Active/Passive Firewalls w/Different ISP Default Routes

L0 Member

I have two PA 5220s running active/passive HA but connecting to dual ISPs. In a failover situation the passive firewall would assume the active firewall's default route but physically has a connection to the backup ISP's gateway, not the active ISP's. How do I configure this active/passive setup to allow the passive firewall to route to the backup ISP instead of the primary ISP? Hope this is clear!

L6 Presenter

@NateGantt

So you mean you have terminated ISP1 on the active firewall and ISP2 on the passive firewall, and when failover happens you are concerned about the default route, which points to the ISP1 gateway. Let me know if my understanding is wrong.

In this case you can have two default routes on the firewall. One will point to ISP1 with a lower metric, and the other default route will point to the ISP2 gateway with a higher metric than the first route. As the first route has the lower metric, it will be preferred.

For failover, you can add path monitoring for the first route (ISP1). You can monitor any internet IP. Once HA failover happens, the 2nd firewall has no physical connection to ISP1, so path monitoring will fail automatically and the 2nd default route will be added to the FIB.

Similarly, if the 1st firewall becomes active again, path monitoring will succeed and the route towards the ISP1 gateway will be active.

Just make sure you have proper security policies and NAT to allow internet access through ISP2.

Hope it helps!

Mayur
L7 Applicator

Does the primary firewall have an interface that's connected to the backup ISP?

Could you sketch how the firewalls are set up and where the ISPs are connected? Are they on subinterfaces of physical interfaces, does each ISP have its own interface, or are they shared?

There are plenty of solutions, but which one will work best kind of depends on how you are set up:

- default route with the backup having a slightly higher metric; upon failover the primary default route will fail, so the backup route will take over

- policy based forwarding that directs all traffic to the primary ISP, set to monitor the ISP router; upon failure (which will happen on PAN2) fall back to the default route to the secondary ISP

Tom Piens - PANgurus.com
Find my book at amazon.com/dp/1789956374
L0 Member

[Image attachment: Active-Passive PA_Diff Default Routes.gif]

Here is a drawing that I hope helps clear up any confusion. Currently running PAs in active/passive, so the outside interface is shared between the two; when failover happens, 128.109.181.34 will forward traffic to the primary default route. What I want to happen is that when failover occurs, traffic gets forwarded to the secondary default route.

Cyber Elite

Hello,

The following should work:

Create a Policy Based Forwarding rule to point at the primary ISP, that has a monitor and the box checked for "Disable this rule...."

Create a static default route to the secondary ISP

Since policy based forwarding takes effect before the virtual router, it should disable itself if the primary goes down and/or on a failover event.

Regards,
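To make the two designs in this thread (Mayur's two default routes with path monitoring on the ISP1 route, and OtakarKlier's PBF rule with a monitor plus a single default route to ISP2) concrete, here is an added example, not from the thread or from PAN-OS, that models how each chassis picks its egress next hop. The gateway addresses, route names and chassis names are constructed placeholders; the model assumes each firewall can reach only the ISP gateway it is physically cabled to, as in the drawing above, and that PBF is evaluated before the virtual router's FIB.

```python
# Added example, not from the thread: a small model of the two failover designs
# discussed above (metric + path monitoring vs. PBF with monitoring), so the
# behaviour on each chassis can be checked before touching a real PA pair.
# Route names, chassis names and gateway addresses are constructed placeholders.
from dataclasses import dataclass


@dataclass(frozen=True)
class StaticRoute:
    name: str
    nexthop: str
    metric: int
    path_monitor: bool = False  # when True the route is withdrawn if its monitor fails


@dataclass(frozen=True)
class PbfRule:
    name: str
    nexthop: str
    monitor: bool = True                  # monitor the next hop / a monitor IP
    disable_if_unreachable: bool = True   # the "Disable this rule..." checkbox from the thread


@dataclass(frozen=True)
class Chassis:
    name: str
    reachable: frozenset  # next hops this chassis can reach over its own cabling


ISP1_GW = "203.0.113.1"   # constructed placeholder: primary ISP gateway
ISP2_GW = "198.51.100.1"  # constructed placeholder: backup ISP gateway

# As in the drawing: PA01 only plugs into ISP1, PA02 only into ISP2.
PA01 = Chassis("PA01", frozenset({ISP1_GW}))
PA02 = Chassis("PA02", frozenset({ISP2_GW}))

# Original problem: two default routes, nothing monitored.
ROUTES_UNMONITORED = (
    StaticRoute("default-isp1", ISP1_GW, metric=10),
    StaticRoute("default-isp2", ISP2_GW, metric=20),
)
# Mayur's design: same routes, path monitoring on the ISP1 route.
ROUTES_MONITORED = (
    StaticRoute("default-isp1", ISP1_GW, metric=10, path_monitor=True),
    StaticRoute("default-isp2", ISP2_GW, metric=20),
)
# OtakarKlier's design: PBF towards ISP1 with a monitor, one default route to ISP2.
PBF_RULES = (PbfRule("pbf-isp1", ISP1_GW),)
ROUTES_PBF_DESIGN = (StaticRoute("default-isp2", ISP2_GW, metric=10),)


def fib(routes, chassis):
    """Routes installed in the FIB on this chassis, best metric first.

    A path-monitored route is withdrawn when its monitor fails; an unmonitored
    route stays installed even if its next hop is unreachable, which is exactly
    why the passive box keeps pointing at ISP1 after failover.
    """
    installed = [r for r in routes
                 if not r.path_monitor or r.nexthop in chassis.reachable]
    return sorted(installed, key=lambda r: r.metric)


def egress_nexthop(rules, routes, chassis):
    """Next hop the now-active chassis uses for Internet-bound traffic.

    PBF is evaluated before the virtual router's routing table, so an enabled
    PBF rule wins; a rule whose monitor has failed and that is set to disable
    itself is skipped and the lookup falls through to the FIB.
    """
    for rule in rules:
        if rule.monitor and rule.disable_if_unreachable \
                and rule.nexthop not in chassis.reachable:
            continue  # rule auto-disabled on this chassis
        return rule.nexthop
    installed = fib(routes, chassis)
    return installed[0].nexthop if installed else None


if __name__ == "__main__":
    scenarios = {
        "unmonitored (original problem)": ((), ROUTES_UNMONITORED),
        "metric + path monitoring": ((), ROUTES_MONITORED),
        "PBF + default to ISP2": (PBF_RULES, ROUTES_PBF_DESIGN),
    }
    for label, (rules, routes) in scenarios.items():
        for box in (PA01, PA02):
            print(f"{label:32} active={box.name} -> {egress_nexthop(rules, routes, box)}")
```

Running it shows the failure the original post describes (with nothing monitored, PA02 still sends traffic to the ISP1 gateway after failover) and that both proposed designs move PA02 to the ISP2 gateway while PA01 keeps using ISP1. Whichever design you pick on a real pair, the security policy and NAT for the ISP2 path still have to exist, as Mayur notes.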

L4 Transporter

@OtakarKlier Can this also be achieved by attaching a BFD profile to the primary ISP default route?

Cyber Elite

Hello,

I'm not an expert on BFD; however, it relies on static or other types of routing protocols, so this will utilize the virtual router. With some routing protocols this might work. However, I always try to use the simplest way, so if it doesn't work it's easier to figure out why.

Regards,

L6 Presenter

@NateGantt As per the design shared by you, you do not have any physical connectivity to the primary ISP on PA02, and in the same manner no physical connectivity to the secondary ISP on PA01. I think the steps given in my earlier post will resolve the issue.

Mayur