We run redundant solutions for a number of our customers and have always decoupled the routing and firewalling. I can think of one situation where the customer manages the BGP and firewall failover on their firewalls, it doesn't work too well. The issue as I see it is that in the event of a device failure if you only have firewalls you need to keep the firewall session states when failing over to the second device, the BGP sessions will not if in an active passive HA setup whereas user traffic states will. If you run in an active active setup, BGP states will remain up however user traffic states will not always be transferred. If you're only using one firewall then this is not going to be an issue but it depends if the solution you're deploying has only redundant connectivity or redundant equipment as well. My experience is mainly using Juniper routers and firewalls so not able to comment on the Palo Alto platform. Decoupling the two functions gives a much better model from an NSP sales perspective as it means you're able to sell failover with no managed equipment / just managed routers / full solution with routers and firewalls. -- --- Patrick Sumby Network Architect Sohonet On 07/12/2011 17:31, Gregory Croft wrote:
Hi All,
Does anyone have any experience with using firewalls as edge devices when BGP is concerned?
Specifically the Palo Alto series of devices.
If so please contact me off list.
Thank you.
Thank you,
Gregory S. Croft