https://live.paloaltonetworks.com/t5/general-topics/internal-nat-failover/m-p/7298#M5406 <HTML><HEAD></HEAD><BODY><P>But the issue is you'll have only one destination NAT rule to be matched no matter which server is the active one. That's why I suggest methods in "option 1" to have two routes to the Public IP (via Routing Protocols or PBF) with the goal of having a destination zone change that would allow us to match two different destination NAT rules</P></BODY></HTML> Fri, 19 Sep 2014 04:52:14 GMT xhoms 2014-09-19T04:52:14Z https://live.paloaltonetworks.com/t5/general-topics/internal-nat-failover/m-p/7293#M5401 <HTML><HEAD></HEAD><BODY><P>Hello all,</P><P></P><P>I was wondering if a certain scenario is possible through a Palo Alto PA-3020.&nbsp; Say we have a single ISP with an internal NAT rule pointing to internal server A that is accessible by anyone in the outside world.&nbsp; If server A ever goes down (or we take it offline), the internal NAT rule will failover to another internal NAT rule pointing to server B.&nbsp; These two servers are not load balanced nor are they accessed at the same time by the outside world.&nbsp; The same external IP address will be used to access whichever server is online but again never both at the same time and of course both servers have different internal IP addresses in the same subnet.</P><P></P><P>I'm thinking this would be accomplished with two NAT rules and one or two PBF rules.&nbsp; What I am trying to figure out is how the Palo would know to use the other internal NAT rule if server A goes down.&nbsp; Is something like this possible?</P></BODY></HTML> Thu, 18 Sep 2014 20:13:39 GMT https://live.paloaltonetworks.com/t5/general-topics/internal-nat-failover/m-p/7293#M5401 ClintL 2014-09-18T20:13:39Z https://live.paloaltonetworks.com/t5/general-topics/internal-nat-failover/m-p/7294#M5402 <HTML><HEAD></HEAD><BODY><P>I only see two options:</P><OL><LI>If you could manage to have the public IP used by the outside world to reach the servers being dynamicaly learned by the PA-3020 using a routing protocol (i.e. RIP) from the servers, then you could put each server in a different security zone and use two destination NAT rules. But I guess the public IP you're using will have to be directly attached to the ISP facing interface, blocking this option.</LI><LI>To implement an external monitor that signals a configuration change using the PANOS Config API when any server becomes unreachable.</LI></OL></BODY></HTML> Thu, 18 Sep 2014 20:31:43 GMT https://live.paloaltonetworks.com/t5/general-topics/internal-nat-failover/m-p/7294#M5402 xhoms 2014-09-18T20:31:43Z https://live.paloaltonetworks.com/t5/general-topics/internal-nat-failover/m-p/7295#M5403 <HTML><HEAD></HEAD><BODY><P>There is the PBF+PathMonitoring alternative to routing protocols for option 1. But you still need the Public IP not to be directly connected to any PA-3020 interface.</P></BODY></HTML> Thu, 18 Sep 2014 23:28:52 GMT https://live.paloaltonetworks.com/t5/general-topics/internal-nat-failover/m-p/7295#M5403 xhoms 2014-09-18T23:28:52Z https://live.paloaltonetworks.com/t5/general-topics/internal-nat-failover/m-p/7296#M5404 <HTML><HEAD></HEAD><BODY><P><A href="https://live.paloaltonetworks.com/u1/27897">ClintL</A> You can look into clustering service on windows as an option.</P></BODY></HTML> Fri, 19 Sep 2014 00:00:36 GMT https://live.paloaltonetworks.com/t5/general-topics/internal-nat-failover/m-p/7296#M5404 bat 2014-09-19T00:00:36Z https://live.paloaltonetworks.com/t5/general-topics/internal-nat-failover/m-p/7297#M5405 <HTML><HEAD></HEAD><BODY><P>Hello Clint,</P><P></P><P>I think we can achieve this through a&nbsp; PBF policy. We can configure a PBF policy for Primary Server with a monitor profile, pointing towards Primary servers IP address <SPAN class="GINGER_SOFTWARE_mark">( </SPAN>Since PBF will take precedence over routing)&nbsp; and the backup server will be reachable through normal routing.</P><P></P><P>Once PBF will fail <SPAN class="GINGER_SOFTWARE_mark">( </SPAN>monitor IP not reachable), the traffic will start flowing through routing toward backup server.</P><P></P><P>Thanks</P></BODY></HTML> Fri, 19 Sep 2014 00:10:08 GMT https://live.paloaltonetworks.com/t5/general-topics/internal-nat-failover/m-p/7297#M5405 HULK 2014-09-19T00:10:08Z https://live.paloaltonetworks.com/t5/general-topics/internal-nat-failover/m-p/7298#M5406 <HTML><HEAD></HEAD><BODY><P>But the issue is you'll have only one destination NAT rule to be matched no matter which server is the active one. That's why I suggest methods in "option 1" to have two routes to the Public IP (via Routing Protocols or PBF) with the goal of having a destination zone change that would allow us to match two different destination NAT rules</P></BODY></HTML> Fri, 19 Sep 2014 04:52:14 GMT https://live.paloaltonetworks.com/t5/general-topics/internal-nat-failover/m-p/7298#M5406 xhoms 2014-09-19T04:52:14Z https://live.paloaltonetworks.com/t5/general-topics/internal-nat-failover/m-p/7299#M5407 <HTML><HEAD></HEAD><BODY><P>Hi ClintL, </P><P></P><P>Since the requirement is&nbsp; to use only One public IP, (as far as I know) from configuration perspective on the PA 3020, I don't think this can be achieved unless you use different destination ports to identify the internal servers A and B that share the same public IP, say 1.1.1.1. In that case, the external hosts need to know that if server A is unreachable over the socket 1.1.1.1:xx, then use server B's socket 1.1.1.1:yy. </P><P></P><P>As of now, fail-over or redundant NAT rules cannot be configured (meaning you cannot have two D-NAT rules pointing to the same public IP with different internal destination IP transalations unless you want to use destinaion IP and port translation)</P><P></P><P>Also, refer <A href="https://live.paloaltonetworks.com/docs/DOC-1517">Understanding PAN-OS NAT</A></P><P></P><P>Thanks </P><P>Gayathri</P></BODY></HTML> Fri, 19 Sep 2014 09:17:27 GMT https://live.paloaltonetworks.com/t5/general-topics/internal-nat-failover/m-p/7299#M5407 gchandrasekaran 2014-09-19T09:17:27Z https://live.paloaltonetworks.com/t5/general-topics/internal-nat-failover/m-p/7300#M5408 <HTML><HEAD></HEAD><BODY><P>The functionality you're looking for is commonly found in load balancers.&nbsp; Even if you can find a way to get this working with PBF+NAT+Monitoring+API+whatever, you'll ultimately be better served by using the right tool for the job.&nbsp; </P></BODY></HTML> Fri, 19 Sep 2014 14:14:24 GMT https://live.paloaltonetworks.com/t5/general-topics/internal-nat-failover/m-p/7300#M5408 jvalentine 2014-09-19T14:14:24Z https://live.paloaltonetworks.com/t5/general-topics/internal-nat-failover/m-p/7301#M5409 <HTML><HEAD></HEAD><BODY><P>I appreciate the responses, guys.&nbsp; Yeah this was one of those "figure out how the Palo can do this" by the higher ups but like it was mentioned the Palo isn't the best solution.&nbsp; Thanks again and have a great weekend.</P></BODY></HTML> Fri, 19 Sep 2014 14:54:12 GMT https://live.paloaltonetworks.com/t5/general-topics/internal-nat-failover/m-p/7301#M5409 ClintL 2014-09-19T14:54:12Z https://live.paloaltonetworks.com/t5/general-topics/internal-nat-failover/m-p/7302#M5410 <HTML><HEAD></HEAD><BODY><P>If budget is the problem there is a basic open source load balancer in the Zen project on source forge.</P><P></P><P><A href="http://sourceforge.net/projects/zenloadbalancer/" title="http://sourceforge.net/projects/zenloadbalancer/">Zen Load Balancer | SourceForge.net</A></P></BODY></HTML> Sat, 20 Sep 2014 14:10:37 GMT https://live.paloaltonetworks.com/t5/general-topics/internal-nat-failover/m-p/7302#M5410 pulukas 2014-09-20T14:10:37Z https://live.paloaltonetworks.com/t5/general-topics/internal-nat-failover/m-p/7303#M5411 <HTML><HEAD></HEAD><BODY><P>Hi Clintl,</P><P></P><P>You can also opt for F5, its one of the best load balancer in industry. A10 load balancere is cheaper one.</P><P></P><P>Regards,</P><P>Hardik Shah</P></BODY></HTML> Sat, 20 Sep 2014 14:27:58 GMT https://live.paloaltonetworks.com/t5/general-topics/internal-nat-failover/m-p/7303#M5411 hshah 2014-09-20T14:27:58Z