https://live.paloaltonetworks.com/t5/general-topics/internet-load-balancing/m-p/34311#M25166 <HTML><HEAD></HEAD><BODY><P>Many Thanks brother Mikand for your reply.</P><P>my concern we have 5 connections in these connections we have 2 dedicated internet links with 25m and we need to configure the 5 untrust zones and use PBF to add rules like IT group will forward to dedicated link number 1 which has 25mb and configure another rule for IT group to use dedicated link No. 2 in case first one goes down. and another AD groups we will decide to which link they can leave using PBF.</P><P>LAN ------------ PA -----------------untrust-1</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; -----------------untrust-2</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; -----------------untrust-3</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ----------------untrust-4</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; -----------------untrust-5</P><P>for this scenario we supose to use 6 interfaces one as trust (LAN) and 5 untrust (Internet zones).</P><P>for this scenario could you please inform me what is the best practice?</P><P></P><P></P><P></P><H5 class="simple"></H5><H5 class="simple"></H5></BODY></HTML> Thu, 04 Apr 2013 14:38:10 GMT AymanShimy 2013-04-04T14:38:10Z https://live.paloaltonetworks.com/t5/general-topics/internet-load-balancing/m-p/34309#M25164 <HTML><HEAD></HEAD><BODY><P>Hi i have 5 internet connections (two dedicated links with different ISPs and 3 shared links with one ISP) , I need to configure the 5 untrust zones for internet and one for trust how i can configure the VR and how i can i use PBF per group of users. and create a backup link in case the first internet link goes down.</P><P></P><P>Regards,</P></BODY></HTML> Wed, 03 Apr 2013 16:59:46 GMT https://live.paloaltonetworks.com/t5/general-topics/internet-load-balancing/m-p/34309#M25164 AymanShimy 2013-04-03T16:59:46Z https://live.paloaltonetworks.com/t5/general-topics/internet-load-balancing/m-p/34310#M25165 <HTML><HEAD></HEAD><BODY><P>PA currently doesnt support ECMP according to:</P><P></P><P><A _jive_internal="true" class="active_link" href="https://live.paloaltonetworks.com/message/18957#18957" title="https://live.paloaltonetworks.com/message/18957#18957">https://live.paloaltonetworks.com/message/18957#18957</A></P><P></P><P><A __default_attr="23879" __jive_macro_name="message" class="jive_macro jive_macro_message" href="https://live.paloaltonetworks.com/"></A></P><P></P><P>which gives that if you wish to use all your 5 internet connections at once I would suggest you to use a router in front of your PA to do the routing and from that router use a single linknet which you then route the /24 or whatever you have assigned towards the PA unit.</P><P></P><P>This way the PA unit wont have to care about which connection was/is being used - for redundancy you can setup aggregated interfaces.</P><P></P><P>The result would be:</P><P></P><P>1) Internet (5 x connections)</P><P>|</P><P>2) Router (BGP preferly, but static would work aswell towards your ISPs)</P><P>[10.0.0.6/29]</P><P>|</P><P>[10.0.0.1/29]</P><P>3) PA</P><P></P><P>Your router would have a routing table similar to (regarding PA):</P><P>x.x.x.x/24 next 10.0.0.1</P><P></P><P>while your PA device would have:</P><P>0.0.0.0/0 next 10.0.0.6</P><P></P><P>Edit: Ahem *coughs*, highest usuable ip in the range 10.0.0.0/29 is 10.0.0.6 and not 10.0.0.7 which is the broadcast but I think you already got the point <span class="lia-unicode-emoji" title=":grinning_face_with_big_eyes:">😃</span></P></BODY></HTML> Wed, 03 Apr 2013 19:53:29 GMT https://live.paloaltonetworks.com/t5/general-topics/internet-load-balancing/m-p/34310#M25165 mikand 2013-04-03T19:53:29Z https://live.paloaltonetworks.com/t5/general-topics/internet-load-balancing/m-p/34311#M25166 <HTML><HEAD></HEAD><BODY><P>Many Thanks brother Mikand for your reply.</P><P>my concern we have 5 connections in these connections we have 2 dedicated internet links with 25m and we need to configure the 5 untrust zones and use PBF to add rules like IT group will forward to dedicated link number 1 which has 25mb and configure another rule for IT group to use dedicated link No. 2 in case first one goes down. and another AD groups we will decide to which link they can leave using PBF.</P><P>LAN ------------ PA -----------------untrust-1</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; -----------------untrust-2</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; -----------------untrust-3</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ----------------untrust-4</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; -----------------untrust-5</P><P>for this scenario we supose to use 6 interfaces one as trust (LAN) and 5 untrust (Internet zones).</P><P>for this scenario could you please inform me what is the best practice?</P><P></P><P></P><P></P><H5 class="simple"></H5><H5 class="simple"></H5></BODY></HTML> Thu, 04 Apr 2013 14:38:10 GMT https://live.paloaltonetworks.com/t5/general-topics/internet-load-balancing/m-p/34311#M25166 AymanShimy 2013-04-04T14:38:10Z