02-26-2021 01:32 PM
I have been reading up and still trying to wrap my head around the exact setup I need.
Current ISP1 - used for all outbound LAN traffic, including IP phones. I use GlobalProtect as well, and have external DNS set up so remote.mydomain.com resolves to this IP address. I still want this ISP used for all traffic unless it goes down.
ISP2 - I have one backup server that offloads to Azure, which I want to use this link. Its traffic bogs down our main link.
So here is the final setup I am trying to configure. I have a PA-820.
ISP 1 - all traffic (except for backup server) including global protect should use this ISP. This is on interface 1
ISP2 - backup server traffic only unless a failover occurs. I have connected this to interface 7
So it sounds like with GlobalProtect I need two virtual routers to ensure all the traffic stays on ISP1. My present tunnel is in the L3-inside zone; not sure if I need to change that. The first PBF will be for the ISP1 traffic to fail over to ISP2 if it loses the ping to the outside. Then I need another PBF to send the backup server traffic out ISP2. I also think I need to NAT the server traffic from L3-inside to the new L3-outside zone I created for ISP2.
I think this link describes a lot of what I need. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClJeCAK
If I treat the LAN traffic in the example as my backup server traffic I think that may work.
Suggestions or other good links that describe something similar to my situation?
Thanks,
V
03-03-2021 07:32 PM - edited 03-03-2021 07:35 PM
Hey
The Primary VR will have all connections. This is just an example:
ETH1 - Untrust 32.32.32.108/29 Primary VR
ETH2 - Trust 10.10.0.1/24 Primary VR
ETH3 - DMZ 10.254.1.1/24 Primary VR
ETH4 - DMZ2 10.254.2.1/24 Primary VR
ETH5 - Untrust 33.33.33.108/29 Secondary VR
Let's say that you have GlobalProtect users using 10.1.1.1-10.1.1.254 on Gateway 1 and GP users using 10.1.2.1-10.1.2.254 on Gateway 2.
You will need routes from the Secondary VR to Trust 10.10.0.0/24, 10.254.1.0/24, 10.254.2.0/24 and 10.1.1.0/24.
Primary VR
1. Default route - 0.0.0.0/0 - 10 - to gateway 32.32.32.105
2. Route to GP2 - 10.1.2.0/24 - Next VR
3. More local routes - to core SW if you have any
Secondary VR
1. Default route - 0.0.0.0/0 - 10 - 33.33.33.108/29
2. Route to Local - 10.0.0.0/24 - 10 - Next VR
3. Route to DMZ - 10.254.1.0/24 - 10 - Next VR
4. Route to DMZ2 - 10.254.2.0/24 - 10 - Next VR
5. Route to GP - 10.1.1.0/24 - Next VR
6. If you have any IPsec S2S you need to point it to the Primary VR
If you also want another IPsec S2S from the secondary ISP as a backup, you will need to create a second tunnel, change the metric and set up path monitoring, so that if the Secondary VR tunnel goes down you will still be able to reach it from the Primary VR with metric 15. But if you have only one tunnel and don't need to create another one, all you do is route from the Secondary VR to the Primary with metric 10.
I hope this will help
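To make the two-VR route tables above concrete, here is an added example (not code from the thread or from Palo Alto Networks) that models how a static route with a `next-vr` next hop hands a packet to the other virtual router, which then forwards it. Prefixes and interfaces follow the reply's example; the secondary ISP gateway 33.33.33.105, the `tunnel.1`/`tunnel.2` interfaces for the two GlobalProtect gateways, and the metric values on connected routes are assumptions for illustration. It also shows the failure mode the reply warns about: without the return routes in the Secondary VR, traffic from a Gateway 2 user to the Trust network would follow the Secondary default route straight out ISP2.

```python
"""Model of two virtual routers joined by next-vr static routes.

Added example, not from the thread or from Palo Alto Networks. Addresses
follow the reply's example; the ISP2 gateway 33.33.33.105, the tunnel
interfaces for the GP gateways and the connected-route metrics are assumed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: str                        # destination prefix, e.g. "10.1.2.0/24"
    metric: int
    interface: Optional[str] = None    # egress interface for connected/gateway routes
    gateway: Optional[str] = None      # next-hop IP; None for connected routes
    next_vr: Optional[str] = None      # hand the packet to this VR instead


# Connected routes (metric 0) are what PAN-OS installs for each L3 interface
# that is a member of the VR; only the metric-10 routes are configured by hand.
VIRTUAL_ROUTERS = {
    "Primary": [
        Route("32.32.32.104/29", 0, interface="ethernet1/1"),
        Route("10.10.0.0/24", 0, interface="ethernet1/2"),
        Route("10.254.1.0/24", 0, interface="ethernet1/3"),
        Route("10.254.2.0/24", 0, interface="ethernet1/4"),
        Route("10.1.1.0/24", 0, interface="tunnel.1"),     # GP gateway 1 pool (assumed)
        Route("0.0.0.0/0", 10, interface="ethernet1/1", gateway="32.32.32.105"),
        Route("10.1.2.0/24", 10, next_vr="Secondary"),     # GP gateway 2 pool lives in Secondary
    ],
    "Secondary": [
        Route("33.33.33.104/29", 0, interface="ethernet1/5"),
        Route("10.1.2.0/24", 0, interface="tunnel.2"),     # GP gateway 2 pool (assumed)
        Route("0.0.0.0/0", 10, interface="ethernet1/5", gateway="33.33.33.105"),  # assumed gateway
        Route("10.10.0.0/24", 10, next_vr="Primary"),      # return routes to Trust, DMZs, GP1
        Route("10.254.1.0/24", 10, next_vr="Primary"),
        Route("10.254.2.0/24", 10, next_vr="Primary"),
        Route("10.1.1.0/24", 10, next_vr="Primary"),
    ],
}


def lookup(vr_name, dst, tables=VIRTUAL_ROUTERS):
    """Longest-prefix match within one VR; ties broken by lowest metric."""
    dst_ip = ip_address(dst)
    candidates = [r for r in tables[vr_name] if dst_ip in ip_network(r.prefix)]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (ip_network(r.prefix).prefixlen, -r.metric))


def resolve(vr_name, dst, tables=VIRTUAL_ROUTERS, max_hops=4):
    """Follow next-vr hand-offs until a route with an egress interface is found.

    Returns (egress_vr, interface, gateway), or None if no VR has a route.
    max_hops guards against two VRs pointing the same prefix at each other.
    """
    current = vr_name
    for _ in range(max_hops):
        route = lookup(current, dst, tables)
        if route is None:
            return None
        if route.next_vr is None:
            return (current, route.interface, route.gateway)
        current = route.next_vr
    raise RuntimeError(f"next-vr loop resolving {dst} from {vr_name}")


def without_return_routes():
    """Same design but with the Secondary VR's next-vr routes left out."""
    return {
        "Primary": VIRTUAL_ROUTERS["Primary"],
        "Secondary": [r for r in VIRTUAL_ROUTERS["Secondary"] if r.next_vr is None],
    }


if __name__ == "__main__":
    for vr, dst in [("Primary", "8.8.8.8"), ("Primary", "10.1.2.50"),
                    ("Secondary", "10.10.0.25"), ("Secondary", "10.1.1.7")]:
        print(f"{vr:9} -> {dst:12}: {resolve(vr, dst)}")
    # Misconfiguration: GP2 user to Trust leaks out ISP2 instead of reaching ethernet1/2.
    print("no return routes:", resolve("Secondary", "10.10.0.25", without_return_routes()))
```

Run it and compare the last line with the correct result: with the return routes in place a Gateway 2 user reaching 10.10.0.25 is handed to the Primary VR and exits `ethernet1/2`; without them the same packet matches only the Secondary default route and leaves via `ethernet1/5` toward ISP2.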
03-09-2021 04:11 PM
Thank you. I don't have S2S, but I do have one DMZ for a server with a public IP address, so I believe I can follow your solution. I do need one PBF to route the backup traffic through ISP2, but I don't care if that is down for a while, so I don't need to worry about path monitoring on that one.