topic Re: Palo Alto With TWO ISPs in General Topics

Palo Alto With TWO ISPs

ParvezAhmad — Sat, 04 Jan 2014 19:51:31 GMT

Hello,

We have migrated firewall from ASA firewall to Palo Alto firewall. In my case, we have below interfaces in Palo Alto firewall.

1. ISP1 Interface (E1/1)

2 ISP2 Interface (E1/2)

3. DMZ Interface (E1/3)

4. Inside Interface (E1/4)

Since we are using ISP1 for accessing DMZ servers from internet and we are using ISP2 for web traffic of users from inside zone. We are using PBF (Policy Based Forwarding) for redirecting web-traffic to ISP2.

As all the http and https traffic is diverted to ISP2 the users(Inside Zone) are not able to access the servers those are in DMZ Zone.

Please suggest how we can solve this problem.

Regards,

Parvez

Re: Palo Alto With TWO ISPs

Retired Member — Sat, 04 Jan 2014 20:48:07 GMT

can you share your pbf rule ?

Re: Palo Alto With TWO ISPs

Retired Member — Sat, 04 Jan 2014 22:16:40 GMT

if you need to seperate connections you may configure 2 virtual routers (not mandatory)

1- Make your LAN and WAN2(ISP2) use default VR

2- Make your DMZ and WAN1(ISP1) use second VR2

3- Add default Gateways for VR1 and VR2 (for each one 0.0.0.0/0 route)

4-Configure NAT rules for LAN and DMZ

5- Add a route for each VR for the other network.(for default VR add a route as destination "subnet DMZ", Next VR, VR2) (for VR2 add a route as destination "subnet LAN", Next VR, default VR)

Re: Palo Alto With TWO ISPs

skrall — Sun, 05 Jan 2014 02:15:21 GMT

Without seeing a topology this is going to be difficult to diagnose. Are your DMZ servers tied to public IP addresses allocated by isp1 or isp2?

Normally dual ISP is a simple config.

ISP 1 is your primary link so the PBF points to this ISP as the next hop and you monitor this next hop.

ISP 2 is the secondary so the default route in the routing table points here.

Once you have this working you can try getting fancy. But keep in mind that NAT plays a big role here. If people are connecting to the x.x.x.x address to access your servers, you can not send the response packets out the other link with a source NAT of z.z.z.z.

Use ping tosee where the packets are going.

show session all filter source <IP_DMZ_Serv_inside>

then

Show session id xxxxx

The output should show you what interface is being used, what NAT rule is used, what sec policy is used.

This should give you good insight as to what is going wrong.

SKrall

Re: Palo Alto With TWO ISPs

ParvezAhmad — Sun, 05 Jan 2014 12:02:20 GMT

Would you please explain your point 5 in more details? Thank you.

Re: Palo Alto With TWO ISPs

Retired Member — Sun, 05 Jan 2014 12:08:10 GMT

if your lan is 192.168.0.0/24(default VR)

dmz is 172.16.0.0/24(VR2)

for default VR which uses LAN you should add a route destination ip 172.16.0.0/24 next hope will be next VR(vr2)

for VR2 which uses DMZ you should add a route destination ip 192.168.0.0/24 next hope will be next vr default VR

Re: Palo Alto With TWO ISPs

Retired Member — Sun, 05 Jan 2014 12:10:56 GMT

also you don't need pbf rules with that config.

your nat to outside and security rules will be

lan to wan2

dmz to wan1

Re: Palo Alto With TWO ISPs

ParvezAhmad — Thu, 23 Jan 2014 12:44:32 GMT

Thanks panos. It is working fine.