topic Re: Configure second ISP with failover and aggregation in General Topics

Configure second ISP with failover and aggregation

feelgood — Mon, 07 Apr 2025 14:09:10 GMT

Hi all,

I'm newbie on Palo Alto systems an i have a question bout a configuration point.

I have a PA-220 with one Internet connection (100 mbps). I have a second Internet connection from the same ISP (with the same bandwith => 100 mbps).

Now, I need to :

Aggregate this two links in one logical link ;
Use failover system if one of this two links falls.
I did some research on Palo Alto Knowledge Base to find a documentation about that and I find this :

https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/networking/configure-an-aggregate-interface-group
https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-ISP-Redundancy-and-Load-Balancing/ta-p/58361
https://live.paloaltonetworks.com/t5/Featured-Articles/DotW-Multiple-ISPs/ta-p/67831

I'm not sure if this links are correct to do what I want.

Anyone know how should I go about setting up a viable setup for my PA-220 ?

Thank you in advance for your help.

Best regards.

Re: Configure second ISP with failover and aggregation

reaper — Fri, 13 Apr 2018 13:45:35 GMT

Hi @feelgood

Theres several different approaches depending on your needs, do you simply want to have outbound connections maximally utilize all available bandwidth or do you need specific services to use a preferred route, or have one line as hot standby, have vpn redundancy, etc...

does each link have it's own ip or does your ISP also aggregate the links?

The simplest setup is to setup both links equally and enable ECMP (in the virtual router), this will load balance traffic over both links, all you need to do is set up 2 individual NAT policies, one for each link

Re: Configure second ISP with failover and aggregation

feelgood — Fri, 13 Apr 2018 14:05:04 GMT

Hi @reaper

Thank you for your reply.

I have two differents IPs on each link, our ISP don't aggregate the links.

So, to answer at your question, in first place, I need to use all available bandwidth (i.e 100 Mbps x 2 so 200 Mbps) then I want to have failover mechanism which use the backup link if my primary link falls. And, when the primary link is up, the virtual router reactive automatically this link

Of course, I need all my VLAN toggle automatically on the backup link for continuity of service for my users.

Ok for ECMP, so I need to create a second virtual router with the same configuration of my default configuration to permit a load balance traffic between this two links ? That's all ?

Thanks.

Re: Configure second ISP with failover and aggregation

BPry — Fri, 13 Apr 2018 20:23:01 GMT

@feelgood,

ECMP doens't require an additional virtual router; it's a feature available within the virtual router configuration that allows Load Balancing between both of the ISP links. The link HERE will go into how to actually configure ECMP.

Since ECMP is load-balancing the sessions between both of the uplinks, everything that you are looking for will work as best as it's able. You'll want to configure Path Monitoring on the route so that it actually gets taken out of action if it were to go down.

Re: Configure second ISP with failover and aggregation

feelgood — Sat, 14 Apr 2018 11:46:26 GMT

Hi,

Thank you very much @reaper and @BPry, I setup ECMP on my PA-220 on my virtual router with the "How To" suggests by @BPry and for the moment, it works very well.

When I unplug my primary link on my PA-220 for test, the traffic goes automatically on my secondary link. Furthermore, I see in "Traffic Logs" of my PA-220, the load balancing between the two interfaces.

So, now I'll monitor if all everything it's ok and try to configure GlobalProtect and IPSec on the second link.

Many thanks for your help guys.

PS : Do you know how I can change my pseudo display ?

Re: Configure second ISP with failover and aggregation

reaper — Sat, 14 Apr 2018 17:21:22 GMT

Glad to hear all is working!
You can change your display name from the support portal profile editor: https://live.paloaltonetworks.com/t5/Support-Articles/How-to-Change-Your-Community-Username-Display-Name/ta-p/58586

Re: Configure second ISP with failover and aggregation

4920441 — Mon, 07 Apr 2025 14:04:27 GMT

Hi,

AFAIR the problem with the ECMP implementation is, that Incoming DNAT's aren't working as intended any more, since the incoming essions are also diced in the ECMP manor, so only half of the packtes are routeted through the correct WAN Interface.

Or is this issue solves in the meantime?

Remember, in the real world you often deal with two different ISPs which discard martian ip addresses, as we don't live in the 1990ies any more 😞

Thank you very much for clearyying.