1 Reply Latest reply on Feb 8, 2019 12:45 PM by vswitchzero

    VM-Series for NSX implementation - High Availability

    rch Lurker

      Hello,

      Per the link below, Palo Alto VM-Series and Panorama integration with NSX implementation doesn't offer high availability.

      VM-Series in High Availability

      So the question is: if the VM-Series appliance on an ESXi host fails/crashes for any reason, what are the options to immediately recover from the failure?

      When I power down the firewall appliance on one of the hosts, the traffic (where that host is source or destination) stops.

      I deleted the firewall appliance and then redeployed it, but the new firewall appliance had a different UUID, so it required registration/licensing.

      Regards

        • 1. Re: VM-Series for NSX implementation - High Availability
          vswitchzero Enthusiast
          vExpert

          Hi rch,

          With 3rd party service appliances, there is the option to 'fail open' in the event of a failure. By default, NSX will drop all traffic if it can't be forwarded to the PAN SVM via the dvfilter slowpath, which is normal in the 'fail closed' configuration. This can happen if the appliance hangs up, crashes or gets powered off for whatever reason. In a 'fail open' scenario, the PAN slowpath is bypassed in the event of a failure. Obviously there can be security considerations here. If L7 filtering is critical, this is probably not an option for you. The DFW (slot-2) filtering will continue to work, but all inspection by the PAN will be bypassed.

           

          Hope this helps.

          My blog: https://vswitchzero.com
          Follow me on Twitter: @vswitchzero