Dual ISP's - How to PA-500

Showing results for 
Show  only  | Search instead for 
Did you mean: 

Dual ISP's - How to PA-500

L1 Bithead

Does anyone know of any good documentation that explains how to set up dual ISP's into my PA-500 device?  I currently have a single T1 running into the PA-500, but am going to be adding a cable connection within the next couple weeks.  I would like to use the Cable Connection for all Internet surfing, and the T-1 for E-mail and such.

Can this be done?  I found a few posts that say it can be, but didn't come across any good documentation as to how I can set this up.

Any help would be greatly appreciated.



If we want to put Proxy in DMZ wouldn't it be better to give Proxy just one interface which connects to PA int4 and allow/forward traffic between the internal and Proxy networks/zones through the PA. This way I think there will be better control over internal users going out (I mean user-id, app-id, all sort of filterings and monitorings done by the PA)



Not in my opinion.

Putting the proxy inline (that is client <-> proxy <-> PA <-> Internet) is the best option along with "reflect srcip" / "keepsource=yes" which would make that not only the srcip will be accurate in the logs of the PA but also that the PA can do userid, appid, ssl-termination etc.

If you put PA in front of the proxy (from the client perspective, that is client <-> PA <-> proxy <-> Internet) then the appid will always be "http-proxy" and you wont be able to use ssl-termination either (and by that become vulnerable for all the SSL-based malware out there).

A workaround (if you want it to be client <-> PA <-> proxy <-> PA <-> Internet) is to do as I described earlier with two vlans for the proxy, one outer and one inner vlan - this way you can still use the "reflect srcip" / "keepsource=yes" (and use aggregated interfaces to get redundancy instead of a single cable) with the downside of twice as many logs in the PA and only able to do half the number of concurrent sessions (because each session will be seen twice in the PA, first the session client -> PA -> proxy and then the proxy -> PA -> Internet).

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!