topic Re: PA220 PANOS 8.0.7 Dual ISP in General Topics

PA220 PANOS 8.0.7 Dual ISP

Nick.Spender — Sun, 28 Jan 2018 22:55:04 GMT

Hello Everyone

I know there is a fair amount of information on this topic but I have a few issues/questions

I have a PA220 with PANOS 8,0,7. My questions are relating to dual ISP connectivity. I would like to setup my PA with a backup ISP connection. I do have IPsec tunnels. But I am allowing for the second tunnel to negotiate when the backup ISP comes up. So both tunnels don't have to be "up and ready"

I have read the following article which is based on 2 VRs with PBFs to push traffic to the primary ISP with monitoring. When monitoring fails it will "failover" to use the second ISP

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-a-Palo-Alto-Networks-Firewall-with-Dual-ISPs/ta-p/59774

I have also read the following article which I believe is now available in PANOS 8. This configuration use 2 default routes. The first 1 will have a lower metric. Let's say 10 with monitoring enabled and the second default route has a higher metric let's say 50.

https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/networking/static-routes/static-route-removal-based-on-path-monitoring.html

Basically can I achieve dual ISP with tunnels available on both untrusted ISP connections with the second article (default routes and path monitoring) Again I don't mind the short amount of time for tunnel negotiate. It's a branch office PA and I don't really want to configure 2 VRs.

Thank you, really appreciate any help on this

Re: PA220 PANOS 8.0.7 Dual ISP

reaper — Mon, 29 Jan 2018 09:27:50 GMT

Hi @Nick.Spender!

yes, this should work

The first article highlights a scenario that guarantees minimum downtime because both your tunnels are up. If a short downtime is not a big concern you can simply use the static route removal in PAN-OS 8.0

Re: PA220 PANOS 8.0.7 Dual ISP

Nick.Spender — Mon, 29 Jan 2018 10:28:08 GMT

@reaper

Thank you Reaper.

I am testing path monitoring route now.....lets see how it goes

Thank you for all your comments and replies

Re: PA220 PANOS 8.0.7 Dual ISP

Nick.Spender — Mon, 29 Jan 2018 14:11:25 GMT

@reaper

I am setting up each above article, currently testing the path monitoring method for static routes. When I fail over the ISP I get a real strange issue. its not tearing down the tunnel connected to 1/1

Re: PA220 PANOS 8.0.7 Dual ISP

reaper — Mon, 29 Jan 2018 14:19:26 GMT

Did you enable tunnel monitor in the ipsec configuration?

Re: PA220 PANOS 8.0.7 Dual ISP

Nick.Spender — Mon, 29 Jan 2018 14:20:16 GMT

@reaper

No....As the other side isnt a PA 😞

Re: PA220 PANOS 8.0.7 Dual ISP

reaper — Mon, 29 Jan 2018 14:31:09 GMT

ah, that's a problem...

ok so how about you only create one tunnel locally, since the remote end will remain the same destination IP, and create a dynamic tunnel on the remote end (identification of PANW peer by means of email address or hostname for phase1 instead of it's IP)

then you could simply fail over the 1 tunnel to the second ISP and your remote peer will simply see a new tunnel com from a different source ip

Re: PA220 PANOS 8.0.7 Dual ISP

Nick.Spender — Mon, 29 Jan 2018 14:58:42 GMT

@reaper

When you say "hen you could simply fail over the 1 tunnel to the second ISP and your remote peer will simply see a new tunnel com from a different source ip" is that a manual process?

Thanks again 😉

Re: PA220 PANOS 8.0.7 Dual ISP

reaper — Mon, 29 Jan 2018 15:23:42 GMT

That should happen automnatically: your primary default gateway fails so your tunnel will resort to using the second default gateway to try and get to the remote end

thinking about this a bit more, maybe I should try reproduction in the lab... (haven't set this scenario up live yet, there may be complications)

there are a few complicating factors that could ruin the party

Re: PA220 PANOS 8.0.7 Dual ISP

Nick.Spender — Mon, 29 Jan 2018 15:24:44 GMT

I will give it a go

Thank you @reaper

Re: PA220 PANOS 8.0.7 Dual ISP

Nick.Spender — Mon, 29 Jan 2018 15:27:29 GMT

@reaper

On a side note...Do you think the other article (the 2 VR method) would cause the same issues?

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-a-Palo-Alto-Networks-Firewall-with-Dual-ISPs/ta-p/59774

Re: PA220 PANOS 8.0.7 Dual ISP

OtakarKlier — Mon, 29 Jan 2018 15:33:38 GMT

Hello @Nick.Spender,

I would just like to point out that you do not need two seperate VR's for this type of scneario. I have done it multiple times with just 1 VR and PBF with static route failover. THe other way is to use a dynamic routing protocol and add route costs to the link you call secondary.

Regards,

Re: PA220 PANOS 8.0.7 Dual ISP

Nick.Spender — Mon, 29 Jan 2018 15:40:50 GMT

@OtakarKlier

But what the 2 default routes?

with 1 VR you cant use 2 default routes unless you use path monitoring for the 0.0.0.0/0 routes?

Re: PA220 PANOS 8.0.7 Dual ISP

OtakarKlier — Mon, 29 Jan 2018 15:45:21 GMT

Hello,

There would only be one default route in the VR, e.g. the backup path. The PBF would be the primary route with a monitor and a disable option. Since PBF takes effect before the routing table, unless the PBF is down, the default route will not be used.

Hope that makes sense.

Re: PA220 PANOS 8.0.7 Dual ISP

Nick.Spender — Mon, 29 Jan 2018 15:47:11 GMT

@OtakarKlier

Ah ok but then you run into this issue

https://live.paloaltonetworks.com/t5/Management-Articles/Policy-based-forwarding-doesn-t-work-for-traffic-sourced-from/ta-p/58821

Re: PA220 PANOS 8.0.7 Dual ISP

OtakarKlier — Mon, 29 Jan 2018 15:57:43 GMT

Hmm, I currently have a site that has one ISP but connects to two different data centers. I use the PBF to send all ptraffic down one tunnel and it works just fine. I also have a site that has 1 p2p connection and a VPN tunnel to the same data center and the PBF also seems to work just fine. I think the newer code fixed the behavior in the article you mentioned?

Perhaps @reaper can verify.

Re: PA220 PANOS 8.0.7 Dual ISP

reaper — Mon, 29 Jan 2018 16:40:02 GMT

hi guys

please keep in mind the ipsec connection is a system sourced connection, so cannot be directed via pbf, but can via static routes, with or without separate VR depending on your needs (if the remote end has 2 ip's you won't need 2 VR necessarily because you can create 2 seperate identity ipsec connections)

the traffic you put on the tunnels is not system sourced so can be controlled by pbf

the 2 vr method is so you can create 2 'live' tunnels to the same endpoint, but as long as you can switch up parameters and add creative static routes, it is not mandatory

Re: PA220 PANOS 8.0.7 Dual ISP

OtakarKlier — Mon, 29 Jan 2018 16:42:08 GMT

OK that makes more sense since my two tunnels are already up and connected. I do have static routes for the public IP endpoints of those tunnels and my PBF's only are for traffic behind the firewalls.

Re: PA220 PANOS 8.0.7 Dual ISP

Nick.Spender — Mon, 29 Jan 2018 17:37:02 GMT

@reaper

Hello Yeah that would be good if you could give it a test in your lab.....id like to know the out come.

Re: PA220 PANOS 8.0.7 Dual ISP

Nick.Spender — Mon, 29 Jan 2018 20:10:51 GMT

@reaper

Wouldn't I need 2 tunnels....as 1 is for the ISP 1 and the other is for ISP 2.

Thank you.....