Global Protect\MPLS redundancy

mksherman
L1 Bithead


Currently I have an MPLS connection (Connected to a Palo Alto Firewall) at one of our branch offices in Shanghai. The problem is the MPLS connection (provided by Level3) goes down sometimes.

 

I'd like to set up a Global Satellite connection on the PAN Firewall, with the idea being that if the MPLS goes down, we do not lose our connection to the office.

 

Is it possible to set up the PAN to automatically start using the Global Satellite if the interface that the MPLS is connected to stops responding?

BPry
Cyber Elite

You mean a GlobalProtect LSVPN satellite or an actual satellite internet connection? Either one can be done pretty easily, but if you lose your MPLS connection would that not mean that the office also loses their internet connection, or are you using the MPLS similar to a split-tunnel?

mksherman
L1 Bithead

I mean a Satellite connection seen here: https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-GlobalProtect-Satellite...

 

Our MPLS is a separate circuit from our Internet connection. If we lose our MPLS the office still has an internet connection. What I've been doing as a workaround for now is that, if the MPLS goes down, I have them connect to a "guest wifi" that is only connected to the internet and use the Global Protect Client to VPN in.

 

Thanks!

glastra1
L4 Transporter

GlobalProtect satellite doesn't provide redundancy. PBF or dynamic routing do.

Since you'll have 2 links, MPLS and VPN, you can simply configure PBF to use your primary link (MPLS), which will fail over to your VPN (static route) in case it fails.

 

https://live.paloaltonetworks.com/t5/Management-Articles/Selecting-an-IP-Address-for-PBF-or-Tunnel-M...

 

Regards,

Gerardo.

mksherman
L1 Bithead

Old setup:

Our trust interface (1/3) in Shanghai is set up with a static IP of 10.51.1.1/24 and as layer3.

Connected to the trust interface is a dumb switch, and connected to the switch are 10 workstations.

The workstations are getting DHCP from the 1/3 interface which I've enabled on the PAN with the gateway set to 10.51.1.1

There's a static route saying anything on 10.0.0.0/8 go out ethernet 1/2 (our MPLS) with IP 192.168.1.51

*Once the MPLS hits our headquarters there's a static route on our switches that says:

192.168.1.X/29 via our MPLS

 

New setup:

Everything from before will be the same but I want to add a GlobalSatellite connection in case the MPLS next hop goes down.

 

Setup Question:

If I set up the Satellite connection to share the route for 10.51.1.0/24 will I cause a loop?

 

 
