External BGP Static Route Advertisement, with Path Monitoring an inside net

TomElkins — Mon, 10 Aug 2020 18:42:06 GMT

I have an existing LAN with two data centers. The firewalls at each are not in a cluster, and have different internal/external connections and tunnels, so changing to active/active it not possible. They each have separate DMZ's right now.
We need to build a new redundant DMZ.
I've implemented static routes with next hop of none for my Public IP's on each Palo, one side prepends the AS 3x times all routes learned correctly on the eBGP devices.
If either site goes down entirely, everything works as expected, all traffic in/out goes via the operational ISP BGP connection.
Issue is I need to monitor some internal addresses, so if only the router or switch goes down the Palo will stop advertising those static routes.
I've played around with static path monitoring, but issue is I can't path monitor on a different segment than I'm advertising on.
1. The palo will not allow me to add the static route with external interface, and then monitor another IP via the internal interface (generic ping works, if I ping using Bypass routing table and use specified interface it doesn't).
2. Setup a NAT to the internal switch interface, and tried to ping that, same thing, also tried adding static route of the NAT and internal IP to that VR and no change.
I don't want to add any more hardware or reconfigure the existing Palo's as Active/Active between the sites if I can help it.
See attached diagram.

Re: External BGP Static Route Advertisement, with Path Monitoring an inside

TomElkins — Mon, 10 Aug 2020 18:47:17 GMT

topic External BGP Static Route Advertisement, with Path Monitoring an inside net in General Topics

External BGP Static Route Advertisement, with Path Monitoring an inside net

Re: External BGP Static Route Advertisement, with Path Monitoring an inside