Configure Backup ISP

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Configure Backup ISP

L1 Bithead

PANBackupISP.png

 

 

 

 

 

Not sure this is the right venue or forum to post this, but I’m looking to set up an automated failover to a backup ISP line per the attached network diagram of my environment.

 

I’m new to PAN and the PAN way of doing things so thought I’d reach out for some advice before making changes. It’s quite hard, compared to Cisco, for example, to find a lot of content , blogs or user support forums on PAN configurations etc. I did find this article here…. and it’s almost what I want to do.

 

https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/policy/use-case-pbf-for-outbound-acc...

 

The article talks about using a PBR with a monitor - and when the monitor (ie a ping to the next hop gateway of the main ISP) fails, internet bound traffic is routed via the default static route to the BackUp ISP. All makes sense….except the part about using a “negate” statement for your internal servers….so that traffic to those local servers would not use the PBR. Why would it? That local traffic bound to those servers would not even hit the firewall to begin with. So that’s something I’d like to clarify.

 

Also,,I could achieve this config using a single Virtual Router? With a static default router out to my BackUp ISP modem\router….and return  routes to my internal subnets... then config a PBR to route all my ISP bound traffic via the Main ISP?? Am I understanding this correctly?

 

And I’m thinking my NAT rule only needs to apply to the MAIN isp interface (Int 7) since I won’t need NAT for the BackUp ISP interface (int 😎 - the Natting is done on the modem\router for the BackUp ISP.

 

Anyway….really appreciate any guidance from more seasoned PAN people )

Thanks and look forward to your responses !

 

Dennis….

4 REPLIES 4

L2 Linker

Hi Dennis,

 

 

Please go through the below link it would give detailed explanation on how to set up Dual ISP on failover:

 

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-a-Palo-Alto-Networks-Fi...

 

 

I would rather suggest to have two VR's rather than the single VR as that would give us an option of having 2 default routes instead of having one default route in case of single virtual router setup.

 

Hope this helps.

 

Ansh

Hello,

While i agree setting it up with two VR's does make for a simpler config. However that can play tricks if you are running dynamic routing on the inside of your network. For that reason, I had to do the same with just 1 VR and it worked just fine.

 

Just my thoughts.

 

Good luck!

Otakar.Klier....

 

could you elborate on your single VR setup? That's what I would prefer to do....

 

Thanks for your reply.....Dennis

Hello,

Its bascially using policy based forwarding along with monitoring. Here is the link to the article i used in the past. It was made with older version of code, but it still works.

 

https://live.paloaltonetworks.com/t5/Configuration-Articles/Dual-ISP-Branch-Office-Configuration/ta-...

 

Regards,

  • 3173 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!