Does the same requirement for multiple routers hold true with ECMP to keep the tunnels active, or is it different now?
I don't see a requirement for more than one virtual router. (Yes, I would use 2, but just to separate internal and external routing). Actually I don't really see a technical reason why you use 2 VRs today, as it is also possible to keep all tunnels up and running (with tunnel monitoring and/or PBF monitoring).
In any case with PAN-OS 8 and the route monitoring there is no need for PBF rules in your case.
I wanted to give a report on how this all went.
I ended up going active-standby on the ISPs since while the primary ISPs are symmetric upload/download, the secondaries aren't, which makes balancing a challenge with ECMP.
I used two virtual routers in the active-standby ISP config to keep all ipsec tunnels up and running all the time. When I tried to use a single VR, I could only have one active default route at a time, so the standby tunnels weren't up and running. With two VRs, all the tunnels are up and running all the time. I have one main VR where most everything terminates including ipsec tunnels and the primary ISP, and another VR where just the standby ISP terminates. In the main VR I set up path monitoring for the primary ISP default route, and if it drops, have a default route with a higher metric that goes to the next VR.
I also used OSPF to handle the tunnels. It worked really well, was relatively easy, and handles tunnel failover very nicely, as well as saving me from entering a ton of static routes.
Thanks for all your help!
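The two-VR layout the poster describes, written out as PAN-OS `set` commands; this is an added illustration, not the poster's configuration, and the VR names, interfaces, addresses and timers are assumed values (the command keys are from memory and should be checked against the PAN-OS 8 CLI reference before use):

```text
# Main VR: primary ISP default route, withdrawn by path monitoring when the probe fails
set network virtual-router VR-Main routing-table ip static-route ISP1-Default destination 0.0.0.0/0
set network virtual-router VR-Main routing-table ip static-route ISP1-Default interface ethernet1/1
set network virtual-router VR-Main routing-table ip static-route ISP1-Default nexthop ip-address 203.0.113.1
set network virtual-router VR-Main routing-table ip static-route ISP1-Default metric 10
set network virtual-router VR-Main routing-table ip static-route ISP1-Default path-monitor enable yes
set network virtual-router VR-Main routing-table ip static-route ISP1-Default path-monitor failure-condition any
set network virtual-router VR-Main routing-table ip static-route ISP1-Default path-monitor hold-time 2
set network virtual-router VR-Main routing-table ip static-route ISP1-Default path-monitor monitor-destinations ISP1-Probe enable yes
set network virtual-router VR-Main routing-table ip static-route ISP1-Default path-monitor monitor-destinations ISP1-Probe source 203.0.113.2/24
set network virtual-router VR-Main routing-table ip static-route ISP1-Default path-monitor monitor-destinations ISP1-Probe destination 203.0.113.1
set network virtual-router VR-Main routing-table ip static-route ISP1-Default path-monitor monitor-destinations ISP1-Probe interval 3
set network virtual-router VR-Main routing-table ip static-route ISP1-Default path-monitor monitor-destinations ISP1-Probe count 5

# Main VR: fallback default route with a higher metric that hands traffic to the standby VR
set network virtual-router VR-Main routing-table ip static-route Fallback-to-ISP2 destination 0.0.0.0/0
set network virtual-router VR-Main routing-table ip static-route Fallback-to-ISP2 nexthop next-vr VR-ISP2
set network virtual-router VR-Main routing-table ip static-route Fallback-to-ISP2 metric 20

# Standby VR: only the standby ISP interface lives here, so its default route stays installed
set network virtual-router VR-ISP2 interface ethernet1/2
set network virtual-router VR-ISP2 routing-table ip static-route ISP2-Default destination 0.0.0.0/0
set network virtual-router VR-ISP2 routing-table ip static-route ISP2-Default interface ethernet1/2
set network virtual-router VR-ISP2 routing-table ip static-route ISP2-Default nexthop ip-address 198.51.100.1
set network virtual-router VR-ISP2 routing-table ip static-route ISP2-Default metric 10

# Standby VR: return route so replies for internal networks (assumed 10.0.0.0/8) go back to the main VR
set network virtual-router VR-ISP2 routing-table ip static-route Internal-via-Main destination 10.0.0.0/8
set network virtual-router VR-ISP2 routing-table ip static-route Internal-via-Main nexthop next-vr VR-Main
```

Probing the ISP gateway itself only detects a dead link; pointing the monitor at an address beyond the ISP edge also catches upstream failures, at the cost of false failovers if that target is unreachable for unrelated reasons.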