I have two PA 5220s running active/passive and HA but connecting to dual ISPs. In a failover situation the passive firewall would assume the active firewalls default route but physically has a connection to the backup ISPs gateway not the active ISPs. How do I configure this active/passive config to allow the passive firewall to route to the backup ISP, instead of the primary ISP? Hope this clear!
So you mean, you have terminated ISP1 on Active firewall and ISP2 on passive firewall. And when failover happens, you are concerned about the default route which is pointed to ISP1 gateway.. Let me know if my understanding is wrong.
In this case you can have two default routes on the firewall. One will be pointing to ISP1 with lower matric and other default route will be pointing to ISP2 gateway with higher matric than first route. As First route has lower matric, it will get preferred.
For failover, you can add path monitoring for First route of ISP1. You can monitor any internet IP. So once HA failover happens, on 2nd Firewall, there won't be physical connection to ISP1 from that firewall and automatically path monitoring will fail and 2nd default route will get added into FIB.
Similarly if again 1st firewall becomes active, Path monitoring will be successful and route towards ISP1 gateway will be active.
Just make sure you have proper security policies and NAT to allow internet through ISP2.
Hope it helps!
Does the primary firewall have an interface that's connected tot the backup ISP?
could you sketch how the firewalls are set up and where the ISPs are connected? are they on sub interfaces of physical interfaces, does each interfce have their own interface or are they shared?
there's plenty of solutions but it kinda depends how you are set up which one will work best:
- default route with backup having a slightly higher metric, upon filover the primary default route will fail so the backup route will take over
- policy based forwarding that directs all traffic to the primary ISP set to monitor the isp router, upon failure (which will happen on pan2) fail back to default route to secondary isp
Here is a drawing that I hope helps clear up any confusion. Currently running PAs in active/passive so the outside interface is shared between the two so when failover happens, 22.214.171.124 will forward traffic to primary default route. what I wan to happen is when failover occurs, traffic get forwarded to secondary default route.
The following should work:
Create a Policy Based Forwarding rule to point at the primary ISP, that has a monitor and the box checked for "Disable this rule...."
Create a static default route to the secondary ISP
Since the policy based forwarding takes effect before the virtual router, it should disable its self if the primary goes down and/or a failover event.
I'm not an expert on BFD, however it relies on static or other type of routing protocols, this will utilize the virtual router. With some routing protocols this might work. However I always try to use the simplest way so if it doesnt work its easier to figure out why.
@NateGanttAs per design shared by you, you do not have any physical connectivity to Primary ISP on PA02 and in same manner no physical connectivity of Secondary ISP on PA01. I think, steps given in my earlier post will resolve issue.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!