<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Can Palo notice and react to a flapping Internet link? in Next-Generation Firewall Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/can-palo-notice-and-react-to-a-flapping-internet-link/m-p/575342#M2554</link>
    <description>&lt;P&gt;Hi All,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;We have a simple setup, where the firewall is connected over a physical interface to an L2 switch, while the L2 switch is connected to 2 CPEs of different ISPs. Obviously, the next hop for our firewall going out is an interface of the CPE. We are tracking default routes for both ISPs using the route monitoring feature.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Unfortunately, that does not seem to cover a situation when you have a flapping Internet link between the L2 switch and any of the CPEs. Yes, you can go aggressive, add that CPE address in default route monitoring and have pings sent every second, so at the minimum if for 3 seconds there's no response - it will remove the default route, but such a thing also increases the possibility of false-positives as we also monitor some external destinations.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Is there any more elegant way of catching a flapping Internet link?&lt;/P&gt;</description>
    <pubDate>Thu, 01 Feb 2024 14:59:13 GMT</pubDate>
    <dc:creator>Andreikin</dc:creator>
    <dc:date>2024-02-01T14:59:13Z</dc:date>
    <item>
      <title>Can Palo notice and react to a flapping Internet link?</title>
      <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/can-palo-notice-and-react-to-a-flapping-internet-link/m-p/575342#M2554</link>
      <description>&lt;P&gt;Hi All,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;We have a simple setup, where the firewall is connected over a physical interface to an L2 switch, while the L2 switch is connected to 2 CPEs of different ISPs. Obviously, the next hop for our firewall going out is an interface of the CPE. We are tracking default routes for both ISPs using the route monitoring feature.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Unfortunately, that does not seem to cover a situation when you have a flapping Internet link between the L2 switch and any of the CPEs. Yes, you can go aggressive, add that CPE address in default route monitoring and have pings sent every second, so at the minimum if for 3 seconds there's no response - it will remove the default route, but such a thing also increases the possibility of false-positives as we also monitor some external destinations.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Is there any more elegant way of catching a flapping Internet link?&lt;/P&gt;</description>
      <pubDate>Thu, 01 Feb 2024 14:59:13 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/next-generation-firewall/can-palo-notice-and-react-to-a-flapping-internet-link/m-p/575342#M2554</guid>
      <dc:creator>Andreikin</dc:creator>
      <dc:date>2024-02-01T14:59:13Z</dc:date>
    </item>
    <item>
      <title>Re: Can Palo notice and react to a flapping Internet link?</title>
      <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/can-palo-notice-and-react-to-a-flapping-internet-link/m-p/575503#M2564</link>
      <description>&lt;P&gt;If this helps: if you set up a path monitor in your VR, the path will always be sourced from the source IP you configure, so if you use both ISPs to monitor the same destination and one ISP goes down, only one probe will fail.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;If the remote IP goes down, you do get a false negative (which can be fixed by setting a different destination IP or something that's been set up redundantly).&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;If one ISP is very prone to extended periods of flapping, you could create an HA path monitor that fails over when such a case is detected, and only connect the reliable ISP to the second firewall.&lt;/P&gt;</description>
      <pubDate>Fri, 02 Feb 2024 13:21:55 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/next-generation-firewall/can-palo-notice-and-react-to-a-flapping-internet-link/m-p/575503#M2564</guid>
      <dc:creator>reaper</dc:creator>
      <dc:date>2024-02-02T13:21:55Z</dc:date>
    </item>
  </channel>
</rss>

