- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
12-06-2013 03:26 AM
We are in the process of replacing an internet facing Check Point (NokiaIP560) deployment with Palo Alto (PA-2050) running PAN-OS 5.0.9.
The current checkpoint deployment has two equal cost default routes to the upstream providers routes. These two next hop IP addresses are the multi-group VRRP IP addresses to achieve outbound load sharing. Below is the "show route" output from the Check Point firewalls routing table, it appears to show two equal cost static default routes.
S 0.0.0.0/0 via x.x.x.209, eth-s4p1c0, cost 0, age 31245795
via x.x.x.210, eth-s4p1c0
Does anyone know if Palo Alto will support the above equal cost/metric default route in the way Check Point does?
If we attempt to add the two static routes as above, the commit fails with the error:
In virtual-router default, the static route Default-2 metric value 10 is not unique among static routes to destination 0.0.0.0/0.(Module: routed)
Config commit phase 1 aborted(Module: device)
Commit failed
If we are not able to duplicate the Check Point routing, we believe this would mean sending all outbound traffic on a single default route to a single upstream router IP address, and essentially loose the ability to load share the two upstream Internet circuits thus loosing 50% of outbound bandwidth.
Does anyone have any suggestions on our scenario?
12-06-2013 06:11 AM
PanOS does not support equal cost multipath at this point (ECMP).
You will have to use policy based routing (PBR) and choose only one active default route.
This is a sample configuration to use PBR for a simple failover only setup with dual isp. You would need to setup multiple PBR rules to push traffic out both ISP at the same time using different criteria.
Dual ISP Branch Office Configuration
12-06-2013 06:11 AM
PanOS does not support equal cost multipath at this point (ECMP).
You will have to use policy based routing (PBR) and choose only one active default route.
This is a sample configuration to use PBR for a simple failover only setup with dual isp. You would need to setup multiple PBR rules to push traffic out both ISP at the same time using different criteria.
Dual ISP Branch Office Configuration
12-06-2013 01:09 PM
You can take it one step further with PBR. You could create a policy that says:
- policy-route 1/2 the users through ISPA
- policy-route the other users through ISPB
- policy-route all users through ISPA
- policy-route all users through ISPB
This way, if both connections are up (as determined by the PBR Monitor / Health Check), then you get utilization out of both ISPs. Still not as nice as ECMP would be, but it's one way to get utilization out of both links when they're both up and running.
12-09-2013 01:15 AM
Thanks for the quick answers!
It's very disappointing that PA do not support ECMP, especially as our current CheckPoint platform does: Routing Options
Anyway we are raising this "feature" with our SE to confirm if it is under development.
Thanks again.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!