External ping to public ip of secondary ISP interface.

Showing results for 
Show  only  | Search instead for 
Did you mean: 

External ping to public ip of secondary ISP interface.

L0 Member

I am having issues allowing pings on my secondary ISP interface. I have a dual ISP set up with my main connection a 10gbit connection with ISP1 and a backup 1gbit with ISP2. I am currently using path monitoring for internet failover and I also have a few PBF rules for some traffic to leave through ISP2. I was asked by ISP2 to allow ICMP for their subnet so they can monitor the connection. So I set up a second management profile that only allowed ping from their subnet and applied it to that interface. They still can seem to get a response when they ping it. Is there something else that I am missing? 


Cyber Elite
Cyber Elite

Hi @Dyardley ,


If other end is still not able to ping the palo alto interface, did you checked the traffic logs? Traffic logs should give you clarity on what's actually happening. 


L2 Linker

I literally just configured this.  I have the default virtual router and then a separate virtual router for each ISP (hub and spoke). With this method, you can prevent the dedicated ISP virtual routers having a zero route to the other ISP.  Therefore path monitoring will have the desired effect to flush the zero route for that specific ISP. You need to create a loopback on each virtual router.  Then create static routes (hub and spoke) to each ISP router (requires loopback). You can then configure eBGP on those links, along with redistribute. The method I used was local pref on the internal (default) virtual router to designate primary and secondary ISP.  The failover is tuned to 3 seconds and then hold time of 2 minutes for fail back. PDF with screenshot can be found here, although this is not a how-to guide, it will give you some of the main concepts.



Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!