topic Dual ISP Global Protect Redundancy in General Topics

Dual ISP Global Protect Redundancy

DonohoeRobert — Wed, 16 Nov 2016 21:48:16 GMT

Hi Team,

I hope ye all are well. We recently worked a case for a customer that had dual ISP configuration and wanted the Palo Alto Networks device to provide redundancy for the Global Protect Portal and Gateways in the event one ISP went down. We came up with a handy way of providing this using NAT rules and a loopback and I am posting this to share with the community.

There are some screenshots from the lab below. Eth1/1 & Eth1/2 represent ISP-A and ISP-B.

We popped the Global Protect Portal and Gateway on a loopback interface.

We created two NAT rules to bounce the incoming traffic whether its from ISP-A or ISP-B to the loopback address.

The system has two Virtual Routers for both ISP's. VR-A and VR-B. VR-A has the loopback interface added.

Virtual Router B has a static route to VR-A which has a route to the loopback interface with the Portal and Gateway.

This simple setup allows access to the portal and gateway from either ISP interfaces. We simulated one ISP failing and changed the A record of the portal fqdn to resolve to the other interface and the users could connect without any input or changes from the end user. There are a number of ways to automate dns integrity and failover to resolve to a different ip address if it can't resolve to another. Beyond the scope of Palo Alto. Infoblox and Route 53 can provide these features. If you just have MS server , changing the A record from one IP to another isn't a massive task.

Hope this helps few others and is nice way to provide extra layer of redundancy for networks to big to fail.

Best regards,

Robert D

Re: Dual ISP Global Protect Redundancy

gdo3 — Mon, 25 Jun 2018 21:18:16 GMT

Great article @DonohoeRobert. Thank you for sharing this solution! Question: Even though the Portal and Gateway configurations point to the loopback interface and the loopback interface is assigned to the Global-Protect security zone, in Tunnel Settings in Agent in Gateway configuration, did you still have to configure a tunnel interface and choose it in here? Or did you leave 'Tunnel Mode' unchecked?

Re: Dual ISP Global Protect Redundancy

DonohoeRobert — Mon, 25 Jun 2018 21:43:38 GMT

Hi Mate,

No worries at all..

Ye need to create a tunnel interface here 100%. Gateway and portal on loopback interface is grand, but would enable tunnel mode as per normal as well.

Let us know how it goes, article a little old but can mock up in the lab again if needed.

best regards

Rob

Re: Dual ISP Global Protect Redundancy

AkashThangavel — Tue, 08 Nov 2022 05:05:46 GMT

Hi DonohoeRobert,

Have you tried Redundancy for this case, you have configured only one default route(0.0.0.0/0) that belongs to Ethernet 1/1.
How will another interface(Ethernet1/2 ) route the traffic if Ethernet1/1 goes down?

regards,

Akash Thangavel

Network Security Engineer