For details on cookie usage on our site, read our Privacy Policy
Nominated Discussion: Dual ISP Global Protect Redundancy
- LIVEcommunity
- Articles
- General Articles
- Nominated Discussion: Dual ISP Global Protect Redundancy
- Subscribe to RSS Feed
- Mark as New
- Mark as Read
- Printer Friendly Page
- Mark as New
- Subscribe to RSS Feed
- Permalink
on 11-03-2022 10:23 AM - edited on 11-03-2022 10:24 AM by jforsythe
This article is based on a discussion, Dual ISP Global Protect Redundancy, posted by @DonohoeRobert. Thank you for the insight!
Hi Team,
I hope ye all are well. We recently worked a case for a customer that had dual ISP configuration and wanted the Palo Alto Networks device to provide redundancy for the Global Protect Portal and Gateways in the event one ISP went down. We came up with a handy way of providing this using NAT rules and a loopback and I am posting this to share with the community.
There are some screenshots from the lab below. Eth1/1 & Eth1/2 represent ISP-A and ISP-B.
We popped the Global Protect Portal and Gateway on a loopback interface.
We created two NAT rules to bounce the incoming traffic whether its from ISP-A or ISP-B to the loopback address.
The system has two Virtual Routers for both ISP's. VR-A and VR-B. VR-A has the loopback interface added.
Virtual Router B has a static route to VR-A which has a route to the loopback interface with the Portal and Gateway.
This simple setup allows access to the portal and gateway from either ISP interfaces. We simulated one ISP failing and changed the A record of the portal fqdn to resolve to the other interface and the users could connect without any input or changes from the end user. There are a number of ways to automate dns integrity and failover to resolve to a different ip address if it can't resolve to another. Beyond the scope of Palo Alto. Infoblox and Route 53 can provide these features. If you just have an MS server, changing the A record from one IP to another isn't a massive task.
Hope this helps few others and is nice way to provide an extra layer of redundancy for networks to big to fail.
Best regards,
Robert D
- Nominated Discussion: What Cloud Services are Affected by CVE-2020-1982? in General Articles
- Nominated Discussion: External DHCP Server Configuration in General Articles
- Nominated Discussion: Palo Alto Cluster Questions in General Articles
- Nominated Discussion: Can't Download Panorama For ESX OVA in General Articles
- Nominated Discussion: Test Command Does Not Work in General Articles
-
"Address Objects"
1 -
10.0
1 -
10.1
2 -
10.2
3 -
8.1
1 -
9.0
1 -
9.1
1 -
Active-Passive
1 -
AD
1 -
address objects
1 -
admin roles
1 -
administration
4 -
Administrator Profile
1 -
Advanced URL Filtering
2 -
Alibaba
2 -
Alibaba Cloud
3 -
Ansible
1 -
antivirus
1 -
API
1 -
applications
1 -
Authentication
6 -
Authentication Profile
1 -
Authentication Sequence
1 -
automatically acquire commit lock
1 -
automation
1 -
AWS
4 -
Azure
1 -
Basic Configuration
3 -
Beacon
1 -
Beacon2020
1 -
Best Practices
1 -
Block List
1 -
categories
1 -
certificates
1 -
Chrome Search Extension
1 -
CLI
4 -
CLI Command
3 -
Cloud Automation
1 -
Cloud Identity Engine
1 -
Cloud Security
1 -
Commit Process
1 -
Community News
1 -
Configuration
9 -
Configure Next Generation Firewall
1 -
console
1 -
Cortex
1 -
Cortex Data Lake
2 -
Cortex XDR
4 -
COVID-19
1 -
cyber elite
1 -
Cyberelite
10 -
dag
2 -
Debug
1 -
debugging
1 -
Default Policy
1 -
Deployment
1 -
discussions
1 -
EDL
2 -
Education
1 -
Education and Training
1 -
Education Services
1 -
Effective Routing
1 -
Endpoint
1 -
ESXi
1 -
Events
1 -
Expedition
1 -
failover
1 -
FAQ
1 -
Filtering
1 -
Firewall
1 -
Firewall VM-Series
1 -
gateway
1 -
Gateway Load Balancer
2 -
Gateway Loadbalancer
2 -
gcp
5 -
geolocation
1 -
Getting Started
1 -
Github
1 -
Global Protect
1 -
Global Protect Cookies
1 -
GlobalProtect
6 -
GlobalProtect App
1 -
globalprotect gateway
1 -
GlobalProtect Portal
2 -
google
1 -
Google Cloud
1 -
google cloud platform
4 -
GWLB
3 -
Hardware
1 -
hash
1 -
High Availability
1 -
How to
1 -
HTTP
1 -
https
1 -
ike
2 -
IoT
2 -
IoT Security
1 -
IPSec
2 -
kerberos
1 -
Kubernetes
1 -
Layer 2
2 -
Layer 3
1 -
Learning
1 -
licenses
1 -
local user
2 -
log forwarding
1 -
Log4Shell
1 -
Logging
1 -
Logs
1 -
Malware
1 -
Management
8 -
Management & Administration
4 -
MFA
1 -
microsoft
2 -
Microsoft 365
1 -
minemeld
25 -
multi factor authentication
1 -
multi-factor authentication
1 -
multi-vsys
1 -
network security
33 -
network-security
1 -
Networking
1 -
New Apps
1 -
News
1 -
next-generation firewall
36 -
next-generation firewall. network security
1 -
Next-Generation Firewall. NGFW
2 -
NGFW
19 -
NGFW Configuration
10 -
Objects
2 -
Oracle Cloud
1 -
Oracle Cloud Infrastructure
1 -
OTP
1 -
PA-3200 Series
1 -
PA-400
1 -
pa-440
2 -
PA-800 Series
1 -
pa-820 firewall
1 -
packet debug
1 -
packet diag
1 -
PAN-Os
13 -
PAN-OS 10.2
1 -
PAN-OS 11.0
1 -
PAN-OS 9.1
1 -
Panorama
6 -
Panorama 8.1
1 -
Panorama 9.1
1 -
Panorama Configuration
2 -
Panorama HA
1 -
PBF
1 -
PCNSA
1 -
PCNSE
1 -
policy
3 -
Policy Based Forwarding
1 -
Prisma
1 -
Prisma Access
5 -
prisma SD-WAN
1 -
QRadar
1 -
Radius
1 -
Ransomware
1 -
region
1 -
Registration
1 -
Release Notes
1 -
Routing
1 -
SAML
1 -
SASE
2 -
SD-WAN
1 -
Search
1 -
Security Advisory
1 -
Security automation
1 -
security policy
4 -
security profile
1 -
Security Profiles
2 -
Session Packet
1 -
Setup & Administration
5 -
Split Tunneling
1 -
SSL
1 -
SSL Decryption
2 -
SSL Forward Proxy
1 -
SSO
1 -
Support Guidance
1 -
syslog
1 -
Tag
2 -
Tags
2 -
Terraform
2 -
TGW
3 -
threat prevention
2 -
Threat Prevention License
1 -
Threat Prevention Services
1 -
Tips & Tricks
1 -
tls
1 -
Transit Gateway
1 -
Traps
1 -
Troubleshoot
1 -
Troubleshooting
3 -
tunnel
1 -
Tutorial
2 -
Ubuntu 16.04
1 -
upgrade
2 -
upgrade-downgrade
3 -
url categories
1 -
URL Filtering
2 -
URL-Filtering
1 -
User ID Probing
1 -
User-ID
1 -
User-ID & Authentication
1 -
User-ID mapping
1 -
userid
1 -
VM-Series
12 -
VM-Series on AWS
5 -
VM-Series on GCP
1 -
VPN
2 -
VPNs
3 -
Webinar
1 -
WildFire
2 -
wmi
1 -
XDR
1 -
xml
1 -
XML API
1
- Previous
- Next
