https://live.paloaltonetworks.com/t5/general-topics/queries-for-dual-isp-link/m-p/291975#M77330 <P>I am following this KB link to set this up&nbsp;<A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFiCAK" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFiCAK</A></P><P>&nbsp;</P><P>1/ So the documents says i have to setup 2 source NATs for each interface. Can we getaway by using the interface as ANY in NAT rule? What is the best practice?</P><P>2/ What about destination interface for the traffic coming to our hosted web-servers, Should there also be 2 destination NAT's? ISP will be re-routing/advertising our subnet on the faild-over link for traffic destined to us.</P><P>3/ What happens to HA, we have firewalls in Active-Passive, with path-monitoring profiles enabled on them. Should we disable path monitoring with dual links?</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 08 Oct 2019 15:56:24 GMT raji_toor 2019-10-08T15:56:24Z https://live.paloaltonetworks.com/t5/general-topics/queries-for-dual-isp-link/m-p/291975#M77330 <P>I am following this KB link to set this up&nbsp;<A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFiCAK" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFiCAK</A></P><P>&nbsp;</P><P>1/ So the documents says i have to setup 2 source NATs for each interface. Can we getaway by using the interface as ANY in NAT rule? What is the best practice?</P><P>2/ What about destination interface for the traffic coming to our hosted web-servers, Should there also be 2 destination NAT's? ISP will be re-routing/advertising our subnet on the faild-over link for traffic destined to us.</P><P>3/ What happens to HA, we have firewalls in Active-Passive, with path-monitoring profiles enabled on them. Should we disable path monitoring with dual links?</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 08 Oct 2019 15:56:24 GMT https://live.paloaltonetworks.com/t5/general-topics/queries-for-dual-isp-link/m-p/291975#M77330 raji_toor 2019-10-08T15:56:24Z https://live.paloaltonetworks.com/t5/general-topics/queries-for-dual-isp-link/m-p/292046#M77333 <P>If you are definitely trying to use Dual ISP with automatic VPN failover, I would follow the KB article exactly.</P><P>&nbsp;</P><P>As for the NAT rules, you definitely need to definite ingress interfaces vs using ANY.</P><P>&nbsp;</P><P>You should probably be using loopback IPs that are available on both ISPs, so that if 1 ISP fails, the 2nd ISP will still know about the 2nd loopback address and inbound/destination NAT can still work (need to test thoroughly)</P><P>&nbsp;</P><P>As for path monitoring, yes... i would agreed to turn it off from the HA config, but you need to ensure path monitoring is configured in your virtual router.&nbsp; This way, if the VR determines the 1st ISP is down, then it can remove the route from the FIB table, and send traffic to the ISP, using the 2 NAT rule.&nbsp; &nbsp;This is why you MUST define, in your NAT, what addressed is to be used, based on the interface, to ensure the correct NAT statement/IP is used.&nbsp;</P><P>&nbsp;</P><P>More questions? <span class="lia-unicode-emoji" title=":face_with_tongue:">😛</span></P><P>&nbsp;</P><P>let us know.&nbsp;</P> Wed, 09 Oct 2019 01:48:58 GMT https://live.paloaltonetworks.com/t5/general-topics/queries-for-dual-isp-link/m-p/292046#M77333 S.Cantwell 2019-10-09T01:48:58Z https://live.paloaltonetworks.com/t5/general-topics/queries-for-dual-isp-link/m-p/292146#M77361 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/113304">@S.Cantwell</a>&nbsp;Thanks for the answers. For us ISP providing L2/L3 still remains the same, its only physical link that goes to two different ISP's so that is not an issue. So I would be duplicating both the below NAT rules as an example with each destination interface, correct?</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/21737i3B02925EF3790E91/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span></P> Wed, 09 Oct 2019 15:09:26 GMT https://live.paloaltonetworks.com/t5/general-topics/queries-for-dual-isp-link/m-p/292146#M77361 raji_toor 2019-10-09T15:09:26Z