DUAL ISP Failover Single VR

L1 Bithead


I have a situation below and I need to be able to configure failover, seeking some guidance.


Basically I have


SG3 (two ISP's in the same VR)

ISP1 (eth1/7)

--------------> WAN-VR2

ISP2 (eth1/8)


Then I have a whole bunch of other sub interfaces on the LAN side:


trust1 eth1/24.1

trust2 eth1/24.2

trust3 eth1/24.3


I found this link:



So in my situation I have a default route going out the Primary ISP right now.  I'm guessing here is what I will need to do:

1- Create a PBF to send all traffic out the Primary ISP

2- Delete the default route going out the Primary ISP and replace it with the Second ISP's default route

3- Pretty much do the same for all the tunnels?


thank you

L4 Transporter

Hi mali77,


Thanks for posting in the community forums!


You are almost right.

Yes, you will replace the default route with Secondary ISP's next hop.

Yes, you will create a PBF to forward the traffic to the primary ISP.


Couple of things you can add to the PBF:

1) Monitor profile with the action of 'Fail-Over' - so it fails to the VR in case the monitor IP is unreachable. Choose something simple as the IP address in Monitor.

2) Check the box for 'Disable this rule if next hop/IP address is unreachable'. This will prevent the firewall from continuing to check the PBF for every packet (save those precious CPU cycles!).


And, all of this might not work if you don't have outbound NAT configured correctly!


Make sure to add 2 Outbound NAT rules, one for ISP1 and another for ISP2. You MUST use the destination interface as a condition too, else it will just stop at the first match.


Hope this helps :)




ACE 7.0, 8.0, PCNSE 7
L0 Member

Did you ever get this to work with a single VR? I could get the ISP failover to work, but never the VPN tunnels.



L7 Applicator

VPN tunnels cannot be controlled by PBF policy, as system-sourced services bypass PBF and use only the routing table.


You could try adding single-host static routes with a lower metric than the default gateway, or ECMP in PAN-OS 8.0.

reaper - PANgurus.com
Find my book at https://www.amazon.com/dp/1789956374
Cyber Elite


I have implemented the following multiple times and it works well.


Like you mentioned, create a PBF that sends all traffic out the primary ISP and make sure you have a Monitor enabled with "Disable this rule...". I usually use the Next Hop as something like the ISP's gateway router.


Have a static route that points all traffic out the secondary ISP.


Since PBF takes place prior to static routing, everything will go down the primary ISP via the PBF rule. If the IP in the Monitor is unreachable, then the PBF is disabled and traffic will follow the static route you have defined to send down the secondary ISP.


Once the primary ISP is available again, the monitor will notice and re-enable the PBF, so then all traffic will flow down the primary ISP path.


Hope that makes sense.



L2 Linker

All good but I wouldn't recommend using as the monitor IP. 


Use your ISP's gateway or at least something on their network rather than relying on Google's Anycast DNS.
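Pulling the thread together (the PBF-plus-static-route recipe, the two interface-keyed NAT rules, the monitor-IP advice and the VPN caveat), here is an added illustration of the equivalent PAN-OS set commands. It is not from any poster here: the syntax is recalled from PAN-OS 8.x and should be checked against your own version, and every name, zone and address (RFC 5737 documentation ranges) is an assumed placeholder.

```text
# Added illustration, not from any post in this thread. Syntax recalled from
# PAN-OS 8.x set commands; verify against your version before committing.
# Assumed placeholders: VR "default", zones trust1/2/3 and WAN-VR2,
# ISP1 gateway 198.51.100.1 on eth1/7, ISP2 gateway 203.0.113.1 on eth1/8,
# VPN peer 192.0.2.10.

# 1. Monitor profile: action fail-over, probe every 3 s, 5 misses = down.
set network monitor-profile ISP1-MON action fail-over interval 3 threshold 5

# 2. The ONLY default route in the VR points at the SECONDARY ISP (eth1/8).
set network virtual-router default routing-table ip static-route ISP2-DEFAULT destination 0.0.0.0/0 interface ethernet1/8 nexthop ip-address 203.0.113.1 metric 10

# 3. PBF steers LAN traffic out the PRIMARY ISP (eth1/7) while its gateway answers.
#    Monitor target is ISP1's own gateway, not a public anycast DNS address.
#    disable-if-unreachable takes the rule out of evaluation while ISP1 is down,
#    so sessions fall through to the static default route toward ISP2.
set rulebase pbf rules PBF-ISP1 from zone [ trust1 trust2 trust3 ]
set rulebase pbf rules PBF-ISP1 source any destination any application any service any
set rulebase pbf rules PBF-ISP1 action forward egress-interface ethernet1/7 nexthop ip-address 198.51.100.1
set rulebase pbf rules PBF-ISP1 action forward monitor profile ISP1-MON ip-address 198.51.100.1 disable-if-unreachable yes

# 4. Two source-NAT rules keyed on the egress INTERFACE, not just the zone.
#    Both ISPs sit in zone WAN-VR2, so without to-interface the first rule
#    would match every flow and traffic leaving eth1/8 would carry ISP1's address.
set rulebase nat rules NAT-ISP1 from [ trust1 trust2 trust3 ] to WAN-VR2 to-interface ethernet1/7 source any destination any service any
set rulebase nat rules NAT-ISP1 source-translation dynamic-ip-and-port interface-address interface ethernet1/7
set rulebase nat rules NAT-ISP2 from [ trust1 trust2 trust3 ] to WAN-VR2 to-interface ethernet1/8 source any destination any service any
set rulebase nat rules NAT-ISP2 source-translation dynamic-ip-and-port interface-address interface ethernet1/8

# 5. VPN caveat: IKE/IPsec is firewall-sourced and ignores PBF, so a tunnel that
#    must use ISP1 needs a host route for its peer (longest prefix wins over the
#    default). This pins the tunnel to ISP1; it does not fail over by itself.
set network virtual-router default routing-table ip static-route VPN-PEER-VIA-ISP1 destination 192.0.2.10/32 interface ethernet1/7 nexthop ip-address 198.51.100.1 metric 5
```

After committing, `show pbf rule all` and `show running nat-policy` confirm the PBF rule's monitor state and that each NAT rule is matching on its own egress interface.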

Cyber Elite

For more details, I just happened to stumble across a more detailed how-to.




Starts on Page 1030 under Policy-Based Forwarding.
