Adding a 2nd ISP

gvyskocil · ‎02-26-2021

I have been reading up and still trying to wrap my head around the exact setup I need.

Current ISP1 - use for all LAN traffic out including IP phones. Use global protect also. Have external DNS setup so remote.mydomain.com goes to this ip address. Still want this ISP used for all traffic unless it goes down

ISP 2 - I have one backup server that offloads to azure I want to use on this link. Traffic bogs down our main link.

So here is the final setup I am trying to configure. I have a PA-820.

ISP 1 - all traffic (except for backup server) including global protect should use this ISP. This is on interface 1

ISP2 - backup server traffic only unless a failover occurs. I have connected this to interface 7

So sounds like with global protect I need two virtual routers to insure all the traffic stays on isp 1. My present tunnel is in the L3-inside zone. Not sure if I need to change that. First PBF will be for the ISP1 traffic to failover to ISP2 if it loses the ping to outside. Then I need another PBF to send the backup server traffic out isp2. I also think I need to NAT the server traffic from the L3-inside to the new L3-outside zone I created for isp2.

I think this link describes a lot of what I need. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClJeCAK

If I treat the LAN traffic in the example as my backup server traffic I think that may work.

Suggestions or other good links that describe something similar to my situation?

Thanks,

V

Pawel_G · ‎03-03-2021

Hey

Primary VR will have all connections

This is just example

ETH1 - Untrust 32.32.32.108/29 Primary VR

ETH2 - Trust 10.10.0.1/24 Primary VR

ETH3 - DMZ 10.254.1.1/24 Primary VR

ETH4 - DMZ2 10.254.2.1/24 Primary VR

ETH5 - Untrust 33.33.33.108/29 Secondary VR

Lets say that you have Global Protect Users using 10.1.1.1-10.1.1.1.254 on Gateway 1 and GP users using 10.1.2.1-10.1.2.254 on Gateway 2.

You will need route from Secondary VR to Trust 10.10.0.0/24, 10.254.1.0/24 10.254.2.0/24 and 10.1.1.0/24

Primary VR

1 Default route - 0.0.0.0/0 - 10 to gateway 32.32.32.105

2.Route to GP2 - 10.1.2.0/24 - NEXT VR

3 More Local Routes - to Core SW if you have any

Secondary VR

1 Default Route 0.0.0.0/0 10 33.33.33.108/29

2.Route to Local 10.0.0.0/24 10 Next VR

3, Route to DMZ 10.254.1.0/24 10 Next VR

4. Route to DMZ2 10.254.2.0/24 10 Next VR

5. Route to GP 10.1.1.0/24 Next VR

6. If you have any IPSEC S2S you need to point to Primary VR

If you want to have also another ipsec S2S from secondary ISP as backup you will need to crete second tunnel and you will need to change metric and setup path monitoring if secondary VR Tunnel will go down than you still will be able to reach from Primary VR with metric 15. But if you have only one tunnel and you don't need to create another one all you do from Secondary VR route to primary with metric 10.

I hope this will help

gvyskocil · ‎03-09-2021

Thank you. I don't have S2S but I do have one DMZ for a server with a public IP address. So I believe I can follow your solution. I do need one PBF to route the backup traffic through ISP2 but I don't care if that is down for awhile so don't need to worry about path monitoring on that one.

Adding a 2nd ISP

Adding a 2nd ISP

Show your appreciation!