topic Re: Two Default gateways with different priority in General Topics

Two Default gateways with different priority

irshad.n — Fri, 31 Mar 2017 10:11:14 GMT

Hi Guys,

We have two isp links (ISP1 AND ISP2). We have defined to default gateways and set the ISP1 less priority so that all internal traffic will take ISP1.

for example

0.0.0.0/0 ethernet 1/1 next hop 76.45.146.22 admindistance 10 metric 1
0.0.0.0/0 ethernet 1/2 next hop 89.54.54.56 admindistance 10 metric 2

In this scenario. We have published SMTP via ISP1 AND our web server via ISP2.

My query is, when some one from internet access the web server it will go through via ISP2, get natted to public ip of the web server and will reach the server LOCAL which is in the DMZ. But... when the local server responds to the request, would it take ISP1 or ISP2?

Re: Two Default gateways with different priority

reaper — Fri, 31 Mar 2017 11:34:21 GMT

thanks for your comment! I'll move this topic over to the general discussion area as it was posted in the feedback board

Re: Two Default gateways with different priority

BPry — Fri, 31 Mar 2017 13:03:43 GMT

This sounds like it would make a really good example for Policy Based Forwarding. Since your highest priority route for all traffic is ethernet1/1 the return traffic would attempt to take that route; however with a PBF policy configured you could actually specify that HTTP/HTTPS traffic from your webserver actually needs to Egress from ethernet1/2 next hop 89.54.54.56 and this would actually superseed the metric in your routing table.

Re: Two Default gateways with different priority

santonic — Fri, 31 Mar 2017 13:08:30 GMT

Yeah, PBF is the way to go. There you also have an option 'enforce symmetric return'. That way your server is visible on both ISPs all the time.

Re: Two Default gateways with different priority

irshad.n — Sat, 01 Apr 2017 20:47:29 GMT

Thanks you.

I tried PBF with simetric routing. and it worked. i was having several discussion with palo alto engineers. because. currently we are migrating fortigate firewall to palo alto firewall. in Fortigate firewall the return traffic is taking the same path as it arrived even without PBF. As far as i understood firewall will notedown the ingress and egress interface in its session table. with that asumption and despite the face that fortigate does not have any PBF. we configured same configuration as the fortigate and failed the migration.

We learned in hard way...

Thanks for all for your comments.

Re: Two Default gateways with different priority

m.habib424169 — Mon, 09 Sep 2024 09:05:28 GMT

Secondary ISP not able to ping form external

I have two ISPs connected to my Palo Alto firewall:

1. ISP1 is in the ISP1 zone, with a default route metric value of 10.
2. ISP2 is in the ISP2 zone, with a default route metric value of 15.
3. Both ISPs are in the same virtual router.
I am facing an issue where I am unable to ping ISP2 from an external network.

The only time I am able to ping ISP2 from my home (public IP) is when I configure a static route on the Palo Alto firewall in the virtual router, pointing to the ISP2 interface.

Here are the configurations I have made on my Palo Alto firewall:

Security Policy: ISP2 to ISP2 — Allow all (any to any)
PBF (Policy-Based Forwarding): Configured with the following:
Source: ISP2, Source Address: any
Destination: any
Forwarding to ISP2 interface with Enforce Symmetric Return enabled
NAT Policy:
Source: ISP2, Destination: ISP2
Destination Interface: ISP2 interface
Source and Destination: any
Translated to Dynamic IP and Port, pointing to ISP2 interface

Could someone please assist me in resolving the issue?