https://live.paloaltonetworks.com/t5/general-topics/daul-isp-and-specific-isp-routing/m-p/487480#M104720 <P>Good Afternoon All</P><P>&nbsp;</P><P>I have read the various methods for Dual ISP configuration and they make sense. I could not find one last detail and I was hoping someone here could help.</P><P>&nbsp;</P><P>Desired Configuration:</P><P>&nbsp;</P><P>ISP 1 = Active for outbound traffic during normal operations.</P><P>ISP 2 = Inactive</P><P>1 Client IP on the internet network to have its traffic routed out via ISP 2</P><P>&nbsp;</P><P>Basically the IP phone system needs to use ISP 2 all the time, but we need all other client to use ISP1 unless ISP is down.</P><P>&nbsp;</P><P>Hope this makes sense.</P><P>Thanks</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 16 May 2022 15:27:55 GMT Mort2k 2022-05-16T15:27:55Z https://live.paloaltonetworks.com/t5/general-topics/daul-isp-and-specific-isp-routing/m-p/487480#M104720 <P>Good Afternoon All</P><P>&nbsp;</P><P>I have read the various methods for Dual ISP configuration and they make sense. I could not find one last detail and I was hoping someone here could help.</P><P>&nbsp;</P><P>Desired Configuration:</P><P>&nbsp;</P><P>ISP 1 = Active for outbound traffic during normal operations.</P><P>ISP 2 = Inactive</P><P>1 Client IP on the internet network to have its traffic routed out via ISP 2</P><P>&nbsp;</P><P>Basically the IP phone system needs to use ISP 2 all the time, but we need all other client to use ISP1 unless ISP is down.</P><P>&nbsp;</P><P>Hope this makes sense.</P><P>Thanks</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 16 May 2022 15:27:55 GMT https://live.paloaltonetworks.com/t5/general-topics/daul-isp-and-specific-isp-routing/m-p/487480#M104720 Mort2k 2022-05-16T15:27:55Z https://live.paloaltonetworks.com/t5/general-topics/daul-isp-and-specific-isp-routing/m-p/487527#M104724 <P>Hey <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/219890">@Mort2k</a> ,</P> <P>Probably couple of ways to achieve what you want, but here is what I will do if I were you:</P> <P>- Create to separate virtual-routers (VRs), one for each ISP</P> <P>- Create default route for each VR to respective ISP with enabled path monitor for each route</P> <P>- If possible directly connect the IP phone VLAN to the firewall and assign it to the second VR, so both ISP2 and IP phone VLAN to be in the same VR.</P> <P>- Create source NAT rules to translate IP phones traffic to public IP from ISP2 and all other traffic with public IP from ISP1</P> <P>-------</P> <P>At this point you should have internet access for IP phone system from ISP2 and internet access for all other systems over ISP1</P> <P>&nbsp;</P> <P>- Create second default route for each VR pointing to "next-vr" with metric higher than the primary default route</P> <P>- Create NAT rules for IP phone system to translate source with address from ISP1 and all other systems with address from ISP2</P> <P>(Note: if you use same security zone for both ISPs, you should use "destination interface" in addition to destination zone, when defining the NAT rules. If you use different zone, you don't have to define dest interface)</P> <P>----</P> <P>Above should allow you to automatically failover any service to backup ISP provider if there are any issues with primary ISP (path monitor will disable the preferable route to ISP and FW will use the next-vr and use the ISP from the other VR as backup internet access.</P> <P>&nbsp;</P> <P>&nbsp;</P> Mon, 16 May 2022 19:22:44 GMT https://live.paloaltonetworks.com/t5/general-topics/daul-isp-and-specific-isp-routing/m-p/487527#M104724 aleksandar.astardzhiev 2022-05-16T19:22:44Z