This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

ECMP, interface, zone and security policy question

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.
Palo Alto Networks Approved
Palo Alto Networks Approved
Community Expert Verified
Community Expert Verified

ECMP, interface, zone and security policy question

Songphon-Gzy
L0 Member

‎02-07-2024 11:05 PM - edited ‎02-07-2024 11:07 PM

Hi guys

I am quite new to Palo Alto NGFW. We have on-prem PA-32xx on 11.0.3.

I am having trouble with static route ECMP for redundant IPSEC tunnels to AWS.

Previous guy configure both tunnel in different zone (lets say AWS1 zone and AWS2 zone) and then configure bunch of PBFs.

Then when the return path is changed, traffic will get dropped and I need to change PBF to another tunnel instead.

Are there anyway to made ECMP work with security policy? (or how to make both tunnels work in this scenario without manual with PBF)

I am thinking of putting 2 tunnel interfaces into same zone. I don't know if that is enough or another configure is needed.

I try to search for guide but so far mostly talking about networking aspect, not the policy and zone stuff.

0 Likes Likes
2 REPLIES 2

SutareMayur
Cyber Elite
Cyber Elite

‎02-07-2024 11:34 PM

Hi @Songphon-Gzy 

if you're looking for the tunnel failover, you can use monitoring profile to failover traffic to the backup tunnel interface.

There are two ways to configure it -

1. Use of monitor profile and attach it to IPSEC tunnel

2. Use of monitoring on static routes. In this case, you will have two routes to same tunnel destinations with different metric. Primary route will have monitoring enabled. If monitor fails, primary route will be removed from forwarding table and secondary route will be used.

 

In both cases, you need to monitor the one of the server for ICMP requests. If response to that server fails, monitoring will be down, and required actions will be in place.

 

Below reference articles will give you more idea about this.

 

Dual ISP VPN site to site Tunnel Failover with Static Route Pat... - Knowledge Base - Palo Alto Netw...

Define a Tunnel Monitoring Profile (paloaltonetworks.com)

How to Configure a Palo Alto Networks Firewall with Dual ISPs a... - Knowledge Base - Palo Alto Netw...

 

Hope it helps!

M

OtakarKlier
Cyber Elite
Cyber Elite

‎02-08-2024 01:12 PM

Hello,

For your policy based routing, make sure the Monitor is enabled as well as Enforce Symmetric return. The for the secondary tunnel, just add a static route in the virtual router. The Policy base forward rules take effect prior to the virtual router so the policy when enabled will always be preferred. If it goes down due to the monitor, the PAN will disable the policy and the static route takes over.

Regards,

  • 486 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks