- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
02-07-2024 11:05 PM - edited 02-07-2024 11:07 PM
Hi guys
I am quite new to Palo Alto NGFW. We have on-prem PA-32xx on 11.0.3.
I am having trouble with static route ECMP for redundant IPSEC tunnels to AWS.
Previous guy configure both tunnel in different zone (lets say AWS1 zone and AWS2 zone) and then configure bunch of PBFs.
Then when the return path is changed, traffic will get dropped and I need to change PBF to another tunnel instead.
Are there anyway to made ECMP work with security policy? (or how to make both tunnels work in this scenario without manual with PBF)
I am thinking of putting 2 tunnel interfaces into same zone. I don't know if that is enough or another configure is needed.
I try to search for guide but so far mostly talking about networking aspect, not the policy and zone stuff.
02-07-2024 11:34 PM
if you're looking for the tunnel failover, you can use monitoring profile to failover traffic to the backup tunnel interface.
There are two ways to configure it -
1. Use of monitor profile and attach it to IPSEC tunnel
2. Use of monitoring on static routes. In this case, you will have two routes to same tunnel destinations with different metric. Primary route will have monitoring enabled. If monitor fails, primary route will be removed from forwarding table and secondary route will be used.
In both cases, you need to monitor the one of the server for ICMP requests. If response to that server fails, monitoring will be down, and required actions will be in place.
Below reference articles will give you more idea about this.
Define a Tunnel Monitoring Profile (paloaltonetworks.com)
Hope it helps!
02-08-2024 01:12 PM
Hello,
For your policy based routing, make sure the Monitor is enabled as well as Enforce Symmetric return. The for the secondary tunnel, just add a static route in the virtual router. The Policy base forward rules take effect prior to the virtual router so the policy when enabled will always be preferred. If it goes down due to the monitor, the PAN will disable the policy and the static route takes over.
Regards,
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!