topic Re: NAT public IP to two private IP as failover in General Topics

NAT public IP to two private IP as failover

mikealanni — Wed, 14 Sep 2016 20:56:17 GMT

Is there a way in Palo alto firewall to do that? is some one already using it?

Example

x.x.x.x (public) ------ Palo Alto (NAT) ----------------172.16.5.5 (primary)

172.16.5.6 (backup)

Mike.

Re: NAT public IP to two private IP as failover

OtakarKlier — Wed, 14 Sep 2016 22:11:56 GMT

Hello,

Should like a load balancer would work better. But thinking about it, I wonder if Policy Based Forwarding with a Monitor would work. While I have not tried it in this fashion, I have used it for a multiple ISP failover scenario.

Perhaps someone else has tried it?

Regards,

Re: NAT public IP to two private IP as failover

TranceforLife — Wed, 14 Sep 2016 23:07:48 GMT

I was thinking about PBF option as well but as you stated it is actually for vice versa option as you can only specify one default gateway for the client in the "trust" zone. Just thinking how the client is going to change a DG if one link is failing. No VRRP option available or possible here 🙂 One device so not much what we can do. Thinking about this:

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-LACP/ta-p/65837

But l am not very familiar with this protocol and if it works in Layer 3 with one IP, so cannot comment much

Re: NAT public IP to two private IP as failover

VinceM — Thu, 15 Sep 2016 08:53:16 GMT

Hi all,

Depend what you are looking for:

- Use Policy Based Routing: Activ/Passiv or Activ/Activ - and you choose which traffic on which link

https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/policy/create-a-policy-based-forwarding-rule

- Use Link Layer Distribution Protocol - act like load balancing by defining two route with same weight

https://www.paloaltonetworks.com/documentation/70/pan-os/newfeaturesguide/networking-features/lldp

Hope hep

Re: NAT public IP to two private IP as failover

reaper — Thu, 15 Sep 2016 11:54:30 GMT

you don't need to set a default gateway for the internal subnets, a simple subnet route will suffice: Policy Based Forwarding bypasses route lookups when it is active for a session

from the perspective of the pbf configuration the public side can be treated as the local network and the 2 routes as the dual-isp

-set a pbf with monitor pointed at the primary link

-set a normal route to the secondary link

Re: NAT public IP to two private IP as failover

mikealanni — Thu, 15 Sep 2016 18:04:49 GMT

just confused, do I create two NAT rules from trust to untrust as bidirectional and then apply pbf for a connected subnet?

I'm using lvl3 interfaces

Re: NAT public IP to two private IP as failover

reaper — Fri, 16 Sep 2016 21:07:23 GMT

since NAT rules are zone based, you can et the external zone to zone1 and the 2 internal interfaces to zone2, that way your NAT rule will always apply, regardless of the internal interface in use

then have pbf route traffic to the primary link if the monitor is up, and a static route be backup for the secondary link if the pbf monitor fails

- During the failover from the primary interface to the backup, existing sessions will fail out due to them being bound to the interfaces, but the new sessions will simply pick up as expected, using the same NAT rule