External BGP Static Route Advertisement, with Path Monitoring an inside net

I have an existing LAN with two data centers. The firewalls at each are not in a cluster, and have different internal/external connections and tunnels, so changing to active/active is not possible. They each have separate DMZs right now.
We need to build a new redundant DMZ.
I've implemented static routes with a next hop of none for my public IPs on each Palo; one side prepends the AS 3x, and all routes are learned correctly on the eBGP devices.
If either site goes down entirely, everything works as expected: all traffic in/out goes via the operational ISP BGP connection.
The issue is I need to monitor some internal addresses, so that if only the router or switch goes down the Palo will stop advertising those static routes.
I've played around with static path monitoring, but the issue is I can't path monitor on a different segment than I'm advertising on.
1. The Palo will not allow me to add the static route with the external interface and then monitor another IP via the internal interface (a generic ping works; if I ping using "bypass routing table" and a specified interface, it doesn't).
2. I set up a NAT to the internal switch interface and tried to ping that: same thing. I also tried adding static routes for the NAT and internal IP to that VR, with no change.
I don't want to add any more hardware or reconfigure the existing Palos as active/active between the sites if I can help it.
See attached diagram.

Data Dink
USMC/Ret

Attached diagram: TomElkins_0-1597085229760.png