Not sure this is the right venue or forum to post this, but I’m looking to set up an automated failover to a backup ISP line per the attached network diagram of my environment.
I’m new to PAN and the PAN way of doing things so thought I’d reach out for some advice before making changes. It’s quite hard, compared to Cisco, for example, to find a lot of content , blogs or user support forums on PAN configurations etc. I did find this article here…. and it’s almost what I want to do.
The article talks about using a PBR with a monitor - and when the monitor (ie a ping to the next hop gateway of the main ISP) fails, internet bound traffic is routed via the default static route to the BackUp ISP. All makes sense….except the part about using a “negate” statement for your internal servers….so that traffic to those local servers would not use the PBR. Why would it? That local traffic bound to those servers would not even hit the firewall to begin with. So that’s something I’d like to clarify.
Also,,I could achieve this config using a single Virtual Router? With a static default router out to my BackUp ISP modem\router….and return routes to my internal subnets... then config a PBR to route all my ISP bound traffic via the Main ISP?? Am I understanding this correctly?
And I’m thinking my NAT rule only needs to apply to the MAIN isp interface (Int 7) since I won’t need NAT for the BackUp ISP interface (int 8) - the Natting is done on the modem\router for the BackUp ISP.
Anyway….really appreciate any guidance from more seasoned PAN people )
Thanks and look forward to your responses !
Please go through the below link it would give detailed explanation on how to set up Dual ISP on failover:
I would rather suggest to have two VR's rather than the single VR as that would give us an option of having 2 default routes instead of having one default route in case of single virtual router setup.
Hope this helps.
While i agree setting it up with two VR's does make for a simpler config. However that can play tricks if you are running dynamic routing on the inside of your network. For that reason, I had to do the same with just 1 VR and it worked just fine.
Just my thoughts.
Its bascially using policy based forwarding along with monitoring. Here is the link to the article i used in the past. It was made with older version of code, but it still works.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!