We are in the process of replacing an internet facing Check Point (NokiaIP560) deployment with Palo Alto (PA-2050) running PAN-OS 5.0.9.
The current checkpoint deployment has two equal cost default routes to the upstream providers routes. These two next hop IP addresses are the multi-group VRRP IP addresses to achieve outbound load sharing. Below is the "show route" output from the Check Point firewalls routing table, it appears to show two equal cost static default routes.
S 0.0.0.0/0 via x.x.x.209, eth-s4p1c0, cost 0, age 31245795
via x.x.x.210, eth-s4p1c0
Does anyone know if Palo Alto will support the above equal cost/metric default route in the way Check Point does?
If we attempt to add the two static routes as above, the commit fails with the error:
In virtual-router default, the static route Default-2 metric value 10 is not unique among static routes to destination 0.0.0.0/0.(Module: routed)
Config commit phase 1 aborted(Module: device)
If we are not able to duplicate the Check Point routing, we believe this would mean sending all outbound traffic on a single default route to a single upstream router IP address, and essentially loose the ability to load share the two upstream Internet circuits thus loosing 50% of outbound bandwidth.
Does anyone have any suggestions on our scenario?
Solved! Go to Solution.
PanOS does not support equal cost multipath at this point (ECMP).
You will have to use policy based routing (PBR) and choose only one active default route.
This is a sample configuration to use PBR for a simple failover only setup with dual isp. You would need to setup multiple PBR rules to push traffic out both ISP at the same time using different criteria.
You can take it one step further with PBR. You could create a policy that says:
- policy-route 1/2 the users through ISPA
- policy-route the other users through ISPB
- policy-route all users through ISPA
- policy-route all users through ISPB
This way, if both connections are up (as determined by the PBR Monitor / Health Check), then you get utilization out of both ISPs. Still not as nice as ECMP would be, but it's one way to get utilization out of both links when they're both up and running.
Thanks for the quick answers!
It's very disappointing that PA do not support ECMP, especially as our current CheckPoint platform does: Routing Options
Anyway we are raising this "feature" with our SE to confirm if it is under development.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!