topic Request Advice – BGP Failover Route-Based IPsec VPN With WatchGuard (WG) in Next-Generation Firewall Discussions https://live.paloaltonetworks.com/t5/next-generation-firewall/request-advice-bgp-failover-route-based-ipsec-vpn-with/m-p/1242101#M6466 <P data-start="421" data-end="433">Hi Everyone,</P> <P data-start="435" data-end="727">I’m looking for guidance on the best-practice way to set up <STRONG data-start="495" data-end="542">redundant route-based VPN tunnels using BGP</STRONG> between a <STRONG data-start="553" data-end="583">Palo Alto firewall (PA-VM)</STRONG> and a <STRONG data-start="590" data-end="613">WatchGuard firewall</STRONG>. The goal is to implement <STRONG data-start="640" data-end="670">primary/secondary failover</STRONG> with dynamic routing instead of static proxy-ID tunnels.</P> <H3 data-start="729" data-end="751"><STRONG data-start="733" data-end="751">&nbsp;Environment</STRONG></H3> <UL data-start="752" data-end="1348"> <LI data-start="752" data-end="792"> <P data-start="754" data-end="792"><STRONG data-start="754" data-end="768">Palo Alto:</STRONG> PAN-OS 10.x VM-Series</P> </LI> <LI data-start="793" data-end="844"> <P data-start="795" data-end="844"><STRONG data-start="795" data-end="810">WatchGuard:</STRONG> Firebox running latest firmware</P> </LI> <LI data-start="845" data-end="1102"> <P data-start="847" data-end="862"><STRONG data-start="847" data-end="860">Topology:</STRONG></P> <UL data-start="865" data-end="1102"> <LI data-start="865" data-end="908"> <P data-start="867" data-end="908">Two IPsec tunnels (Primary + Secondary)</P> </LI> <LI data-start="911" data-end="970"> <P data-start="913" data-end="970">Each terminates on different external IPs on both sides</P> </LI> <LI data-start="973" data-end="1037"> <P data-start="975" data-end="1037">Using <STRONG data-start="981" data-end="1000">Route-Based VPN</STRONG> on Palo Alto (tunnel.x interfaces)</P> </LI> <LI data-start="1040" data-end="1102"> <P data-start="1042" data-end="1102">Using <STRONG data-start="1048" data-end="1086">Tunnel Interfaces / VTI-equivalent</STRONG> on WatchGuard</P> </LI> </UL> </LI> <LI data-start="1103" data-end="1348"> <P data-start="1105" data-end="1116"><STRONG data-start="1105" data-end="1114">Goal:</STRONG></P> <UL data-start="1119" data-end="1348"> <LI data-start="1119" data-end="1153"> <P data-start="1121" data-end="1153">Run <STRONG data-start="1125" data-end="1132">BGP</STRONG> between PA &lt;--&gt; WG</P> </LI> <LI data-start="1156" data-end="1237"> <P data-start="1158" data-end="1237">Advertise internal subnets&nbsp;</P> </LI> <LI data-start="1240" data-end="1301"> <P data-start="1242" data-end="1301">Achieve seamless failover when one IPsec tunnel goes down</P> </LI> <LI data-start="1304" data-end="1348"> <P data-start="1306" data-end="1348">Avoid static proxy IDs and manual failover</P> </LI> </UL> </LI> </UL> <H3 data-start="1350" data-end="1375"><STRONG data-start="1354" data-end="1375">Current Status</STRONG></H3> <UL data-start="1376" data-end="1618"> <LI data-start="1376" data-end="1458"> <P data-start="1378" data-end="1458">I can bring up an IPsec SA on each tunnel individually using static proxy IDs.</P> </LI> <LI data-start="1459" data-end="1516"> <P data-start="1461" data-end="1516">Route-based tunnel (without proxy IDs) also comes up.</P> </LI> <LI data-start="1517" data-end="1618"> <P data-start="1519" data-end="1618">However, traffic flow between the subnets is inconsistent unless proxy IDs are manually configured.<BR /><BR />Please advise if you have any specific article to configure this setup on PA VM and Watchguard Model M670</P> </LI> </UL> <HR data-start="3495" data-end="3498" /> <P data-start="3500" data-end="3634">Thanks in advance for any guidance. I want to ensure this design is implemented cleanly and follows best</P> Tue, 18 Nov 2025 22:23:31 GMT PATECHENG 2025-11-18T22:23:31Z Request Advice – BGP Failover Route-Based IPsec VPN With WatchGuard (WG) https://live.paloaltonetworks.com/t5/next-generation-firewall/request-advice-bgp-failover-route-based-ipsec-vpn-with/m-p/1242101#M6466 <P data-start="421" data-end="433">Hi Everyone,</P> <P data-start="435" data-end="727">I’m looking for guidance on the best-practice way to set up <STRONG data-start="495" data-end="542">redundant route-based VPN tunnels using BGP</STRONG> between a <STRONG data-start="553" data-end="583">Palo Alto firewall (PA-VM)</STRONG> and a <STRONG data-start="590" data-end="613">WatchGuard firewall</STRONG>. The goal is to implement <STRONG data-start="640" data-end="670">primary/secondary failover</STRONG> with dynamic routing instead of static proxy-ID tunnels.</P> <H3 data-start="729" data-end="751"><STRONG data-start="733" data-end="751">&nbsp;Environment</STRONG></H3> <UL data-start="752" data-end="1348"> <LI data-start="752" data-end="792"> <P data-start="754" data-end="792"><STRONG data-start="754" data-end="768">Palo Alto:</STRONG> PAN-OS 10.x VM-Series</P> </LI> <LI data-start="793" data-end="844"> <P data-start="795" data-end="844"><STRONG data-start="795" data-end="810">WatchGuard:</STRONG> Firebox running latest firmware</P> </LI> <LI data-start="845" data-end="1102"> <P data-start="847" data-end="862"><STRONG data-start="847" data-end="860">Topology:</STRONG></P> <UL data-start="865" data-end="1102"> <LI data-start="865" data-end="908"> <P data-start="867" data-end="908">Two IPsec tunnels (Primary + Secondary)</P> </LI> <LI data-start="911" data-end="970"> <P data-start="913" data-end="970">Each terminates on different external IPs on both sides</P> </LI> <LI data-start="973" data-end="1037"> <P data-start="975" data-end="1037">Using <STRONG data-start="981" data-end="1000">Route-Based VPN</STRONG> on Palo Alto (tunnel.x interfaces)</P> </LI> <LI data-start="1040" data-end="1102"> <P data-start="1042" data-end="1102">Using <STRONG data-start="1048" data-end="1086">Tunnel Interfaces / VTI-equivalent</STRONG> on WatchGuard</P> </LI> </UL> </LI> <LI data-start="1103" data-end="1348"> <P data-start="1105" data-end="1116"><STRONG data-start="1105" data-end="1114">Goal:</STRONG></P> <UL data-start="1119" data-end="1348"> <LI data-start="1119" data-end="1153"> <P data-start="1121" data-end="1153">Run <STRONG data-start="1125" data-end="1132">BGP</STRONG> between PA &lt;--&gt; WG</P> </LI> <LI data-start="1156" data-end="1237"> <P data-start="1158" data-end="1237">Advertise internal subnets&nbsp;</P> </LI> <LI data-start="1240" data-end="1301"> <P data-start="1242" data-end="1301">Achieve seamless failover when one IPsec tunnel goes down</P> </LI> <LI data-start="1304" data-end="1348"> <P data-start="1306" data-end="1348">Avoid static proxy IDs and manual failover</P> </LI> </UL> </LI> </UL> <H3 data-start="1350" data-end="1375"><STRONG data-start="1354" data-end="1375">Current Status</STRONG></H3> <UL data-start="1376" data-end="1618"> <LI data-start="1376" data-end="1458"> <P data-start="1378" data-end="1458">I can bring up an IPsec SA on each tunnel individually using static proxy IDs.</P> </LI> <LI data-start="1459" data-end="1516"> <P data-start="1461" data-end="1516">Route-based tunnel (without proxy IDs) also comes up.</P> </LI> <LI data-start="1517" data-end="1618"> <P data-start="1519" data-end="1618">However, traffic flow between the subnets is inconsistent unless proxy IDs are manually configured.<BR /><BR />Please advise if you have any specific article to configure this setup on PA VM and Watchguard Model M670</P> </LI> </UL> <HR data-start="3495" data-end="3498" /> <P data-start="3500" data-end="3634">Thanks in advance for any guidance. I want to ensure this design is implemented cleanly and follows best</P> Tue, 18 Nov 2025 22:23:31 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/request-advice-bgp-failover-route-based-ipsec-vpn-with/m-p/1242101#M6466 PATECHENG 2025-11-18T22:23:31Z