07-13-2014 10:41 PM
I'm new to using the Palo Alto firewall. We have two sites that have their own dedicated ISP connections, and I've been tasked with configuring the PAN firewall to route the Internet connections to the other ISP if the main Internet connection encounters a connectivity problem.
HQ1 RT1-------PAN FW--------Internet RTR------------------ISP1
|
|
| -> Connections between HQ1 and HQ2 is via internal MPLS and they're on different location
|
|
HQ2 RT2-------PAN FW--------Internet RTR------------------ISP2
Is it possible to configure a VPN tunnel between the two PA FWs and use PBF?
Any feedback is highly appreciated.
Cheers,
Erwin
07-14-2014 07:45 PM
More thoughts:
This could potentially work. With the issue I mentioned on point 1 previously needing to be tested.
Whether this is easier than the MPLS routing solution I'm not in a position to judge. Both seem involved.
07-14-2014 06:37 AM
Hello Erwin,
Here is the document that explains how to configure PAN for dual ISP failovers:
Dual ISP Branch Office Configuration
In short, you would:
1. Configure a PBF policy on PAN FW in HQ1, to route Internet traffic via ISP1 and enable monitoring in PBF.
2. Configure an IPSEC tunnel between PAN FW1 and PAN FW2
3. Configure a static route in the routing table of PAN FW in HQ1 to route Internet traffic using tunnel as an exiting interface.
Hope that helps!
Thanks and regards,
Kunal Adak
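The three steps above, written out as PAN-OS set commands. This is an added illustration, not Kunal's configuration and not taken from the linked Palo Alto document. Everything specific is assumed: interface numbers, zone names (trust, untrust, vpn), the RFC 5737 addresses, the monitored public host, the PSK placeholder, and the HQ2 addressing. It also assumes the PBF monitor is the only health check, as in the steps above, so the routing table carries a single default route into the tunnel and nothing else.

```text
## HQ1 firewall (assumed: ethernet1/1 faces the Internet RTR, ethernet1/2 faces RT1/MPLS)
set network interface ethernet ethernet1/1 layer3 ip 203.0.113.2/30
set network interface ethernet ethernet1/2 layer3 ip 10.1.0.1/24
set network interface tunnel units tunnel.1
set zone untrust network layer3 ethernet1/1
set zone trust network layer3 ethernet1/2
set zone vpn network layer3 tunnel.1
set network virtual-router default interface [ ethernet1/1 ethernet1/2 tunnel.1 ]

## Step 1: PBF to ISP1 with monitoring.
# First rule: internal prefixes (HQ2 LAN over MPLS) must never be forced out to ISP1.
set rulebase pbf rules internal-no-pbf from zone trust source any destination 10.2.0.0/24 application any service any action no-pbf
# Second rule: everything else from the LAN goes to ISP1. Monitor a host BEYOND the Internet
# router (assumed 198.51.100.53), not the router itself, so an upstream ISP outage is detected.
# disable-if-unreachable pulls the rule out when pings fail, and the routing table takes over.
set network profiles monitor-profile isp1-mon interval 3 threshold 5 action fail-over
set rulebase pbf rules lan-to-isp1 from zone trust source any destination any application any service any
set rulebase pbf rules lan-to-isp1 action forward egress-interface ethernet1/1 nexthop ip-address 203.0.113.1
set rulebase pbf rules lan-to-isp1 action forward monitor profile isp1-mon disable-if-unreachable yes ip-address 198.51.100.53
# NAT and policy for the normal ISP1 path.
set rulebase nat rules lan-to-isp1-snat from trust to untrust source any destination any source-translation dynamic-ip-and-port interface-address interface ethernet1/1
set rulebase security rules lan-to-internet from trust to untrust source any destination any application any service application-default action allow

## Step 2: IPsec tunnel to the HQ2 firewall. The tunnel rides the internal MPLS, so it is anchored
# on the LAN-side interface; the peer is the HQ2 firewall's LAN-side address (assumed 10.2.0.1),
# reached through RT1 (assumed 10.1.0.254). This route must exist or IKE has no path to the peer.
set network virtual-router default routing-table ip static-route to-hq2-lan destination 10.2.0.0/24 interface ethernet1/2 nexthop ip-address 10.1.0.254 metric 10
set network ike gateway to-hq2 local-address interface ethernet1/2
set network ike gateway to-hq2 peer-address ip 10.2.0.1
set network ike gateway to-hq2 authentication pre-shared-key key <strong-psk>
set network ike gateway to-hq2 protocol ikev1 ike-crypto-profile default
set network tunnel ipsec to-hq2 auto-key ike-gateway to-hq2
set network tunnel ipsec to-hq2 auto-key ipsec-crypto-profile default
set network tunnel ipsec to-hq2 tunnel-interface tunnel.1
set rulebase security rules lan-to-hq2-backup from trust to vpn source any destination any application any service application-default action allow

## Step 3: the only default route in the routing table points into the tunnel. While the PBF
# rule is active it wins; once the monitor disables it, LAN Internet traffic follows this route.
set network virtual-router default routing-table ip static-route default-via-hq2 destination 0.0.0.0/0 interface tunnel.1 metric 10

## HQ2 firewall: the mirror image of the above, plus two things HQ1's failover traffic needs.
# Without this NAT rule HQ1's private addresses leave via ISP2 unchanged and are dropped upstream.
set rulebase nat rules hq1-backup-snat from vpn to untrust source 10.1.0.0/24 destination any source-translation dynamic-ip-and-port interface-address interface ethernet1/1
set rulebase security rules hq1-backup-internet from vpn to untrust source 10.1.0.0/24 destination any application any service application-default action allow
# Keep HQ2's own PBF rule matched on "from zone trust" only. If it also matched the vpn zone, a
# simultaneous ISP2 outage would send HQ1's traffic back into the tunnel and loop it.

## Checks after commit
show pbf rule all
test pbf-policy-match from trust source 10.1.0.10 destination 198.51.100.53 protocol 6 destination-port 443
show vpn ike-sa
show vpn flow
```

Two things to verify on a lab unit before relying on this: watch `show pbf rule all` flip the rule to disabled while the monitored host is blocked, and confirm that the first new session after that point appears in the HQ2 traffic log with the ISP2 public address as its translated source. Existing sessions stay on the path they were created on, so a failover test must use fresh connections.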
07-14-2014 09:56 AM
Hello ErwinBuena,
A few related docs are listed below; they may help you with the configuration steps in this scenario.
Configuring Policy Based Forwarding (PBF)
Thanks
07-14-2014 02:31 PM
If I understand correctly, you want to use ISP1 from HQ2 if ISP2 fails. And use ISP2 from HQ1 if ISP1 fails.
If that is correct, then you do not need vpn in the mix at all.
You would follow the Dual ISP branch instructions on both PA.
Dual ISP Branch Office Configuration
07-14-2014 04:37 PM
Hi Steven
Configuration would be more complicated if I did the failover functionality on the HQ RTR; that would look like this.
Thanks to Kadak and Hulk for your update as well.
Cheers,
Erwin
07-14-2014 06:38 PM
I see the issue that the dueling default routes would cause in my original scenario.
In a vpn between the PA the following would occur. This may not be any simpler than your MPLS fail-over solution.
07-14-2014 07:18 PM
Hi Steven,
See my update below
It looks like it's getting more complicated than the original plan I had in mind. Do you think it makes sense to do it this way, or should I look at other solutions?
Your feedback is highly appreciated and helps me a lot to think outside the box for the solution I'm planning.
Cheers,
Erwin