topic Re: How to configure PaloAlto to Fail-over to another ISP on a remote location in General Topics

How to configure PaloAlto to Fail-over to another ISP on a remote location

ErwinBuena — Mon, 14 Jul 2014 05:41:36 GMT

I'm new in using PaloAlto Firewall. We have to sites that have it's own dedicated ISP connections and I've been task to configure the PAN firewall to route the Internet connections to another ISP if the main internet connections encounter a connectivity problem.

HQ1 RT1-------PAN FW--------Internet RTR------------------ISP1

| -> Connections between HQ1 and HQ2 is via internal MPLS and they're on different location

HQ2 RT2-------PAN FW--------Internet RTR------------------ISP2

Is it possible to configure VPN Tunnel between the two PA FW and used PBF?

Any feedback are highly appreciated

Cheers,

Erwin

Re: How to configure PaloAlto to Fail-over to another ISP on a remote location

kadak — Mon, 14 Jul 2014 13:37:35 GMT

Hello Erwin,

Here is the document that explains how to configure PAN for dual ISP failovers:

Dual ISP Branch Office Configuration

In short, you would:

1. Configure a PBF policy on PAN FW in HQ1, to route Internet traffic via ISP1 and enable monitoring in PBF.

2. Configure an IPSEC tunnel between PAN FW1 and PAN FW2

3. Configure a static route in the routing table of PAN FW in HQ1 to route Internet traffic using tunnel as an exiting interface.

Hope that helps!

Thanks and regards,

Kunal Adak

Re: How to configure PaloAlto to Fail-over to another ISP on a remote location

HULK — Mon, 14 Jul 2014 16:56:01 GMT

Hello ErwinBuena,

Few related doc as mentioned below, it may help you ( configuration steps) in this scenario.

Configuring Policy Based Forwarding (PBF)

Setup

How to Configure Dual ISP Network with GlobalProtect VPN using 1 Virtual Router and Policy Based Forwarding

Thanks

Re: How to configure PaloAlto to Fail-over to another ISP on a remote location

pulukas — Mon, 14 Jul 2014 21:31:01 GMT

If I understand correctly, you want to use ISP1 from HQ2 if ISP2 fails. And use ISP2 from HQ1 if ISP1 fails.

If that is correct, then you do not need vpn in the mix at all.

You would follow the Dual ISP branch instructions on both PA.

The PBF primary is your local ISP.
The new lower priority default route would be your MPLS router.
You would also need to check your internet nat rule at both sites:
PA at HQ1 would need a nat rule to the internet covering HQ2 private addresses
PA at HQ2 would need a nat rule to the internet covering HQ1 private addresses

Dual ISP Branch Office Configuration

Re: How to configure PaloAlto to Fail-over to another ISP on a remote location

ErwinBuena — Mon, 14 Jul 2014 23:37:03 GMT

Hi Steven

Configuration would be more complicated if I do the fail over functionality on HQ RTR that will look like this.

For each sites (HQ1/2 RTR) it has a default static route towards PAN Internet Firewall. Using PBF to revert the default static on PAN and back to HQ RTR would be an issue. Do you have any recommendation to address this issue?
Other solution that I'm thinking is to use IP SLA on HQ Router to track Internet Edge connections and then let the routes dynamically learned the routes since those default static routes has been re-distributed to MPLS routing table to fail-over to another ISP. I'm hesitant to this since it will require more work as compared to building up VPN tunnel between the two PAN router.
In terms of the NAT rules, it covers the private IP address for each sites. Each sites has it's own public IP address for NAT translation for each of the system for inbound traffic

Thanks to Kadak and Hulk for your update as well.

Cheers,

Erwin

Re: How to configure PaloAlto to Fail-over to another ISP on a remote location

pulukas — Tue, 15 Jul 2014 01:38:26 GMT

I see the issue where the dualing default routes would cause in my original scenario.

In a vpn between the PA the following would occur. This may not be any simpler than your MPLS fail-over solution.

The vpn would build on the internal interfaces since the ISP for one side is down.
The ingress of traffic will be on the same interface as the vpn gateway. I don't know if that will work or not. Typically we see ingress on one interface and gateway on another. This would need to be lab tested.
The PA default route for the down ISP goes into the tunnel
This could potentially still use the technique previously mentioned with PBR and a default route to the tunnel interface.
On the PA with good ISP - return traffic to the other site needs to go into the vpn instead of the MPLS or the tunnel will be asymmetrical and fail
This gets trickier to work out. The current MPLS path will be available when this occurs and must be available to build the tunnel. So we cannot use the PBR method to switch.
Another option might be to nat the outbound source when sending into the tunnel so the tunnel traffic has a unique return address not routed on the MPLS. You would then just need one for each side.
NAT for internet access
Once the traffic travels the tunnel from dead site to live site. You will need a nat rule on the live site to public nat the traffic from the tunnel going out to the internet as these source addresses won't be covered in the current configuration.

Re: How to configure PaloAlto to Fail-over to another ISP on a remote location

ErwinBuena — Tue, 15 Jul 2014 02:18:15 GMT

Hi Steven,

See my update below

The vpn would build on the internal interfaces since the ISP for one side is down.
- You’re correct, I’m planning to build the tunnel via the Internal Interface on PAN Firewall
The PA default route for the down ISP goes into the tunnel
- I’m planning to used PBF together with the built-in monitor to track the site ISP connections and once it is down, default route will be routed to VPN Tunnel. Do I need to create two PBF for this scenario?
On the PA with good ISP - return traffic to the other site needs to go into the vpn instead of the MPLS or the tunnel will be asymmetrical and fail
- If I enable “Enforce Symmetric Return in PFB Rule? Does it reduce the complexity that you mention?
NAT for internet access
- Yes, I’ll do dynamic NAT translation for all traffic coming out of the VPN tunnel. Possible issue that I’m anticipating are the NAT translation for the public IP’s owned by ISP that having an issue. Any thoughts on this?

It’s looks like it’s getting complicated than the original plan that I thought. Do you think it make since to do it this way or I need to look at another solutions.

Your feedback are highly appreciated and help me a lot to think out of the box for the solution that I’m planning.

Cheers,

Erwin

Re: How to configure PaloAlto to Fail-over to another ISP on a remote location

pulukas — Tue, 15 Jul 2014 02:45:55 GMT

More thoughts:

The vpn would build on the internal interfaces since the ISP for one side is down.
- You’re correct, I’m planning to build the tunnel via the Internal Interface on PAN Firewall
The PA default route for the down ISP goes into the tunnel
- I’m planning to used PBF together with the built-in monitor to track the site ISP connections and once it is down, default route will be routed to VPN Tunnel. Do I need to create two PBF for this scenario?
There is only one PBF and one default route in this scenario on each device. this is what is outlined in the tech note.
Dual ISP Branch Office Configuration
On the PA with good ISP - return traffic to the other site needs to go into the vpn instead of the MPLS or the tunnel will be asymmetrical and fail
- If I enable “Enforce Symmetric Return in PFB Rule? Does it reduce the complexity that you mention?
The use of PBF is really not an option here due to the way the process works. Instead I think you would nat the tunnel traffic providing a unique route on each site just for tunnel usage. See this tech note.
Configuring route based IPSec with overlapping networks

NAT for internet access
- Yes, I’ll do dynamic NAT translation for all traffic coming out of the VPN tunnel. Possible issue that I’m anticipating are the NAT translation for the public IP’s owned by ISP that having an issue. Any thoughts on this?
I don't see how you can use the down ISP space as this will not return to the up ISP location. You will have to allocate and use nat space on the working ISP for this purpose.

This could potentially work. With the issue I mentioned on point 1 previously needing to be tested.

Whether this is easier than the MPLS routing solution I'm not in a position to judge. Both seem invovled.