Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Change ISP

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Change ISP

L1 Bithead

we're upgrading the internet link in one of our offices...so qwe purchased a new link from a different provider...and I was thinking of unplugging the old link, plugin the new link, remove the old public IP address and then add the IP address of the new link, change the default route...the firewall is PA-200 version 7.1.14...has anyone done this before? is this a good practise? 

1 accepted solution

Accepted Solutions

ISP was changed successfully...for all of the network engineers out there...

 

- Change the interface IP

- Chane the default route

- Change GlobalProtect settings

- Issue a new cert. for GlobalProtect

- Change the polices

-No need to reset the VPN

View solution in original post

5 REPLIES 5

Cyber Elite
Cyber Elite

If you have a maintenance window where you can perform a cutover, this would be a good way to go about your migration (don't forget NAT and security policies)

 

This will be the quickest way, but will require some downtime (and you'll need to make sure you have OOB acccess or can be on-site to perform this)

 

alternatively you can plug the new ISP in a free interface and set it up from scratch (new zone, add the sone to existing security policies, create new NAT rules, add default route with slightly higher metric and commit)

after the commit you can first run a few tests and will retain access to the office through the original ISP, until you shut off the original interface and the NEW ISP will take over

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

L4 Transporter

A great deal depends on what your doing,

 

Do you have inbound rules for NAT to inside hosts?

Do any of the third parties you connect to have IP address restrictions?

 

A "Cutover" period migration from one to the other would be ideal rather than a Straight complete swap over.

 

Both can run at the same time, and you can use PBF to move traffic out the second link.

 

 

Rob

 

 

L5 Sessionator

Make sure to check your default outgoing NAT rule as well. If it is set to source translate to the interface address then you will be fine, otherwise the configuration will need to be amended to your new public IP range.

I am not in the office...we can afford some downtime...i just need to do this quickly...

 

We have a VPN tunnle with another office so i need to change that as well...

 

if I use PFB, Can i remove it later without any downtime?

 

also, when I access the firewall public IP...i am redirected to Global Protect Page, not the firewall GUI page...any idea how to access it?

 

I think I need to change the below:

- Interface IP

-Global Protect portal

- Global protect gateway

- IKE Gateway

- One NAT policy

- Default route..

 

Can you think of something else? 

 

Will the VPN work after changing the IP address and resetting it?

ISP was changed successfully...for all of the network engineers out there...

 

- Change the interface IP

- Chane the default route

- Change GlobalProtect settings

- Issue a new cert. for GlobalProtect

- Change the polices

-No need to reset the VPN

  • 1 accepted solution
  • 5378 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!