I was wondering if a certain scenario is possible through a Palo Alto PA-3020. Say we have a single ISP with an internal NAT rule pointing to internal server A that is accessible by anyone in the outside world. If server A ever goes down (or we take it offline), the internal NAT rule will failover to another internal NAT rule pointing to server B. These two servers are not load balanced nor are they accessed at the same time by the outside world. The same external IP address will be used to access whichever server is online but again never both at the same time and of course both servers have different internal IP addresses in the same subnet.
I'm thinking this would be accomplished with two NAT rules and one or two PBF rules. What I am trying to figure out is how the Palo would know to use the other internal NAT rule if server A goes down. Is something like this possible?
Solved! Go to Solution.
I only see two options:
I think we can achieve this through a PBF policy. We can configure a PBF policy for Primary Server with a monitor profile, pointing towards Primary servers IP address ( Since PBF will take precedence over routing) and the backup server will be reachable through normal routing.
Once PBF will fail ( monitor IP not reachable), the traffic will start flowing through routing toward backup server.
But the issue is you'll have only one destination NAT rule to be matched no matter which server is the active one. That's why I suggest methods in "option 1" to have two routes to the Public IP (via Routing Protocols or PBF) with the goal of having a destination zone change that would allow us to match two different destination NAT rules
Since the requirement is to use only One public IP, (as far as I know) from configuration perspective on the PA 3020, I don't think this can be achieved unless you use different destination ports to identify the internal servers A and B that share the same public IP, say 22.214.171.124. In that case, the external hosts need to know that if server A is unreachable over the socket 126.96.36.199:xx, then use server B's socket 188.8.131.52:yy.
As of now, fail-over or redundant NAT rules cannot be configured (meaning you cannot have two D-NAT rules pointing to the same public IP with different internal destination IP transalations unless you want to use destinaion IP and port translation)
Also, refer Understanding PAN-OS NAT
I appreciate the responses, guys. Yeah this was one of those "figure out how the Palo can do this" by the higher ups but like it was mentioned the Palo isn't the best solution. Thanks again and have a great weekend.
If budget is the problem there is a basic open source load balancer in the Zen project on source forge.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!