Adding a 2nd ISP



I have been reading up and still trying to wrap my head around the exact setup I need.


Current ISP1 - used for all LAN traffic out, including IP phones. We use GlobalProtect also. External DNS is set up so it goes to this IP address. I still want this ISP used for all traffic unless it goes down.


ISP2 - I have one backup server that offloads to Azure that I want to use on this link. Its traffic bogs down our main link.


So here is the final setup I am trying to configure. I have a PA-820.


ISP1 - all traffic (except for the backup server), including GlobalProtect, should use this ISP. This is on interface 1.

ISP2 - backup server traffic only, unless a failover occurs. I have connected this to interface 7.


So it sounds like with GlobalProtect I need two virtual routers to ensure all the traffic stays on ISP1. My present tunnel is in the L3-inside zone. Not sure if I need to change that. The first PBF will be for the ISP1 traffic to fail over to ISP2 if it loses the ping to outside. Then I need another PBF to send the backup server traffic out ISP2. I also think I need to NAT the server traffic from the L3-inside zone to the new L3-outside zone I created for ISP2.


I think this link describes a lot of what I need.


If I treat the LAN traffic in the example as my backup server traffic I think that may work.


Suggestions or other good links that describe something similar to my situation?








The Primary VR will have all connections.

This is just an example:

ETH1 - Untrust - Primary VR

ETH2 - Trust - Primary VR

ETH3 - DMZ - Primary VR

ETH4 - DMZ2 - Primary VR

ETH5 - Untrust - Secondary VR


Let's say that you have GlobalProtect users on Gateway 1 and GP users on Gateway 2.

You will need a route from the Secondary VR to Trust, and:

Primary VR

1. Default route - 10 - to gateway

2. Route to GP2 - Next VR

3. More local routes - to core SW if you have any


Secondary VR

1. Default route - 10

2. Route to Local - 10 - Next VR

3. Route to DMZ - 10 - Next VR

4. Route to DMZ2 - 10 - Next VR

5. Route to GP - Next VR

6. If you have any IPSEC S2S, you need to point it to the Primary VR


If you also want another IPsec S2S from the secondary ISP as a backup, you will need to create a second tunnel, change the metric and set up path monitoring, so that if the secondary VR tunnel goes down you will still be able to reach it from the Primary VR with metric 15. But if you have only one tunnel and don't need to create another one, all you do is route from the Secondary VR to the Primary with metric 10.


I hope this will help.
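Added example, not from the thread or from Palo Alto Networks: a small Python model of the forwarding decision the reply above sketches, so the ordering is visible on concrete packets. PBF rules are evaluated before the virtual-router lookup; a route whose path monitor reports the next hop down is withdrawn; the remaining routes are chosen by longest prefix, then lowest metric; a next-vr route hands the lookup to the other VR. The addressing (a 10.0.0.0/24 LAN, backup server 10.0.0.50, ISP1 on ethernet1/1, ISP2 on ethernet1/7), the monitor names, and the design choice of a metric-15 backup default route in the Primary VR pointing at the Secondary VR are all assumptions chosen for the illustration; NAT is not modelled.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing for the thread's PA-820 scenario (assumed, not from the post).
ISP1_IF = "ethernet1/1"      # ISP1 on interface 1
ISP2_IF = "ethernet1/7"      # ISP2 on interface 7
LAN_IF = "ethernet1/2"       # Trust interface
LAN = "10.0.0.0/24"
BACKUP_SERVER = "10.0.0.50"


class VirtualRouter:
    """Static routes only: (prefix, metric, egress interface, next-vr name, path-monitor name)."""

    def __init__(self, name):
        self.name = name
        self.routes = []

    def add_route(self, dest, metric, egress=None, next_vr=None, monitor=None):
        self.routes.append((ip_network(dest), metric, egress, next_vr, monitor))

    def best_route(self, dst, monitor_up):
        # Withdraw routes whose path monitor says the next hop is unreachable,
        # then prefer the longest prefix and, within it, the lowest metric.
        usable = [r for r in self.routes
                  if dst in r[0] and (r[4] is None or monitor_up.get(r[4], False))]
        if not usable:
            return None
        return max(usable, key=lambda r: (r[0].prefixlen, -r[1]))


class Firewall:
    def __init__(self):
        self.vrs = {}
        self.pbf_rules = []    # evaluated top-down, before the routing table
        self.monitor_up = {}   # path-monitor name -> is the probe target reachable?

    def add_vr(self, vr):
        self.vrs[vr.name] = vr

    def add_pbf(self, source, egress, monitor=None):
        self.pbf_rules.append((ip_network(source), egress, monitor))

    def route(self, src, dst, ingress_vr="Primary"):
        """Return the egress interface the firewall would pick for src -> dst."""
        src, dst = ip_address(src), ip_address(dst)
        # 1. PBF: the first matching rule wins. If its monitor is down the rule is
        #    skipped ("disable if unreachable") and the packet falls back to routing.
        for net, egress, monitor in self.pbf_rules:
            if src in net and (monitor is None or self.monitor_up.get(monitor, False)):
                return egress
        # 2. Routing table lookup, following next-vr hops with a loop guard.
        seen, vr = set(), ingress_vr
        while vr in self.vrs and vr not in seen:
            seen.add(vr)
            r = self.vrs[vr].best_route(dst, self.monitor_up)
            if r is None:
                return None
            if r[2] is not None:
                return r[2]
            vr = r[3]
        return None  # no route, or a next-vr loop between the two VRs


def build_dual_isp_firewall():
    fw = Firewall()
    primary, secondary = VirtualRouter("Primary"), VirtualRouter("Secondary")
    # Primary VR: default via ISP1 at metric 10 with path monitoring, and a backup
    # default at metric 15 handed to the Secondary VR (only wins once ISP1 is withdrawn).
    primary.add_route("0.0.0.0/0", 10, egress=ISP1_IF, monitor="isp1-ping")
    primary.add_route("0.0.0.0/0", 15, next_vr="Secondary")
    primary.add_route(LAN, 10, egress=LAN_IF)
    # Secondary VR: default via ISP2; local networks are reached through the Primary VR.
    secondary.add_route("0.0.0.0/0", 10, egress=ISP2_IF)
    secondary.add_route(LAN, 10, next_vr="Primary")
    fw.add_vr(primary)
    fw.add_vr(secondary)
    # PBF: the backup server's traffic leaves on ISP2 regardless of the routing table.
    fw.add_pbf(BACKUP_SERVER + "/32", ISP2_IF, monitor="isp2-ping")
    fw.monitor_up = {"isp1-ping": True, "isp2-ping": True}
    return fw


if __name__ == "__main__":
    fw = build_dual_isp_firewall()
    print("LAN host  ->", fw.route("10.0.0.20", "203.0.113.10"))   # ISP1
    print("backup    ->", fw.route(BACKUP_SERVER, "203.0.113.10")) # ISP2 via PBF
    fw.monitor_up["isp1-ping"] = False
    print("LAN, ISP1 down ->", fw.route("10.0.0.20", "203.0.113.10"))  # ISP2 via next-vr
```

Flipping the two monitor flags shows the failure modes the thread cares about: with `isp2-ping` down the backup server's PBF rule is skipped and its traffic follows the Primary VR's default route out ISP1; with `isp1-ping` down the monitored default is withdrawn and the metric-15 next-vr route carries everyone else to ISP2. Intra-LAN traffic always matches the /24 before either default, whichever monitor is down.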


Thank you. I don't have S2S, but I do have one DMZ for a server with a public IP address. So I believe I can follow your solution. I do need one PBF to route the backup traffic through ISP2, but I don't care if that is down for a while, so I don't need to worry about path monitoring on that one.
