How to Configure Dual ISP Network with GlobalProtect VPN using a Virtual Router and Policy-Based Forwarding



This document explains how to configure a Palo Alto Networks firewall that has a dual ISP connection in combination with GlobalProtect VPN. One ISP link is used for non-VPN traffic and the other is used exclusively for GlobalProtect VPN traffic.

Configuration Goals:

  • Dual ISP connection in combination with VPN tunnels.
  • Simple GlobalProtect VPN Gateway/Portal and Client
  • 1 ISP is preferred for LAN to Internet traffic - Default route towards ISP1
  • Other ISP link used for GlobalProtect VPN traffic


ISP1 is used as the primary ISP. ISP2 is the GlobalProtect VPN traffic ISP.

Palo Alto Networks firewall version: 5.0.6 (any version >= 4.1.x can be used)


Interface Configuration

Configure four interfaces:

  • Ethernet 1/1 - LAN Zone interface
  • Ethernet 1/2 - ISP1 Zone interface
  • Ethernet 1/3 - ISP2 Zone interface
  • tunnel.1 - VPN Zone interface

[Screenshots: interface and zone configuration]

The VPN Zone

GlobalProtect VPN is configured later in this document. A requirement for the VPN to function is a Layer 3 tunnel interface. This interface is a virtual interface that has all the features of a physical interface. As such, it can be placed in a zone of its own.

In this configuration the tunnel.1 interface is placed in the VPN zone. Whenever VPN traffic is initiated by a GlobalProtect client, the firewall sees this traffic as coming from the tunnel.1 interface and the VPN zone. The VPN traffic needs to reach the ISP2 zone.

Network Security Configuration

Configure basic networking and Security Policies to allow traffic between:

  • LAN and ISP1
  • VPN and ISP2


Add Default Route to ISP1:

[Screenshot: static default route towards ISP1]

Allow traffic to the 2 ISPs by using NAT Rules

In order for the outgoing traffic to be translated from internal IP addresses to outside IP addresses, we need to use some kind of Source NAT. In this example Dynamic IP and Port NAT is used. The global IP will be the IP address of the outgoing interface.

NAT to ISP1:

  • Source zone: any
  • Destination zone: ISP1
  • NAT Type: Source NAT
  • Source translation: Dynamic IP and Port; Interface: Ethernet 1/2; IP address:

NAT to ISP2:

  • Source zone: any
  • Destination zone: ISP2
  • NAT Type: Source NAT
  • Source translation: Dynamic IP and Port; Interface: Ethernet 1/3; IP address:

[Screenshot: NAT rules for ISP1 and ISP2]

At this point, traffic should be able to reach ISP1 from the LAN, and ISP2 from the GlobalProtect VPN once it is configured.

ISP1 Connection Test


[Screenshot: ISP1 connection test]

Policy-Based Forwarding

Since we are passing the default route to the GlobalProtect client, the default behavior of the firewall is to route the client's packets towards ISP1, because of the default route set up in the static routes of the Virtual Router.

The PBF rule will modify the routing behavior in the following way:

All packets initiated from interface tunnel.1 that are heading for any address other than the directly connected LAN subnetwork or the directly connected ISP1 subnetwork are forwarded to interface ethernet1/3, going to ISP2. The next hop is the IP of the ISP2 router that leads to the Internet. There is no need for Symmetric Return, since the NAT rule will identify the NATed sessions and translate the return packets back to the original internal IP. This rule overrides the routing decision for all packets originating from the GlobalProtect tunnel interface and going to an unknown address.
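The forwarding decision described above (PBF consulted before the virtual router, then the Dynamic IP and Port NAT from the NAT section) as an added Python model; it is not PAN-OS code or the article's own configuration, and the addresses are constructed because the article blanks out its real ones.

```python
import ipaddress

# Constructed topology: RFC 5737 documentation ranges stand in for the two ISP
# links and a private range for the LAN (the article elides the real addresses).
LAN_SUBNET = ipaddress.ip_network("192.168.10.0/24")    # ethernet1/1, zone LAN
ISP1_SUBNET = ipaddress.ip_network("198.51.100.0/24")   # ethernet1/2, zone ISP1
ISP2_SUBNET = ipaddress.ip_network("203.0.113.0/24")    # ethernet1/3, zone ISP2
ISP1_NEXTHOP, ISP2_NEXTHOP = "198.51.100.1", "203.0.113.1"

# The virtual router: connected routes plus the one static default route to ISP1.
ROUTING_TABLE = [
    (LAN_SUBNET, "ethernet1/1", None),
    (ISP1_SUBNET, "ethernet1/2", None),
    (ISP2_SUBNET, "ethernet1/3", None),
    (ipaddress.ip_network("0.0.0.0/0"), "ethernet1/2", ISP1_NEXTHOP),
]

# Dynamic IP and Port NAT: the source becomes the egress interface address.
SOURCE_NAT = {"ethernet1/2": "ISP1 interface IP", "ethernet1/3": "ISP2 interface IP"}


def pbf_match(ingress, dst):
    """The article's PBF rule: from tunnel.1, destination NOT in the directly
    connected LAN or ISP1 subnets -> egress ethernet1/3, next hop ISP2 router."""
    if ingress != "tunnel.1":
        return None
    if dst in LAN_SUBNET or dst in ISP1_SUBNET:   # the negated destination list
        return None
    return "ethernet1/3", ISP2_NEXTHOP


def route_lookup(dst):
    """Longest-prefix match over the virtual router (the default route always matches)."""
    best = max((r for r in ROUTING_TABLE if dst in r[0]), key=lambda r: r[0].prefixlen)
    return best[1], best[2]


def forward(ingress, dst_ip, link_up=None):
    """PBF is evaluated before the routing table, which is why the default route
    towards ISP1 does not stop GlobalProtect traffic from leaving via ISP2."""
    link_up = link_up or {"ethernet1/2": True, "ethernet1/3": True}
    dst = ipaddress.ip_address(dst_ip)
    egress, nexthop = pbf_match(ingress, dst) or route_lookup(dst)
    return {
        "egress": egress,
        "nexthop": nexthop,
        "source_nat": SOURCE_NAT.get(egress),
        # No path monitoring on the rule: a dead ISP2 link is still selected,
        # which is the "no failover" note at the end of the article.
        "delivered": link_up.get(egress, True),
    }
```

Passing a `link_up` map with `ethernet1/3` set to False shows that the rule keeps steering VPN traffic into the down link, so a second rule with monitoring would be needed for failover.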

[Screenshots: PBF rule - source interface tunnel.1, negated destinations, forward to ethernet1/3 with ISP2 next hop]

GlobalProtect Configuration

This implementation of GlobalProtect is a basic one, without any special features.

For a more detailed GlobalProtect configuration, check other Knowledge Base articles, Configuration Guides or the official Administration Guide in addition to the following references:

  • How to Configure GlobalProtect
  • How to Generate a New Self-Signed Certificate
  • GlobalProtect Configuration Tech Note

GlobalProtect Setup

Gateway IP:

GlobalProtect Client IP Pool: ->

Tunnel Interface: tunnel.1

Tunnel Interface IP:

Routes passed to clients: - The clients will have as default gateway - tunnel.1 interface

Detailed configuration:


[Screenshot: GlobalProtect setup overview]

GlobalProtect Gateway

[Screenshots: GlobalProtect Gateway configuration]

GlobalProtect Portal

[Screenshots: GlobalProtect Portal configuration]

Also, the user authentication needs to be configured in the Local Database:

[Screenshot: Local Database user authentication]

Once this is set up, the GlobalProtect Client should be able to connect to the GlobalProtect Gateway:

Client Connection to GlobalProtect

Connection is successful. Assigned IP address is


A virtual interface is created on the Windows machine:

[Screenshot: GlobalProtect virtual adapter on Windows]

And the default route is injected:

[Screenshot: routes injected by GlobalProtect]

Connection to the Internet through ISP2 is working:

[Screenshot: traceroute through ISP2]

Note: This configuration does not provide failover if either of the ISPs becomes unreachable.

owner: bbolovan


Hi all,

Just a detail: this doc is only for GP with an internal Gateway. Meaning, if you want to create a GP tunnel from your LAN going outside.

The title needs to be more precise.

Hope this helps