DUAL ISP and PFB with single or multiple Virtual Routers

FreddyC — Tue, 31 May 2022 20:20:27 GMT

Hello Palo Alto Community! I am reaching out because I am stuck and a bit confused about what I've seen online when it comes to configuring dual ISP and PFB (which that part I understand) but when configuring the Virtual Routers section. Some only create a single VR with both ISP and their next hops and others create their ISP each VRs and then there is a return internal network and their next hop is a VR. Here's what I have done so far:

We have two ISPs (Comcast & AT&T) and would like for both of these ISP links to be routing traffic. I have read and reviewed a few Palo Alto-supported documentation & blogs from other sites. I've configured a few things on our firewall but I am not 100% clear on a few configurations that I have done to make sure it will work properly before going live.

Here's what I've done so far:

• Interfaces:
o Eth. 1/1 (native VLAN) and along subinterfaces for LAN
o Eth. 1/10 for AT&T ISP Link
o Eth. 1/12 for Comcast ISP Link

• Zones:
o Created ISP_ATT & assigned Eth 1/9 to it
o Created ISP_Comcast & have not assigned eth 1/12 yet
o Created Trust for LAN networks
o Created Azure-S2S with Tunnel.1 & .2 (for failover)

• Created two virtual routers one for each ISP link:
o Primary-ISP-Comcast (will have ethernet 1/12 assigned)
o Secondary-ISP-ATT
 Eth 1/9 is for AT&T ISP/Link
 Eth 1/10 is for PC connected directly
 Tunnnel.2 for Asure S2S VPN (as a backup route)

o For Statis Routes for Primary-ISP-Comcast, do I create just Comcast’s network with its next-hop IP (which is already created)? And what about the other internal networks? Do I need to create for each internal/LAN network a route to point to the next VR, which in this case is AT&T ISP or Comcast?

o For the static routes for Secondary-ISP-ATT, besides configuring AT&T's next-hop IP address, what else would I need to do?

• Also, for the static route in IPv4, do I need to enable “Path Monitoring”?
• Finally, the PBF, is my understanding is that in the “Forwarding” tab, I need to enter Comcast’s IP address and monitor it as well so that if it fails, all traffic is routed out of the AT&T ISP link, right?

Thank you all!

#dualisp #PFB #virtualrouters #staticRoutes

Re: DUAL ISP and PFB with single or multiple Virtual Routers

reaper — Thu, 09 Jun 2022 09:03:57 GMT

the design depends on what you need

if you simply want to double your bandwidth while providing redundancy, you can simply put everything on one VR and enable ECMP on both ISP links

it gets a little more difficult once you start hosting services or need to set up redundant ipsec tunnels on both ISPs

for hosted internal services you can keep using ECMP but you will need to create PBF rules that enable symmetric return, for fully redundant ipsec tunnels you'll want the multi-VR setup so the VPN traffic is more easily controlled

lastly if you want to control which traffic is sent over each ISP, you can also use single VR with PBF rules sending trqffic to the appropriate ISP

topic DUAL ISP and PFB with single or multiple Virtual Routers in General Topics

DUAL ISP and PFB with single or multiple Virtual Routers

Re: DUAL ISP and PFB with single or multiple Virtual Routers