https://live.paloaltonetworks.com/t5/next-generation-firewall/isp-failover-with-dual-dynamic-public-ips/m-p/519398#M517 <P>Hello,</P> <P>&nbsp;</P> <P>I have two ISPs with Dynamic Public IPs.&nbsp; Is there a way to setup ISP failover?</P> <P>&nbsp;</P> <P>Thanks,</P> <P>Bill</P> Thu, 27 Oct 2022 14:31:43 GMT Bill-Jerome 2022-10-27T14:31:43Z https://live.paloaltonetworks.com/t5/next-generation-firewall/isp-failover-with-dual-dynamic-public-ips/m-p/519398#M517 <P>Hello,</P> <P>&nbsp;</P> <P>I have two ISPs with Dynamic Public IPs.&nbsp; Is there a way to setup ISP failover?</P> <P>&nbsp;</P> <P>Thanks,</P> <P>Bill</P> Thu, 27 Oct 2022 14:31:43 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/isp-failover-with-dual-dynamic-public-ips/m-p/519398#M517 Bill-Jerome 2022-10-27T14:31:43Z https://live.paloaltonetworks.com/t5/next-generation-firewall/isp-failover-with-dual-dynamic-public-ips/m-p/519489#M519 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/136352">@Bill-Jerome</a> ,</P> <P>&nbsp;</P> <P>Great question.&nbsp; I don't think it can be done with 1 NGFW because both static route path monitoring and PBF require a next hop to be configured.&nbsp; As I understand your scenario, your default routes are learned dynamically.&nbsp; However, with 2 NGFWs, you could enable Path Monitoring with 1 ISP on each NGFW.&nbsp; If you wanted to load balance between the two, it can be done but would be complicated.&nbsp; Primary/Standby would be the easiest scenario.</P> <P>&nbsp;</P> <P>It is very important that you use multiple Internet IP addresses and set your Failure Condition to all so that if one Internet server goes down you do not fail over.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> <P>&nbsp;</P> <P>Edit:&nbsp; How often do your IP addresses change?&nbsp; You could do it with 1 NGFW and update your next hops whenever the IP address changes.</P> <P><BR /><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PLL8CAO" target="_blank" rel="noopener">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PLL8CAO</A></P> <P>&nbsp;</P> <P><A href="https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/policy/policy-based-forwarding/use-case-pbf-for-outbound-access-with-dual-isps" target="_blank" rel="noopener">https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/policy/policy-based-forwarding/use-case-pbf-for-outbound-access-with-dual-isps</A></P> <P>&nbsp;</P> <P><A href="https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-web-interface-help/device/device-high-availability/ha-link-and-path-monitoring" target="_blank" rel="noopener">https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-web-interface-help/device/device-high-availability/ha-link-and-path-monitoring</A></P> <P>&nbsp;</P> <P>&nbsp;</P> Fri, 28 Oct 2022 01:36:04 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/isp-failover-with-dual-dynamic-public-ips/m-p/519489#M519 TomYoung 2022-10-28T01:36:04Z https://live.paloaltonetworks.com/t5/next-generation-firewall/isp-failover-with-dual-dynamic-public-ips/m-p/519492#M520 <P>Thanks for the feedback.&nbsp; I was thinking about the next hop option too but was hoping for a way to use a FQDN for the next hop but that seem like wishful thinking.&nbsp; <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>&nbsp;</P> <P>Thanks,</P> <P>Bill</P> Fri, 28 Oct 2022 03:29:40 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/isp-failover-with-dual-dynamic-public-ips/m-p/519492#M520 Bill-Jerome 2022-10-28T03:29:40Z