual Layer 3 interfaces running OSPF to connect to WAN routers and Ethernet links to a Cisco spine-and-leaf fabric. I’ll also explore why A/A might be the better choice over A/P, especially for reducing reliance on Layer 2 switches, minimizing points of failure, and optimizing costs. Whether you’re a network engineer or an IT decision-maker, this post will help you weigh the trade-offs and design a robust firewall infrastructure.

Understanding Active/Active vs. Active/Passive:

Before we dive in, let’s clarify the two HA modes:

  • Active/Passive (A/P): One firewall actively processes traffic while the other remains in standby, ready to take over during a failover. Configurations and session states are synchronized, ensuring minimal disruption.
  • Active/Active (A/A): Both firewalls process traffic simultaneously, sharing session and routing tables. A/A is designed for environments with complex routing, load sharing, or asymmetric traffic flows, requiring additional HA links (e.g., HA3 for packet forwarding).

Pros of Active/Active Palo Alto Firewalls:

  • Maximized Resource Utilization: Both firewalls process traffic, leveraging the full capacity of the HA pair. In a spine-and-leaf fabric, where east-west traffic can spike, A/A ensures no hardware sits idle.
  • Faster Failover for Active Traffic: Since both firewalls are active, failover for ongoing sessions is often quicker than in A/P, where the passive unit must fully activate. This is critical for maintaining OSPF adjacencies with WAN routers.
  • Asymmetric Routing Support: A/A handles scenarios where traffic egresses through one firewall and returns via another, using the HA3 link to forward packets to the session owner. This is common with multiple WAN routers and ECMP routing.
  • Seamless OSPF Integration: Both firewalls maintain active OSPF neighbor relationships with WAN routers, ensuring continuous routing updates and load sharing without relying on floating IPs or VRRP.
  • Reduced Layer 2 Dependency: By using Layer 3 interfaces to connect directly to WAN routers, A/A eliminates the need for intermediate Layer 2 switches, reducing points of failure, cabling complexity, and patching costs.
  • Scalability for Data Centers: A/A supports high-throughput environments like Cisco spine-and-leaf fabrics, where traffic from leaf switches can be distributed across both firewalls, minimizing bottlenecks.

Cons of Active/Active Palo Alto Firewalls:

  • Configuration Complexity: A/A requires intricate setups, including HA3 links, session owner/setup roles, and synchronized OSPF configurations. Missteps can lead to session drops or routing loops.
  • Potential Session Drops: During failover or when a firewall rejoins, OSPF reconvergence may outpace session synchronization, causing temporary packet loss for stateful applications like VPNs.
  • Higher Resource Overhead: Both firewalls actively process traffic, consuming more CPU and memory than A/P, where the passive unit is idle. This can impact performance in resource-intensive scenarios.
  • No Inherent Load Balancing: A/A doesn’t automatically balance traffic; external mechanisms like ECMP or load balancers are needed, adding complexity to the WAN router setup.
  • Limited Layer 2 Support: A/A is only supported in Layer 3 and virtual wire modes, not Layer 2. If your spine-and-leaf fabric requires VLAN switching, you may need virtual wire interfaces, increasing complexity.
  • Increased Hardware Costs: Dedicated HA3 links and identical firewall specs add to cabling and port expenses compared to A/P, where the passive unit might use lower-spec hardware (though not ideal).

Infrastructure Design:

Deploying firewalls in a network with WAN routers, OSPF, and a Cisco spine-and-leaf fabric requires careful design to ensure reliability and performance:

  1. Minimizing Points of Failure:
    • Layer 2 Switch Reduction: As I’ve emphasized, direct Layer 3 connections to WAN routers via OSPF eliminate Layer 2 switches, reducing risks like Spanning Tree Protocol (STP) issues or switch failures. This simplifies cabling and lowers maintenance costs.
    • WAN Router Redundancy: Ensure WAN routers are redundant and support OSPF failover to maintain adjacencies with both firewalls. A single router failure could disrupt traffic without ECMP or backup routes.
    • Spine-and-Leaf Resilience: The Cisco fabric’s non-blocking design is robust, but aggregate the Ethernet links to the leaf switches (e.g., via LACP) so that a single link failure does not impact firewall connectivity.
  2. OSPF Stability:
    • Configure consistent OSPF timers (e.g., hello/dead intervals) to prevent adjacency flapping during failover. Enable OSPF Graceful Restart to maintain neighbor relationships, ensuring minimal disruption.
    • Both firewalls must advertise consistent routes to avoid instability in the routing table.
  3. Session Synchronization:
    • The HA3 link is critical for forwarding packets in asymmetric routing scenarios. Use high-speed links (e.g., 10Gbps) to handle data center traffic volumes and ensure low latency.
    • Monitor HA3 link health to prevent session drops for applications requiring stateful inspection.
  4. Hardware and Patching Costs:
    • Direct Layer 3 connectivity reduces the need for Layer 2 switches, saving on hardware and patching. However, A/A’s HA3 links and high-speed Ethernet connections to the spine-and-leaf fabric add to cabling costs.
    • Balance these costs against the benefits of simplified infrastructure and fewer failure points.
  5. Failover Performance:
    • A/A offers faster failover for active traffic but requires tuning to avoid session drops when a firewall rejoins. Scripts or manual delays can ensure session synchronization completes before OSPF reconvergence.
  6. Operational Expertise:
    • A/A’s complexity demands skilled engineers familiar with OSPF, HA configurations, and spine-and-leaf architectures. Invest in training or monitoring tools to manage this setup effectively.
  7. Security Policy Consistency:
    • Both firewalls must enforce identical policies to avoid inconsistent traffic handling. Regular audits and automation tools can help maintain alignment.
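One way to automate the policy audit from item 7, as an added example that is not part of this post or of Palo Alto's own tooling: it parses the exported security rulebase of each HA peer and reports rules that are missing on one side, differ in a match field or action, or sit in a different order. The XML layout is an assumption modelled on the security rulebase section of a running-config export, and both sample configs are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed rulebase exports for the two HA peers (sample data, not a real device
# config). The element layout follows the security rulebase section of a Palo Alto
# running-config export (rulebase/security/rules/entry); that shape is an assumption.
PEER_A = """<rulebase><security><rules>
  <entry name="allow-web"><from><member>trust</member></from><to><member>untrust</member></to>
    <source><member>any</member></source><destination><member>any</member></destination>
    <application><member>web-browsing</member><member>ssl</member></application>
    <service><member>application-default</member></service><action>allow</action></entry>
  <entry name="deny-all"><from><member>any</member></from><to><member>any</member></to>
    <source><member>any</member></source><destination><member>any</member></destination>
    <application><member>any</member></application><service><member>any</member></service>
    <action>deny</action></entry>
</rules></security></rulebase>"""

# Peer B has drifted: one application was dropped from allow-web and an
# undocumented rule was inserted ahead of deny-all (constructed drift).
TEMP_RULE = """<entry name="temp-rdp"><from><member>untrust</member></from><to><member>trust</member></to>
    <source><member>any</member></source><destination><member>any</member></destination>
    <application><member>ms-rdp</member></application><service><member>any</member></service>
    <action>allow</action></entry>"""
PEER_B = PEER_A.replace("<member>web-browsing</member>", "").replace(
    '<entry name="deny-all">', TEMP_RULE + '<entry name="deny-all">')

FIELDS = ("from", "to", "source", "destination", "application", "service")

def parse_rules(xml_text):
    """Return {rule name: normalized rule}, preserving rulebase order."""
    root = ET.fromstring(xml_text)
    rules = {}
    for entry in root.iterfind("./security/rules/entry"):
        rule = {f: frozenset(m.text for m in entry.iterfind(f"./{f}/member")) for f in FIELDS}
        rule["action"] = entry.findtext("action")
        rules[entry.get("name")] = rule
    return rules

def policy_drift(xml_a, xml_b):
    """List (rule, reason) findings where the two peers' rulebases disagree."""
    a, b = parse_rules(xml_a), parse_rules(xml_b)
    findings = [(n, "missing on peer B") for n in a.keys() - b.keys()]
    findings += [(n, "missing on peer A") for n in b.keys() - a.keys()]
    for name in a.keys() & b.keys():
        findings += [(name, f"{f} differs") for f in FIELDS + ("action",) if a[name][f] != b[name][f]]
    # Security rules are first-match, so the relative order of shared rules matters too.
    if [n for n in a if n in b] != [n for n in b if n in a]:
        findings.append(("*", "rule order differs"))
    return sorted(findings)
```

Feed it the running-config export pulled from each peer during the audit; an empty result means the rulebases match in content and order.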

Why Choose Active/Active Over Active/Passive?

When the goal is reducing Layer 2 switch involvement and failure points, A/A offers several advantages:

  1. Asymmetric Routing Support: A/A excels in environments with multiple WAN routers and potential asymmetric traffic paths, common in ECMP setups or spine-and-leaf fabrics. A/P struggles with asymmetry, as the passive unit doesn’t process traffic, risking session drops.
  2. Eliminating Layer 2 Switches: Direct Layer 3 interfaces to WAN routers via OSPF reduce reliance on Layer 2 switches, lowering the risk of STP issues, switch failures, or patching errors. This aligns with my goal of minimizing equipment and maintenance costs.
  3. Enhanced Performance: A/A leverages both firewalls to handle high traffic volumes from the Cisco spine-and-leaf fabric, unlike A/P, where the passive unit sits idle, potentially creating bottlenecks.
  4. OSPF Integration: A/A allows both firewalls to maintain active OSPF adjacencies with WAN routers, ensuring seamless routing updates and failover. A/P relies on the active unit, which may delay failover as the passive unit establishes adjacencies.
  5. Fewer Points of Failure: By bypassing Layer 2 switches, A/A reduces infrastructure complexity and potential failure points, enhancing overall reliability.
  6. Scalability for Future Growth: A/A supports advanced use cases like multi-ISP setups or load balancers, making it ideal for evolving data center networks with spine-and-leaf architectures.

However, A/P may still be preferable for simpler networks or where configuration ease and lower resource usage are priorities. The choice depends on your network’s complexity and performance needs.

Additional Perspectives:

  • Cost-Benefit Trade-Offs: While A/A reduces Layer 2 switch costs, its HA3 links and configuration complexity may offset savings. Evaluate hardware and operational costs against the benefits of resilience and performance.
  • Monitoring and Troubleshooting: Use robust tools (e.g., Palo Alto’s HA widget, Cisco’s fabric monitoring) to track OSPF adjacency status, session synchronization, and link health. A/A’s complexity requires proactive monitoring to prevent issues like traffic blackholing.
  • Skill Requirements: A/A demands expertise in OSPF, HA, and spine-and-leaf architectures. Smaller teams may need training or external support to manage this setup.
  • Future-Proofing: A/A aligns with modern trends like software-defined networking (SDN) and multi-cloud connectivity, making it a scalable choice for growing networks.
  • Alternatives: Consider independent firewalls with load balancers (e.g., F5) or Cisco ACI with integrated security policies to simplify HA while maintaining redundancy.

Conclusion:

Deploying Palo Alto firewalls in an active/active configuration offers compelling benefits for complex networks with multiple WAN routers, OSPF, and Cisco spine-and-leaf fabrics. By maximizing resource utilization, supporting asymmetric routing, and reducing Layer 2 switch dependency, A/A enhances performance and reliability while minimizing failure points and maintenance costs. However, its configuration complexity and resource demands require careful planning, robust monitoring, and skilled staff. For high-throughput, dynamic environments, A/A is often the superior choice over A/P, but weigh the trade-offs based on your network’s needs.
