I have an existing LAN with two data centers. The firewalls at each are not in a cluster, and have different internal/external connections and tunnels, so changing to active/active is not possible. They each have separate DMZs right now.
We need to build a new redundant DMZ.
I've implemented static routes with a next hop of none for my public IPs on each Palo; one side prepends the AS 3 times, and all routes are learned correctly on the eBGP devices.
If either site goes down entirely, everything works as expected; all traffic in/out goes via the operational ISP BGP connection.
The issue is that I need to monitor some internal addresses, so that if only the router or switch goes down, the Palo will stop advertising those static routes.
I've played around with static path monitoring, but the issue is that I can't path monitor on a different segment than the one I'm advertising on.
1. The Palo will not allow me to add the static route with the external interface and then monitor another IP via the internal interface (a generic ping works; if I ping using "bypass routing table" and a specified interface, it doesn't).
2. Set up a NAT to the internal switch interface and tried to ping that: same thing. I also tried adding static routes for the NAT and internal IP to that VR, with no change.
I don't want to add any more hardware or reconfigure the existing Palos as active/active between the sites if I can help it.
See attached diagram.