https://live.paloaltonetworks.com/t5/general-topics/ecmp-interface-zone-and-security-policy-question/m-p/576572#M115709 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/1308488747">@Songphon-Gzy</a>&nbsp;</P> <P>if you're looking for the tunnel failover, you can use monitoring profile to failover traffic to the backup tunnel interface.</P> <P>There are two ways to configure it -</P> <P>1. Use of monitor profile and attach it to IPSEC tunnel</P> <P>2. Use of monitoring on static routes. In this case, you will have two routes to same tunnel destinations with different metric. Primary route will have monitoring enabled. If monitor fails, primary route will be removed from forwarding table and secondary route will be used.</P> <P>&nbsp;</P> <P>In both cases, you need to monitor the one of the server for ICMP requests. If response to that server fails, monitoring will be down, and required actions will be in place.</P> <P>&nbsp;</P> <P>Below reference articles will give you more idea about this.</P> <P>&nbsp;</P> <P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000POO0CAO" target="_blank">Dual ISP VPN site to site Tunnel Failover with Static Route Pat... - Knowledge Base - Palo Alto Networks</A></P> <P><A href="https://docs.paloaltonetworks.com/network-security/ipsec-vpn/administration/set-up-tunnel-monitoring/define-a-tunnel-monitoring-profile" target="_blank">Define a Tunnel Monitoring Profile (paloaltonetworks.com)</A></P> <P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFiCAK" target="_blank">How to Configure a Palo Alto Networks Firewall with Dual ISPs a... - Knowledge Base - Palo Alto Networks</A></P> <P>&nbsp;</P> <P>Hope it helps!</P> Thu, 08 Feb 2024 07:34:38 GMT SutareMayur 2024-02-08T07:34:38Z https://live.paloaltonetworks.com/t5/general-topics/ecmp-interface-zone-and-security-policy-question/m-p/576570#M115708 <P>Hi guys</P> <P>I am quite new to Palo Alto NGFW. We have on-prem PA-32xx on 11.0.3.</P> <P>I am having trouble with static route ECMP for redundant IPSEC tunnels to AWS.</P> <P>Previous guy configure both tunnel in different zone (lets say AWS1 zone and AWS2 zone) and then configure bunch of PBFs.</P> <P>Then when the return path is changed, traffic will get dropped and I need to change PBF to another tunnel instead.</P> <P><STRONG>Are there anyway to made ECMP work with security policy? (or how to make both tunnels work in this scenario without manual with PBF)<BR /></STRONG></P> <P>I am thinking of putting 2 tunnel interfaces into same zone. I don't know if that is enough or another configure is needed.</P> <P>I try to search for guide but so far mostly talking about networking aspect, not the policy and zone stuff.</P> Thu, 08 Feb 2024 07:07:41 GMT https://live.paloaltonetworks.com/t5/general-topics/ecmp-interface-zone-and-security-policy-question/m-p/576570#M115708 Songphon-Gzy 2024-02-08T07:07:41Z https://live.paloaltonetworks.com/t5/general-topics/ecmp-interface-zone-and-security-policy-question/m-p/576572#M115709 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/1308488747">@Songphon-Gzy</a>&nbsp;</P> <P>if you're looking for the tunnel failover, you can use monitoring profile to failover traffic to the backup tunnel interface.</P> <P>There are two ways to configure it -</P> <P>1. Use of monitor profile and attach it to IPSEC tunnel</P> <P>2. Use of monitoring on static routes. In this case, you will have two routes to same tunnel destinations with different metric. Primary route will have monitoring enabled. If monitor fails, primary route will be removed from forwarding table and secondary route will be used.</P> <P>&nbsp;</P> <P>In both cases, you need to monitor the one of the server for ICMP requests. If response to that server fails, monitoring will be down, and required actions will be in place.</P> <P>&nbsp;</P> <P>Below reference articles will give you more idea about this.</P> <P>&nbsp;</P> <P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000POO0CAO" target="_blank">Dual ISP VPN site to site Tunnel Failover with Static Route Pat... - Knowledge Base - Palo Alto Networks</A></P> <P><A href="https://docs.paloaltonetworks.com/network-security/ipsec-vpn/administration/set-up-tunnel-monitoring/define-a-tunnel-monitoring-profile" target="_blank">Define a Tunnel Monitoring Profile (paloaltonetworks.com)</A></P> <P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFiCAK" target="_blank">How to Configure a Palo Alto Networks Firewall with Dual ISPs a... - Knowledge Base - Palo Alto Networks</A></P> <P>&nbsp;</P> <P>Hope it helps!</P> Thu, 08 Feb 2024 07:34:38 GMT https://live.paloaltonetworks.com/t5/general-topics/ecmp-interface-zone-and-security-policy-question/m-p/576572#M115709 SutareMayur 2024-02-08T07:34:38Z https://live.paloaltonetworks.com/t5/general-topics/ecmp-interface-zone-and-security-policy-question/m-p/576691#M115738 <P>Hello,</P> <P>For your policy based routing, make sure the Monitor is enabled as well as Enforce Symmetric return. The for the secondary tunnel, just add a static route in the virtual router. The Policy base forward rules take effect prior to the virtual router so the policy when enabled will always be preferred. If it goes down due to the monitor, the PAN will disable the policy and the static route takes over.</P> <P>Regards,</P> Thu, 08 Feb 2024 21:12:53 GMT https://live.paloaltonetworks.com/t5/general-topics/ecmp-interface-zone-and-security-policy-question/m-p/576691#M115738 OtakarKlier 2024-02-08T21:12:53Z