ECMP, interface, zone and security policy question

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Palo Alto Networks Approved
Palo Alto Networks Approved
Community Expert Verified
Community Expert Verified

ECMP, interface, zone and security policy question

L0 Member

Hi guys

I am quite new to Palo Alto NGFW. We have on-prem PA-32xx on 11.0.3.

I am having trouble with static route ECMP for redundant IPSEC tunnels to AWS.

Previous guy configure both tunnel in different zone (lets say AWS1 zone and AWS2 zone) and then configure bunch of PBFs.

Then when the return path is changed, traffic will get dropped and I need to change PBF to another tunnel instead.

Are there anyway to made ECMP work with security policy? (or how to make both tunnels work in this scenario without manual with PBF)

I am thinking of putting 2 tunnel interfaces into same zone. I don't know if that is enough or another configure is needed.

I try to search for guide but so far mostly talking about networking aspect, not the policy and zone stuff.


Cyber Elite
Cyber Elite

Hi @Songphon-Gzy 

if you're looking for the tunnel failover, you can use monitoring profile to failover traffic to the backup tunnel interface.

There are two ways to configure it -

1. Use of monitor profile and attach it to IPSEC tunnel

2. Use of monitoring on static routes. In this case, you will have two routes to same tunnel destinations with different metric. Primary route will have monitoring enabled. If monitor fails, primary route will be removed from forwarding table and secondary route will be used.


In both cases, you need to monitor the one of the server for ICMP requests. If response to that server fails, monitoring will be down, and required actions will be in place.


Below reference articles will give you more idea about this.


Dual ISP VPN site to site Tunnel Failover with Static Route Pat... - Knowledge Base - Palo Alto Netw...

Define a Tunnel Monitoring Profile (

How to Configure a Palo Alto Networks Firewall with Dual ISPs a... - Knowledge Base - Palo Alto Netw...


Hope it helps!


Cyber Elite
Cyber Elite


For your policy based routing, make sure the Monitor is enabled as well as Enforce Symmetric return. The for the secondary tunnel, just add a static route in the virtual router. The Policy base forward rules take effect prior to the virtual router so the policy when enabled will always be preferred. If it goes down due to the monitor, the PAN will disable the policy and the static route takes over.


  • 2 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!