Configure DUAL ISP

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Configure DUAL ISP

L4 Transporter

We have now two ISPs 

And we want to configure PA so that when first ISP is down the traffic (in and out) passed to the second ISP

Can you give me please a guide about it?

10 REPLIES 10

Cyber Elite
Cyber Elite

Hello,

I have done this many times with a lot of success. Here is a guide using PBF:

 

https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/policy/use-case-pbf-for-outbound-acc...

 

Hope that helps.

Now you can do similar thing with path monitoring in static routes as well.

Cyber Elite
Cyber Elite

if you simply want redundancy, you can set the secondary ISP to a higher metric

you can add PBF on top of this to split off some traffic for bandwidth optimalization

if both ISP's are equal in performance and you have no special needs for certain types of traffic, you can also look into ECMP:

Equal-Cost Multi-Path Routing (ECMP)

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

No i want redundancy

The one thing is after the first link shut down it passes to second link but when we return it back it didnt pass again to the first one

Hello,

How do you have it configured? If using PBF and Monitoring, it should fail back once the monitoring see's the the IP you are monitoring is back up.

 

Regards,

when i pass to backup route the connection pass to second ISP but NO internet for internal hosts

I have to put up the NAT rule of second ISP  above the first NAT RULE -ISP 1 

And then when i back the first ISP it did not pass to FIRST  ISP. Preemtevie time is 1 minute.

PAN-OS 8.0.10

PA-500

 

 

make sure to add the 'egress interface' setting to the NAT rules, this will prevent that issue from occurring

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Can you please explain me how to do it? is it in the Policy > Nat>NAT RULES section?

It's recommended to assign each ISP it's own zone, but this will require more security policies

If instead you assign both ISPs the same zone, security policies will be simpler to manage but the NAT policies may get 'confused' about what to do, adding 'destination interface' to the requirements let's NAT know which rule to apply when an ISP goes down and packets are routed over a different interface:

 

identical NAT.png

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

thanks it worked with internet

 

 

  • 4061 Views
  • 10 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!