Hello, good afternoon everyone, thank you very much for your support and help.
I have the following scenario:
A pair of firewalls configured in HA, such as Active Passive, model 5250.
There are currently 2 links to the Internet, the main link, that is, the active one, is used for the main access for all the general output to the Internet, it has its route 0.0.0.0 metric "10" and a second link, used, by means of PBF, for exclusive output to certain IPs of AWS services among other exclusive functions and destination, this second link at the route table level has a route 0.0.0.0 metric "30", although the PBF is used, which overrides the route table, in any case the route is included in the static routes of the virtual router, but having two routes to the same destination, the route with metric 10, that is, the main link is the one that passes from the RIB to the FIB.
Now after the previous background, the detail of the doubt, you want to configure Path Monitoring to be censusing some destinations that are reached exclusively by the secondary link, to validate that in case of any problem, it is processed to make the change in the HA , between the active and passive devices.
Reviewing the documentation, regarding the "Source IP" section using the "Virtual Router Path" option, it says the following: "The source IP address for path groups associated with virtual routers* will be automatically configured as the interface IP address that is indicated in the route table as the egress interface for the specified destination IP address".
Now from this comes the enormous doubt, I must monitor the path/route of the HA failure conditions settings and I must register some destinations that are reached exclusively by the secondary link to the Internet (that is, by the link with Metric 30, that is, the one that is not installed in the FIB and only in the RIB) but the documentation says that it will use as source the ip of the exit interface in relation to the route, that is where my great doubt is, if said route is not it is installed in the FIB since in the FIB there will only be the metric route 10 and not 30, the destination that I need to census is exclusively through the metric 30 link, which currently the users, servers and LAN networks reach using a PBF, In this case, when I want to take a census, at the level of HA Pathmonitoring settings and validate said destination, I will have some problem being able to take a census, reach it and have it respond to said destination, which for the moment is reached by PBF (It is understood that for the PBF it is not valid the traffic that is originated from Palo Alto, in this case for the monitoring and census of the routes and destination, a PBF cannot be used for this traffic because it is originated from the exit interface of Palo Alto), for the users and that the documentation says that it will validate with the routing table, but in the routing table the route is present, but at the FIB level it only installs the default route, that is, the route 0.0.0.0 with metric 10 and the other is only maintained as a possible route in the RIB, the metric route 30.
I hope you can help me solve my doubts and see how it is possible to make the above scenario work.
Thank you very much, I remain attentive, cordial greetings.
Did I understand your concerns correctly:
- You want to configure path-monitor under HA settings, to failover firewall to secondary member in case of issue with Internet path.
- You have two public lines, second one used only for some specific traffic. You are wondering which Internet line will be used for the path-monitor probes.
- From what I understand you want to monitor the second Internet line, that is used only for specific traffic with PBF.
I would say you are mostly correct with your assumption.
- If firewall have more than one route to the same destination it will in FIB it will install only the one with better metric. If that route fail - egress interface associated with that interface is physically down (disabled or disconnected).
- Path-Monitor is essentially ICMP ping packets sourced from the IP assigned on the egress interface used to reach the configured destination. So in your case if you configure path monitor under HA, it will monitor your primary internet line, rather the one with the PBF.
If you really want to failover when second internet line has issue, one way I can think of is to move the second Internet line to separate virtual-router.
- Creating separate VR allows you to define default static route pointing to the secondary Internet line.
- This will allow you to create path-monitor for that VR and monitor the path over the secondary line.
- You still need to keep the PBF in order to route only specific traffic over that line (or move the sources in separate VLAN that can be attached to second VR and remove PBF all along, but this heavily depends on for what you really use the second internet line).
- You need to create static route with next-vr in second VR for the return traffic to be send back to internal network in primary VR.
Additional benefit of this approach is it will allow you to create two path-monitors for HA - one for each VR. This way you will trigger firewall failover no matter which internet line is affected.
Now if I were you, would consider using each line as backup for the other, before doing a failover:
- If primary Internet line has issue, users will be moved to use the second line in addition to the specific traffic that is already using it with the PBF
- If secondary line is having issue, the specific traffic will be re-routed to use the primary line along with rest of the traffic
- And if both lines are having issue, then firewall will failover to secondary member.
But again this really depends on your constrains/requirements/specifics that you have for your secondary line and the specific traffic over it.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!