01-02-2026 07:58 PM - edited 01-03-2026 02:36 AM
Hi all,
I’m running a dual-ISP setup on a PA with BGP to ISP1 and ISP2. My goal is:
Monitor ISP1 default route / Internet reachability.
If ISP1 becomes unusable, I want all traffic to fail over to ISP2.
I am advertising an IP pool to both ISP1 and ISP2 for incoming traffic, with AS-path prepending applied to ISP2 so that incoming traffic prefers ISP1. Ideally, I would like all ISP1 routes to be withdrawn when the upstream Internet fails.
Here’s what I’ve tried and observed:
Conditional Advertisement:
I configured a policy on ISP2 to advertise the IP pool only when ISP1 default is missing. Works in principle, but I cannot cancel advertisement to ISP1 just because ISP1 stops sending a default route.
Path Monitoring (pinging a remote IP):
This removes the route for outbound traffic, so outgoing connections failover to ISP2. However, the IP pool advertisement is still sent to ISP1, so incoming traffic continues to fail.
Questions:
Is there any way in PAN-OS to completely withdraw all BGP routes and bring down ISP1 session when the Internet behind ISP1 fails but the peer IP is still reachable?
Would combining conditional advertisement / AS-path prepending achieve practical failover for both incoming and outgoing traffic?
Are there any recommended workarounds in PA for this scenario that don’t involve extra hardware or ISP cooperation?
Appreciate any guidance or shared experiences.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
