topic Re: PAN Dual ISP Failver Best Practices in General Topics

PAN Dual ISP Failver Best Practices

SDorsey — Sat, 09 Aug 2014 17:49:13 GMT

I have setup dozens of PANs with multiple ISPs and failover but have some questions in regards to best practices..

1. Is PBF the only way to handle failover? If not, can the same be achieved via HA Link/path monitoring or is that specifically for device/firewall failover?

2. This is mostly in regards to what is processed first in the firewall. If you setup two ISPs, are there any issues with putting them in the same zone so you can manage them as a single zone from a security perspective? My question mostly revolves around NAT. If you have two NAT policies which match Internal to External but the policies have two different source NAT IPs.. will the firewall look at the PBF table, see which interface it is going to go out of, then apply the appropriate NAT policy? Or do you have to put the ISPs in separate zones?

Re: PAN Dual ISP Failver Best Practices

SDorsey — Sat, 09 Aug 2014 18:43:24 GMT

Well nevermind on question two. I tested it and no for sure you can NAT just fine with all ISPs being on same zone.

Re: PAN Dual ISP Failver Best Practices

SDorsey — Sat, 09 Aug 2014 20:45:13 GMT

Is it possible that if you have say dual ISPs and you are hosting a publicly accessible web server.. that it be accessible on the public IP of either ISP at any given time?

The current setups have it where it is only accessible on the active ISP line due to the PBF rules.

Re: PAN Dual ISP Failver Best Practices

HULK — Mon, 11 Aug 2014 04:49:47 GMT

If you want to access publicly hosted web-server through both Public IP addresses, how your DNS server will resolve one URL into 2 different IPs..?

Thanks

Re: PAN Dual ISP Failver Best Practices

SDorsey — Mon, 11 Aug 2014 12:26:00 GMT

Yeah I understand DNS can only have a single A record mapping to an IP at a time. I'm not sure I have a practical use-case scenario for what I'm asking.. just curious if it is possible from a routing perspective in the PAN.

Re: PAN Dual ISP Failver Best Practices

CafNetMatt — Mon, 11 Aug 2014 23:56:08 GMT

I had a client that had a similar requirement. They have 2 ISPs with NAT separate for each. They had a couple of DNATs and wanted to use Global Protect as well. The fun part was that they wanted failover setup but they wanted both WAN links available at the same time. The plan was to manually change DNS when there was a failure but once it was back online they didn't have to make the DNS change right away. So DNATs & GP would always operate.

What I had to do was to put both WAN interfaces into separate VRs. Since I was doing failover as well, I also had to setup PBF. It was the only way I could keep routing synchronous. When I tried to create PBFs to do it they just wouldn't honor the rule and if traffic came in on 1 WAN link while the failover PBF was in place routing became circular. I also had to setup routing across VRs to make traffic flow properly and ran into performance issues.

Re: PAN Dual ISP Failver Best Practices

SDorsey — Tue, 12 Aug 2014 00:50:56 GMT

When you did that, did you put the ISPs in the same or separate zones?

Re: PAN Dual ISP Failver Best Practices

CafNetMatt — Tue, 12 Aug 2014 00:55:37 GMT

The ISPs were put into the same zone. That was about the only nice thing about it. It made applying security policies easier.

Re: PAN Dual ISP Failver Best Practices

SDorsey — Tue, 12 Aug 2014 01:04:18 GMT

I agree. This is my first implementation with putting both ISPs in the same zone. I seemed to be having mixed results.. specifically with bi-drectional NAT policies. Traffic doesn't seem to match on them correctly. If I however change it from a bi-directional policy to two separate NAT policies (one to NAT in and one to NAT out) for a given server and both public IPs, it starts matching correctly.

Re: PAN Dual ISP Failver Best Practices

SDorsey — Tue, 12 Aug 2014 02:16:34 GMT

Jay kay. The nat policies were fine. I thought they were broken because email flow was not working. Turns out, the new fiber ISP in the area blocks all inbound/outbound port 25 by default. Wonderful times.

Re: PAN Dual ISP Failver Best Practices

CafNetMatt — Tue, 12 Aug 2014 04:46:58 GMT

Sounds like you answered your own question but here's what I did.

I only have DNATs & SNATs. The DNATs were port translations mainly because 1 was legacy and the other I only had the interface IP to work with.

The performance issues I never had a chance to troubleshoot. The migration was a rush job and I was fitting into several already scheduled projects. By the time I had the time to troubleshoot, the client had work with PAN support to solve the issue. From what I understand, they spent a long time and several calls to figure it out but I never heard what the solution was.

I have to LOL on the port 25. I didn't know anyone still blocked 25 anymore on a business class internet connection. Even if it's just a cable modem connection. 🙂

Although, on this particular job, they had a 100Mb cable modem connection and the provider was still tying the connection to the first MAC address it saw. That was fun.

Re: PAN Dual ISP Failver Best Practices

SDorsey — Tue, 12 Aug 2014 13:56:33 GMT

Yeah we can alll LOL at the smtp issue after the fact.

And it's not even like this was some lowly business class DSL service. It's enterprise grade fiber. (50 down/up).

In our area, we have a cable modem provider that still ties the connection to the first MAC address. When I switch them to a new firewall and tell them they have to reboot the modem.. I feel barbaric. 🙂