Palo Alto Notes

 

Asymmetric routing

One thing to keep in mind about Palo Alto firewalls is that they match sessions on zone, not on interface. If you have two interfaces in the same zone, the traffic still matches the session and is not dropped. You can have multiple paths, send traffic on Path-A, receive it on Path-B, and have no issues routing traffic, as long as the Palo Alto firewall is sending and/or receiving in the same zone.

https://cordero.me/palo-alto-and-asymmetric-routing/
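
The zone-based match described above, as an added example (a simplified model written for these notes, not PAN-OS code). The interface names, zone names and addresses are constructed, and the `interface` mode exists only to contrast with a firewall that keys its state table on the physical interface.

```python
from dataclasses import dataclass

# Constructed interface-to-zone mapping: two uplinks share the "untrust" zone.
ZONE_OF = {
    "ethernet1/1": "trust",
    "ethernet1/2": "untrust",  # Path-A
    "ethernet1/3": "untrust",  # Path-B, same zone as Path-A
    "ethernet1/4": "dmz",      # a path that lands in a different zone
}

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    ingress_if: str

class SessionTable:
    """Toy state table keyed on the 5-tuple plus either zone or interface."""

    def __init__(self, key_on="zone"):
        self.key_on = key_on
        self.sessions = set()

    def _where(self, interface):
        # Zone mode collapses every interface in a zone to one key component.
        return ZONE_OF[interface] if self.key_on == "zone" else interface

    def create(self, pkt, egress_if):
        # Store the return-direction key: the reply is expected where the first packet left.
        self.sessions.add((pkt.dst, pkt.src, pkt.dport, pkt.sport,
                           pkt.proto, self._where(egress_if)))

    def check_reply(self, pkt):
        key = (pkt.src, pkt.dst, pkt.sport, pkt.dport,
               pkt.proto, self._where(pkt.ingress_if))
        # "no-match" means the packet is out of state for this table.
        return "match" if key in self.sessions else "no-match"

def reply_verdict(key_on, reply_if):
    """Send a flow out Path-A, then test a reply arriving on reply_if."""
    table = SessionTable(key_on)
    first = Packet("10.0.0.5", "203.0.113.10", 40000, 443, "tcp", "ethernet1/1")
    table.create(first, egress_if="ethernet1/2")
    reply = Packet("203.0.113.10", "10.0.0.5", 443, 40000, "tcp", reply_if)
    return table.check_reply(reply)
```

Calling `reply_verdict("zone", "ethernet1/3")` models the Path-A/Path-B case from the paragraph; swapping in `"ethernet1/4"` shows why an asymmetric return path that crosses zones no longer matches the session.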


BFD

The firewall supports Bidirectional Forwarding Detection (BFD) (RFC 5880), a protocol that recognizes a failure in the bidirectional path between two routing peers. BFD failure detection is extremely fast, providing for a faster failover than can be achieved by link monitoring or frequent dynamic routing health checks, such as Hello packets or heartbeats. Mission-critical data centers and networks that require high availability and extremely fast failover need the extremely fast failure detection that BFD provides.

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/bfd


