This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

ISP failover in PanOS 7.0.4

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

ISP failover in PanOS 7.0.4

rufusleonard
L0 Member

‎02-05-2016 06:26 AM

Hi, 

 

We are moving from Juniper ScreenOS SSG firewalls to PanOS 7.0.4, 3020 clustered firewalls. 

 

On our Junipers we make use of a feature called track-ip for Interface failover between ISP's...This basically works by pinging a far device on the primary link, and after the PING failure limits being exceeded, the default route changes to that of our secondary ISP link/interface. 

 

I'm not talking about VPN failover here, but default route / link failure/failover.

 

I asked this of Palo Alto support but got the following response:

"The Path Monitoring feature monitors the full path through the network to mission-critical IP addresses to control failover. ICMP pings are used to verify reachability of the IP address. The default behavior is any one of the IP addresses becoming unreachable will cause the device to change the HA state to non-functional to indicate a failure of a monitored object."

 

This to me very much looks like a HA state config, and nothing to do with ISP link failover. 

 

Upon speaking to someone else who is Palo accredited, they suggested using PBF, but I really don't like PBF. They then said that PanOS has a new feature called 'ECMP' and we might be able to make use of that?

 

Can anyone advise of a similar option of the Juniper ScreenOS 'track-ip' on the Palo Alto's?

 

Will ECMP work?

 

Is there and alternative, other than PBF?

 

Thanks, 

 

John

 

 

 

0 Likes Likes
3 REPLIES 3

Raido_Rattameister
Cyber Elite
Cyber Elite

‎02-05-2016 07:18 AM

ECMP (at least in current version) can check only if link is up or down.

It does not send out ping to verify so no path monitoring.

 

PBF can be used in that case.

So if path monitoring can't see destination then firewall will fall back to virtual router where you have configured your secondary ISP.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
0 Likes Likes

rufusleonard
L0 Member
In response to Raido_Rattameister

‎02-05-2016 09:03 AM

Thanks foryour swift reply. So when you say link down wity ECMP, I'm assuming that's just the interface reporting as down?

 

If so, can it be configured to failover to the other link on link/interface failure, and what happens when a clustered 3020 is set-up?

 

Thanks again, 

 

John

0 Likes Likes

OtakarKlier
Cyber Elite
Cyber Elite
In response to rufusleonard

‎02-05-2016 03:25 PM

Hello,

I think what you may be looking for is Policy Based Forwarding with path monitoring.

 

https://live.paloaltonetworks.com/t5/Configuration-Articles/Dual-ISP-Branch-Office-Configuration/ta-...

 

Its an older document but still holds validity.

 

Cheers!

0 Likes Likes
  • 4656 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks