Dual ISPs, VRs, and BGP Configuration Advice

Showing results for 
Show  only  | Search instead for 
Did you mean: 

Dual ISPs, VRs, and BGP Configuration Advice

L1 Bithead



Not new to networking, but new to PA, so looking for some configuration advice.  Have a PA-3220 and would like to add a second ISP connection for redundancy.  If that was all then it seems pretty simple and I've found several KB articles on how to accomplish that.  However I have a /24 and /27 block of public IPs that I also need to route over the primary or backup ISP, depending on which is in use.  I understand I'll need an ASN from ARIN and coordination with my ISPs to make that happen.  I also have the GlobalProtect client configured on my primary ISP WAN IP.


I am wondering what is the best way to configure this on the PA.  Currently I have one VR which both public IP blocks route through.  Do I need to setup individual VRs for each ISP?  Do I need a VR for the GlobalProtect client?  I haven't been able to find any KB articles that address this specific situation, but if you could point me in the right direction, or provide some recommendations, I would be grateful.


Thank you!



Cyber Elite
Cyber Elite



You can accomplish your requirement on single Virtual Router. How do you want your ISPs to work (active-active) or (active-standby) ?

If you need both ISPs in Active-Active mode, you can achieve it by enabling ECMP under VR and load balance traffic on both ISPs in real time. And both ISPs will work as a fallback in case any of the link goes down.

Below Articles gives you details on configuration steps.


Your GlobalPortect VPN will work as it is. Only there will be dependency on Primary Link. If Primary Link is down, GlobalProtect VPN will be down.





Hope it helps!





Thank you for the link to the articles.  How would the configuration work for an active-standby scenario?  The circuits from my two ISPs are not the same speed (1 Gbps and 250 Mbps).  If I could utilize both that would be fine, as long as a majority of the traffic uses the faster circuit.  Otherwise I'm fine with it being a standby.  We are an event and entertainment facility, so the primary goal is to provide a backup Internet connection in case the primary one goes down during an event.


Thanks again, I appreciate the response.


You can use BGP in this scenario. You can request just the default route from each ISP and then set the LP higher on the circuit with more bandwidth.

If you want to do some load sharing, many ISPs will offer their provider routes. If you take this option from the ISP with lower bandwidth, it would allow you to send traffic destined to sites that are in that ISP's network out that circuit. You'd still want to set the LP of the default higher on the circuit with more bandwidth. If you do this, make sure to set up any necessary filters so you don't become a transit network between the ISPs.

Thank you for the information @rmfalconer!


Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!