Internal NAT failover

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Internal NAT failover

L2 Linker

Hello all,

I was wondering if a certain scenario is possible through a Palo Alto PA-3020.  Say we have a single ISP with an internal NAT rule pointing to internal server A that is accessible by anyone in the outside world.  If server A ever goes down (or we take it offline), the internal NAT rule will failover to another internal NAT rule pointing to server B.  These two servers are not load balanced nor are they accessed at the same time by the outside world.  The same external IP address will be used to access whichever server is online but again never both at the same time and of course both servers have different internal IP addresses in the same subnet.

I'm thinking this would be accomplished with two NAT rules and one or two PBF rules.  What I am trying to figure out is how the Palo would know to use the other internal NAT rule if server A goes down.  Is something like this possible?

1 accepted solution

Accepted Solutions

L7 Applicator

The functionality you're looking for is commonly found in load balancers.  Even if you can find a way to get this working with PBF+NAT+Monitoring+API+whatever, you'll ultimately be better served by using the right tool for the job. 

View solution in original post

10 REPLIES 10

L5 Sessionator

I only see two options:

  1. If you could manage to have the public IP used by the outside world to reach the servers being dynamicaly learned by the PA-3020 using a routing protocol (i.e. RIP) from the servers, then you could put each server in a different security zone and use two destination NAT rules. But I guess the public IP you're using will have to be directly attached to the ISP facing interface, blocking this option.
  2. To implement an external monitor that signals a configuration change using the PANOS Config API when any server becomes unreachable.

There is the PBF+PathMonitoring alternative to routing protocols for option 1. But you still need the Public IP not to be directly connected to any PA-3020 interface.

L5 Sessionator

ClintL You can look into clustering service on windows as an option.

L7 Applicator

Hello Clint,

I think we can achieve this through a  PBF policy. We can configure a PBF policy for Primary Server with a monitor profile, pointing towards Primary servers IP address ( Since PBF will take precedence over routing)  and the backup server will be reachable through normal routing.

Once PBF will fail ( monitor IP not reachable), the traffic will start flowing through routing toward backup server.

Thanks

L5 Sessionator

But the issue is you'll have only one destination NAT rule to be matched no matter which server is the active one. That's why I suggest methods in "option 1" to have two routes to the Public IP (via Routing Protocols or PBF) with the goal of having a destination zone change that would allow us to match two different destination NAT rules

L2 Linker

Hi ClintL,

Since the requirement is  to use only One public IP, (as far as I know) from configuration perspective on the PA 3020, I don't think this can be achieved unless you use different destination ports to identify the internal servers A and B that share the same public IP, say 1.1.1.1. In that case, the external hosts need to know that if server A is unreachable over the socket 1.1.1.1:xx, then use server B's socket 1.1.1.1:yy.

As of now, fail-over or redundant NAT rules cannot be configured (meaning you cannot have two D-NAT rules pointing to the same public IP with different internal destination IP transalations unless you want to use destinaion IP and port translation)

Also, refer Understanding PAN-OS NAT

Thanks

Gayathri

L7 Applicator

The functionality you're looking for is commonly found in load balancers.  Even if you can find a way to get this working with PBF+NAT+Monitoring+API+whatever, you'll ultimately be better served by using the right tool for the job. 

I appreciate the responses, guys.  Yeah this was one of those "figure out how the Palo can do this" by the higher ups but like it was mentioned the Palo isn't the best solution.  Thanks again and have a great weekend.

If budget is the problem there is a basic open source load balancer in the Zen project on source forge.

Zen Load Balancer | SourceForge.net

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

Hi Clintl,

You can also opt for F5, its one of the best load balancer in industry. A10 load balancere is cheaper one.

Regards,

Hardik Shah

  • 1 accepted solution
  • 6124 Views
  • 10 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!