I have a situation below and I need to be able to configure failover, seeking some guidance.
Basically I have
SG3 (two ISPs in the same VR)
Then I have a whole bunch of other sub interfaces on the LAN side:
TRUST-VR - VSYS3
I found this link:
So in my situation I have a default route going out the Primary ISP right now. I'm guessing here is what I will need to do:
1- Create a PBF to send all traffic out the Primary ISP
2- Delete the default route going out the Primary ISP and replace it with the Second ISP's default route
3- Pretty much do the same for all the tunnels?
Thanks for posting in the community forums!
You are almost right.
Yes, you will replace the default route with Secondary ISP's next hop.
Yes, you will create a PBF to forward the traffic to the primary ISP.
Couple of things you can add to the PBF:
1) Monitor profile with the action of 'Fail-Over' - so it fails to the VR in case the monitor IP is unreachable. Choose something simple as 22.214.171.124 as the IP address in Monitor.
2) Check the box for 'Disable this rule if next hop/IP address is unreachable'. This will prevent the firewall from keep checking the PBF for every packet (save those precious CPU cycles!).
And, all of this might not work if you don't have outbound NAT configured correctly!
Make sure to add 2 Outbound NAT rules, one for ISP1 and another for ISP2. You MUST use the destination interface as a condition too, else it will just stop at the first match.
Hope this helps :)
VPN tunnels cannot be controlled by PBF policy, as system-sourced services bypass PBF and use only the routing table.
You could try adding single-host static routes with a lower metric than the default gateway, or ECMP in PAN-OS 8.0.
I have implemented the following multiple times and it works well.
Like you mentioned, create a PBF that sends all traffic out the primary ISP and make sure you have a Monitor enabled with the "Disable this rule..." option. I usually use the Next Hop as something like the ISP's gateway router.
Have a static route that points all traffic out the secondary ISP.
Since PBF takes place prior to static routing, everything will go down the primary ISP via the PBF rule. If the IP in the Monitor is unreachable, then the PBF is disabled and traffic will follow the static route you have defined to send down the secondary ISP.
Once the primary ISP is available again, the monitor will notice and re-enable the PBF, so then all traffic will flow down the primary ISP path.
Hope that makes sense.
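As an added example (not code from the thread or from Palo Alto Networks), here is a small model of the first-match logic the two replies above describe: PBF is consulted before the routing table, a monitor failure disables the PBF rule, and outbound NAT stops at the first matching rule. It shows why the NAT rules need the destination interface as a condition. Interface names, zones and addresses are constructed placeholders.

```python
# Added example, not from the original thread: models PBF-before-routing,
# monitor-driven PBF disable, and first-match outbound NAT.
# All names and addresses below are constructed placeholders.
from dataclasses import dataclass, field
from typing import Optional, List, Tuple


@dataclass
class NatRule:
    name: str
    to_interface: Optional[str]   # None = rule does not check the egress interface
    translated_src: str


@dataclass
class Firewall:
    pbf_egress: str = "ethernet1/1"             # PBF rule: all traffic to primary ISP
    pbf_monitor_up: bool = True                 # monitor reachable -> PBF rule active
    static_default_egress: str = "ethernet1/2"  # default route points at secondary ISP
    nat_rules: List[NatRule] = field(default_factory=list)

    def egress_interface(self) -> str:
        """PBF is evaluated first; if its rule is disabled, the routing table decides."""
        if self.pbf_monitor_up:
            return self.pbf_egress
        return self.static_default_egress

    def nat_source(self, egress: str) -> str:
        """Outbound NAT is first-match: the first rule whose conditions hold is used."""
        for rule in self.nat_rules:
            if rule.to_interface is None or rule.to_interface == egress:
                return rule.translated_src
        return "NO-NAT"


def forward(fw: Firewall) -> Tuple[str, str]:
    """Return (egress interface, translated source) for an outbound flow."""
    egress = fw.egress_interface()
    return egress, fw.nat_source(egress)


# NAT rules without the destination-interface condition: ISP1's rule matches everything.
BAD_NAT = [NatRule("ISP1-out", None, "203.0.113.10"),
           NatRule("ISP2-out", None, "198.51.100.10")]
# NAT rules that also match on the egress interface, as the reply recommends.
GOOD_NAT = [NatRule("ISP1-out", "ethernet1/1", "203.0.113.10"),
            NatRule("ISP2-out", "ethernet1/2", "198.51.100.10")]

if __name__ == "__main__":
    for label, rules in (("no-interface-condition", BAD_NAT), ("with-interface-condition", GOOD_NAT)):
        fw = Firewall(nat_rules=rules)
        print(label, "primary up  :", forward(fw))
        fw.pbf_monitor_up = False   # monitor IP unreachable -> PBF rule disabled
        print(label, "primary down:", forward(fw))
```

With the interface condition missing, the failed-over flow leaves via ethernet1/2 but is still translated to ISP1's address, which the upstream will drop.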
All good but I wouldn't recommend using 126.96.36.199 as the monitor IP.
Use your ISP's gateway or at least something on their network rather than relying on Google's Anycast DNS.
For more details, I just happened to stumble across a more detailed how-to.
Starts on Page 1030 under Policy-Based Forwarding.