https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnel-as-backup-link-of-mpls-connection/m-p/5694#M4165 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P>I think you should use PBF for this since only by using PBF you can achieve automatic failover. Unless you have a dynamic routing protocol running in your MPLS networks, there is no way that the firewall knows that the route to your MPLS cloud was down.</P></BODY></HTML> Wed, 27 Nov 2013 10:56:30 GMT Retired Member 2013-11-27T10:56:30Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnel-as-backup-link-of-mpls-connection/m-p/5693#M4164 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>we have MPLS link between two sites. Right now I want to setup backup link with IPSec tunnel. schema of network connection is as on picture.</P><P>please help me to configure Palo Alto device to monitor MPLS link and switch to IPSec tunnel when MPLS link will be down.</P><P>Switch on right site has IPSLA ready that check connection to MPLS router and change routing automatically to PA. </P><P>Palo Alto has two routing record for the same sub net with different metric and adm distance but it don't swap to IPSec automatically. Please tell me how I should configure PA to support this scenario without my interaction ?</P><P>What should I use PBF, redistribution profiles under VR - static, add one VR more, Monitor tunnel?&nbsp; </P><P></P><P><IMG alt="Visio-pa_mpls_Ipsec.jpg" class="jive-image-thumbnail jive-image" height="384" src="https://live.paloaltonetworks.com/legacyfs/online/5700_Visio-pa_mpls_Ipsec.jpg" width="544" /></P><P>Thank you for advice!</P></BODY></HTML> Fri, 22 Feb 2013 11:42:54 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnel-as-backup-link-of-mpls-connection/m-p/5693#M4164 jakub_gniazdowski 2013-02-22T11:42:54Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnel-as-backup-link-of-mpls-connection/m-p/5694#M4165 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P>I think you should use PBF for this since only by using PBF you can achieve automatic failover. Unless you have a dynamic routing protocol running in your MPLS networks, there is no way that the firewall knows that the route to your MPLS cloud was down.</P></BODY></HTML> Wed, 27 Nov 2013 10:56:30 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnel-as-backup-link-of-mpls-connection/m-p/5694#M4165 Retired Member 2013-11-27T10:56:30Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnel-as-backup-link-of-mpls-connection/m-p/5695#M4166 <HTML><HEAD></HEAD><BODY><P>Hello Jakub,</P><P></P><P>Yes we will have to use PBF to have auto failover if the primary link is failed.</P><P>In PBF rule we set the primary link ( in your case it is MPLS path ). PBF rules are given priority over default routes and security rules. If the PBF fails then it would take the default static route to the tunnel for backup path.</P><P>Below are some doc suggestions to understand and customize your implementation.</P><P></P><P><A href="https://live.paloaltonetworks.com/docs/DOC-4500">How to Setup a Palo Alto Networks Firewall with Dual ISPs and Automatic VPN Failover</A></P><P></P><P><A href="https://live.paloaltonetworks.com/docs/DOC-1357">Dual ISP Branch Office Configuration</A></P><P></P><P>Thanks</P></BODY></HTML> Wed, 27 Nov 2013 12:41:23 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnel-as-backup-link-of-mpls-connection/m-p/5695#M4166 Phoenix 2013-11-27T12:41:23Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnel-as-backup-link-of-mpls-connection/m-p/5696#M4167 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Fully agree with Phoenix. Just be sure that the juniper on remote site be able to send traffic in VPN too (in case of vpn failure) alse ... it will fail <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P></P><P>Hope help.</P><P></P><P>v.</P></BODY></HTML> Wed, 27 Nov 2013 19:01:02 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnel-as-backup-link-of-mpls-connection/m-p/5696#M4167 VinceM 2013-11-27T19:01:02Z