03-06-2023 01:44 AM
I'm new to Palo Alto and I'm looking for best-configuration advice for BGP with 2 ISPs and my own /24 network. At this moment I have established a BGP connection with both internet providers. I'm exporting the /24 to both ISPs, but outside I'm still being identified with the ISP IPs, not my own IPs. I'm looking for advice on how to configure the Palo Alto to be identified outside with my own IPs via both ISPs. I would also like to configure the WAN connections so that the internet from ISP 1 on ethernet1/1 is the main one and ISP 2 on ethernet1/2 is the backup: when the internet from ISP 1 is down, traffic will go through ISP 2, and when the internet comes back, traffic will be redirected to ISP 1 again.
03-06-2023 06:02 AM
You have peering IP on physical interface (ethernet1/x).
If you set up NAT with destination IP from this /24 range incoming traffic will already work.
If you want to establish IPSec tunnel using IP from this /24 range then add loopback interface using IP from this /24 range using /32 subnet mask.
For outgoing traffic:
If you want to load balance enable ECMP in virtual router.
If you want to have primary and secondary then set up path monitoring inside primary 0.0.0.0/0 route so it would be removed from routing table if destinations are inaccessible.
03-06-2023 07:00 AM - edited 03-07-2023 03:31 AM
Hi @michalpawlak ,
The advice from @Raido_Rattameister is good. I will include some and add my own:
Item 3a can be accomplished with BGP weight or local preference. In a nutshell, weight works for a single NGFW while local preference works for multiple NGFWs in the same BGP ASN. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClszCAC
Item 3b can be accomplished with conditional advertisement. Adjusting BGP attributes will not stop all traffic from coming in. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEUCA0
ECMP could get you twice the bandwidth. Symmetric return is needed to fix asymmetric routing for inbound traffic. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClF5CAK NATing traffic to the ISP IP interface address or putting both ISPs in the same zone will fix asymmetric routing for outbound traffic.
Going back to BGP, you could tune failover times by adjusting BGP timers or using BFD. You could add authentication as a security mechanism.
I heard of one case where the ISP lost some connectivity, but did not withdraw the default route from customers. If that happens to you, then consider static routes and path monitoring as @Raido_Rattameister suggested. Keep in mind if you use BGP to manipulate inbound traffic and static routes to manipulate outbound traffic the protocols may not be in sync.
03-06-2023 10:44 PM - edited 03-06-2023 10:45 PM
I really appreciate your support. So the best way to go is just to leave the 2 ISPs working as active/active with load balancing enabled, can you please advise? Another thing: let's say I'm receiving IPs from ISP 1: A.A.A.A and ISP 2: B.B.B.B, and my block is C.C.C.C/24. In the BGP configuration, for Router ID I set the IP from ISP 1, which is A.A.A.A. I'm not sure if that is the proper way to go? When I'm browsing the internet my IP is A.A.A.A, but I'd like to be identified as C.C.C.C. When I add a loopback interface with IP C.C.C.C/32 to the VR and set up NAT with source address: internal LAN and destination: C.C.C.C, then when I'm browsing the internet my IP address shows as C.C.C.C, which is absolutely fine, but I'm not sure if this is a good configuration? I could leave it like this, if it works it works 🙂, but this NGFW will be configured in a 24/7 environment so I can't afford any misconfiguration.
03-07-2023 03:29 AM
Hi @michalpawlak ,
Setting your BGP Router ID to C.C.C.C is fine. If you NAT to C.C.C.C, the traffic may go out one ISP and come back in another. If both ISPs are in the same zone, then it should work fine. If the ISPs are in different zones, then the return traffic will not match the session and be dropped.
I always advise that you test before putting it into production.
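The pieces the two replies above describe (a loopback from your own /24, source NAT to that loopback, both ISP interfaces in one zone so return traffic matches the session, and a primary/backup default route driven by path monitoring, with ECMP as the active/active alternative) fit together as one PAN-OS configuration. The block below is an added example written for this thread, not configuration posted by either replier or published by Palo Alto Networks. Placeholders are assumptions: A.A.A.A/30 and B.B.B.B/30 stand for the ISP-assigned interface addresses, A.A.A.1 and B.B.B.1 for the ISP gateways, C.C.C.0/24 for the customer block with C.C.C.1 as the loopback, and `trust`/`untrust` for the zone names. Lines starting with `#` are annotations only (the PAN-OS CLI does not accept them), and the exact keywords should be confirmed with `?` completion in configure mode on your PAN-OS version before committing.

```text
configure

# 1. Loopback carrying an address from the customer's own /24 (assumed C.C.C.1),
#    so outbound traffic can be sourced from the /24 rather than the ISP address.
set network interface loopback units loopback.1 ip C.C.C.1/32

# 2. Both ISP interfaces AND the loopback in the same zone and the same virtual
#    router. If ISP1 and ISP2 were in different zones, a reply that comes back
#    via the other ISP would not match the session and would be dropped.
set zone untrust network layer3 [ ethernet1/1 ethernet1/2 loopback.1 ]
set network virtual-router default interface [ ethernet1/1 ethernet1/2 loopback.1 ]

# 3. Primary/backup default routes. ISP1 (metric 10) is preferred over ISP2
#    (metric 20). Path monitoring on the ISP1 route withdraws it from the
#    routing table when the probes fail, so the ISP2 route takes over; it is
#    reinstalled after the probes succeed again for hold-time minutes.
set network virtual-router default routing-table ip static-route ISP1-default destination 0.0.0.0/0 interface ethernet1/1 nexthop ip-address A.A.A.1 metric 10
set network virtual-router default routing-table ip static-route ISP2-default destination 0.0.0.0/0 interface ethernet1/2 nexthop ip-address B.B.B.1 metric 20
set network virtual-router default routing-table ip static-route ISP1-default path-monitor enable yes failure-condition any hold-time 2
# Probe source = the ethernet1/1 address (assumed A.A.A.A/30); destination should
# be something reachable only through ISP1, 8.8.8.8 is used here as a placeholder.
set network virtual-router default routing-table ip static-route ISP1-default path-monitor monitor-destinations ISP1-probe enable yes source A.A.A.A/30 destination 8.8.8.8 interval 3 count 5

# 3b. Alternative to step 3 for active/active: ECMP over both default routes
#     (set both routes to the same metric), with symmetric return so replies to
#     inbound sessions leave through the ISP they arrived on.
# set network virtual-router default ecmp enable yes max-path 2 symmetric-return yes

# 4. Source NAT: LAN to Internet translated to the loopback address, so the
#    outside world sees C.C.C.1 whichever ISP the packet leaves through.
set rulebase nat rules outbound-snat from trust to untrust source any destination any service any source-translation dynamic-ip-and-port translated-address C.C.C.1

commit
```

After the commit, `show routing route` should list only the ISP1 default route while its probes succeed, and the ISP2 route once they fail; a source-NAT check with `test nat-policy-match` from an internal address confirms the translated source is C.C.C.1. Remember that the BGP-advertised /24 steers inbound traffic while these static routes steer outbound traffic, so, as noted above, the two can fall out of sync if an ISP keeps advertising but loses reachability.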