Configure DUAL ISP

L4 Transporter

Configure DUAL ISP

We now have two ISPs.

We want to configure the PA so that when the first ISP is down, the traffic (in and out) passes to the second ISP.

Can you please give me a guide about it?

L7 Applicator

Re: Configure DUAL ISP

Hello,

I have done this many times with a lot of success. Here is a guide using PBF:

https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/policy/use-case-pbf-for-outbound-acc...

Hope that helps.

L5 Sessionator

Re: Configure DUAL ISP

Now you can do a similar thing with path monitoring in static routes as well.

Community Manager

Re: Configure DUAL ISP

If you simply want redundancy, you can set the secondary ISP to a higher metric.

You can add PBF on top of this to split off some traffic for bandwidth optimization.

If both ISPs are equal in performance and you have no special needs for certain types of traffic, you can also look into ECMP:

Equal-Cost Multi-Path Routing (ECMP)


Help the community: Like helpful comments and mark solutions
Reaper out
L4 Transporter

Re: Configure DUAL ISP

No, I want redundancy.

The one thing is that after the first link shut down, traffic passed to the second link, but when we brought it back, it didn't pass to the first one again.

L7 Applicator

Re: Configure DUAL ISP

Hello,

How do you have it configured? If using PBF and Monitoring, it should fail back once the monitoring sees that the IP you are monitoring is back up.

Regards,

L4 Transporter

Re: Configure DUAL ISP

When I pass to the backup route, the connection passes to the second ISP but there is NO internet for internal hosts.

I have to put the NAT rule of the second ISP above the first NAT rule (ISP 1).

And then when I bring back the first ISP, it does not pass to the FIRST ISP. Preemptive time is 1 minute.

PAN-OS 8.0.10

PA-500

Community Manager

Re: Configure DUAL ISP

Make sure to add the 'egress interface' setting to the NAT rules; this will prevent that issue from occurring.


Help the community: Like helpful comments and mark solutions
Reaper out
L4 Transporter

Re: Configure DUAL ISP

Can you please explain to me how to do it? Is it in the Policy > NAT > NAT Rules section?

Community Manager

Re: Configure DUAL ISP

It's recommended to assign each ISP its own zone, but this will require more security policies.

If instead you assign both ISPs the same zone, security policies will be simpler to manage, but the NAT policies may get 'confused' about what to do. Adding 'destination interface' to the requirements lets NAT know which rule to apply when an ISP goes down and packets are routed over a different interface:

[Screenshot: identical NAT.png]


Help the community: Like helpful comments and mark solutions
Reaper out
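
Added example (not part of the thread and not Palo Alto Networks code): a simplified Python model of top-down, first-match NAT rule selection, showing why two same-zone NAT rules need a destination interface to survive failover and failback. The zone names, rule names, interface names and addresses are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample values: interface names and documentation-range addresses.
ISP1_IF, ISP2_IF = "ethernet1/1", "ethernet1/2"
ISP_ADDR = {ISP1_IF: "198.51.100.10", ISP2_IF: "203.0.113.10"}

@dataclass
class NatRule:
    name: str
    src_zone: str
    dst_zone: str
    translated_src: str
    dst_interface: Optional[str] = None  # None behaves like "any"

def egress_interface(isp1_up: bool) -> str:
    """Route lookup: primary route while ISP1 is up, higher-metric backup otherwise."""
    return ISP1_IF if isp1_up else ISP2_IF

def select_nat(rules, src_zone, dst_zone, egress):
    """Top-down, first-match evaluation (simplified model of rule selection)."""
    for r in rules:
        if (r.src_zone, r.dst_zone) != (src_zone, dst_zone):
            continue
        if r.dst_interface not in (None, egress):
            continue
        return r
    return None

def nat_is_consistent(rules, isp1_up):
    """True when the translated source belongs to the interface the packet leaves on."""
    egress = egress_interface(isp1_up)
    rule = select_nat(rules, "trust", "untrust", egress)
    return rule is not None and rule.translated_src == ISP_ADDR[egress]

# Both ISPs share the "untrust" zone, so zone matching alone cannot tell them apart.
AMBIGUOUS = [
    NatRule("NAT-ISP1", "trust", "untrust", ISP_ADDR[ISP1_IF]),
    NatRule("NAT-ISP2", "trust", "untrust", ISP_ADDR[ISP2_IF]),
]
# Same rules with the destination interface pinned per ISP.
PINNED = [
    NatRule("NAT-ISP1", "trust", "untrust", ISP_ADDR[ISP1_IF], ISP1_IF),
    NatRule("NAT-ISP2", "trust", "untrust", ISP_ADDR[ISP2_IF], ISP2_IF),
]

if __name__ == "__main__":
    for label, rules in (("ambiguous", AMBIGUOUS), ("pinned", PINNED)):
        for up in (True, False):
            print(label, "ISP1 up" if up else "ISP1 down", nat_is_consistent(rules, up))
```

In this model, swapping the order of the ambiguous rules only moves the mismatch to the other ISP, while the pinned rules select the right translation in either order.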