topic Re: ISP failover in PanOS 7.0.4 in General Topics

ISP failover in PanOS 7.0.4

rufusleonard — Fri, 05 Feb 2016 14:26:43 GMT

Hi,

We are moving from Juniper ScreenOS SSG firewalls to PanOS 7.0.4, 3020 clustered firewalls.

On our Junipers we make use of a feature called track-ip for Interface failover between ISP's...This basically works by pinging a far device on the primary link, and after the PING failure limits being exceeded, the default route changes to that of our secondary ISP link/interface.

I'm not talking about VPN failover here, but default route / link failure/failover.

I asked this of Palo Alto support but got the following response:

"The Path Monitoring feature monitors the full path through the network to mission-critical IP addresses to control failover. ICMP pings are used to verify reachability of the IP address. The default behavior is any one of the IP addresses becoming unreachable will cause the device to change the HA state to non-functional to indicate a failure of a monitored object."

This to me very much looks like a HA state config, and nothing to do with ISP link failover.

Upon speaking to someone else who is Palo accredited, they suggested using PBF, but I really don't like PBF. They then said that PanOS has a new feature called 'ECMP' and we might be able to make use of that?

Can anyone advise of a similar option of the Juniper ScreenOS 'track-ip' on the Palo Alto's?

Will ECMP work?

Is there and alternative, other than PBF?

Thanks,

John

Re: ISP failover in PanOS 7.0.4

Raido_Rattameister — Fri, 05 Feb 2016 15:18:43 GMT

ECMP (at least in current version) can check only if link is up or down.

It does not send out ping to verify so no path monitoring.

PBF can be used in that case.

So if path monitoring can't see destination then firewall will fall back to virtual router where you have configured your secondary ISP.

Re: ISP failover in PanOS 7.0.4

rufusleonard — Fri, 05 Feb 2016 17:03:01 GMT

Thanks foryour swift reply. So when you say link down wity ECMP, I'm assuming that's just the interface reporting as down?

If so, can it be configured to failover to the other link on link/interface failure, and what happens when a clustered 3020 is set-up?

Thanks again,

John

Re: ISP failover in PanOS 7.0.4

OtakarKlier — Fri, 05 Feb 2016 23:25:32 GMT

Hello,

I think what you may be looking for is Policy Based Forwarding with path monitoring.

https://live.paloaltonetworks.com/t5/Configuration-Articles/Dual-ISP-Branch-Office-Configuration/ta-p/59346

Its an older document but still holds validity.

Cheers!