This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

How to prefer 1 ISP for one application

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

How to prefer 1 ISP for one application

Roby_Sreejith
L4 Transporter

‎08-10-2016 09:33 PM

I got why huge traffic is coming to port 3978.Application is identified as Panorama.
Its hge Gbs of traffic in one session.
The source IP is firewall management Ip and destination is Panorama IP.

But why i need to kill this session means, we have a setup of 2 ISPs. We prefere this traffic should go through 1 ISP only one ISP.

Tht we accomplish through PBF ruless to 1 ISP.we use port in PBF. However there are 2 issues in this:


1) As per PBF session, first few packets will go thorgh normal routing table and wont take PBF. untill the aplication identified. in this case as it is Panorama traffc it is never ending traffic.
So this stayes at 1 ISP only( Not the ISP we define in PBF) . We have to manually kill Session an then next sessio will take 2 nd ISP.

2) another scenarion, lets assume my 1st ISP down, then panorama traffic will take 2nd ISP( non prefereed). But even if 1st ISP came up also, as panorama is never ending session, it will continue on 2 nd ISP untll we clear manually.

Can any one have suggestions on this.

PCNSE-7, ACE-6,ACE 7 , CCNP, CCNA,CCIE(theory) , RHCE
Firewalldog dot com
0 Likes Likes
2 REPLIES 2

reaper
Cyber Elite
Cyber Elite

‎08-11-2016 04:42 AM

Hi

 

Unfortunately i don't think there's an easy fix as the backend connection to panorama is kept open continuously

You could try setting a static route for a single IP instead of the PBF policy for this specific issue

 

One bit of good new may be that the traffic to panorama should not be that big: when the session ends the today bytecount is added for the complete duration of the single session, which could be weeks to even months of data all added into 1 bytecount. if you do see excessive bandwidth usage, you can opt to tone down log forwarding to only the critical logs

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
0 Likes Likes

rabolfathi
L1 Bithead

‎08-11-2016 10:30 PM

Two suggestions:  First, don't use application as a matching criteria in PBF.  As you indicated, it needs to look at some packets before it determines the application, by which time it's too late.  Instead, just use source & destination.

 

Second, if the fix above works, then your traffic monitoring rule should see that the ISP is down and automatically switch to the second ISP.

0 Likes Likes
  • 1548 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks