02-22-2013 03:42 AM
Hi,
we have MPLS link between two sites. Right now I want to setup backup link with IPSec tunnel. schema of network connection is as on picture.
please help me to configure Palo Alto device to monitor MPLS link and switch to IPSec tunnel when MPLS link will be down.
Switch on right site has IPSLA ready that check connection to MPLS router and change routing automatically to PA.
Palo Alto has two routing record for the same sub net with different metric and adm distance but it don't swap to IPSec automatically. Please tell me how I should configure PA to support this scenario without my interaction ?
What should I use PBF, redistribution profiles under VR - static, add one VR more, Monitor tunnel?
Thank you for advice!
11-27-2013 04:41 AM
Hello Jakub,
Yes we will have to use PBF to have auto failover if the primary link is failed.
In PBF rule we set the primary link ( in your case it is MPLS path ). PBF rules are given priority over default routes and security rules. If the PBF fails then it would take the default static route to the tunnel for backup path.
Below are some doc suggestions to understand and customize your implementation.
How to Setup a Palo Alto Networks Firewall with Dual ISPs and Automatic VPN Failover
Dual ISP Branch Office Configuration
Thanks
11-27-2013 02:56 AM
Hi,
I think you should use PBF for this since only by using PBF you can achieve automatic failover. Unless you have a dynamic routing protocol running in your MPLS networks, there is no way that the firewall knows that the route to your MPLS cloud was down.
11-27-2013 04:41 AM
Hello Jakub,
Yes we will have to use PBF to have auto failover if the primary link is failed.
In PBF rule we set the primary link ( in your case it is MPLS path ). PBF rules are given priority over default routes and security rules. If the PBF fails then it would take the default static route to the tunnel for backup path.
Below are some doc suggestions to understand and customize your implementation.
How to Setup a Palo Alto Networks Firewall with Dual ISPs and Automatic VPN Failover
Dual ISP Branch Office Configuration
Thanks
11-27-2013 11:01 AM
Hi,
Fully agree with Phoenix. Just be sure that the juniper on remote site be able to send traffic in VPN too (in case of vpn failure) alse ... it will fail 🙂
Hope help.
v.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
