ISP failover in PanOS 7.0.4

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

ISP failover in PanOS 7.0.4

L0 Member

Hi, 

 

We are moving from Juniper ScreenOS SSG firewalls to PanOS 7.0.4, 3020 clustered firewalls. 

 

On our Junipers we make use of a feature called track-ip for Interface failover between ISP's...This basically works by pinging a far device on the primary link, and after the PING failure limits being exceeded, the default route changes to that of our secondary ISP link/interface. 

 

I'm not talking about VPN failover here, but default route / link failure/failover.

 

I asked this of Palo Alto support but got the following response:

"The Path Monitoring feature monitors the full path through the network to mission-critical IP addresses to control failover. ICMP pings are used to verify reachability of the IP address. The default behavior is any one of the IP addresses becoming unreachable will cause the device to change the HA state to non-functional to indicate a failure of a monitored object."

 

This to me very much looks like a HA state config, and nothing to do with ISP link failover. 

 

Upon speaking to someone else who is Palo accredited, they suggested using PBF, but I really don't like PBF. They then said that PanOS has a new feature called 'ECMP' and we might be able to make use of that?

 

Can anyone advise of a similar option of the Juniper ScreenOS 'track-ip' on the Palo Alto's?

 

Will ECMP work?

 

Is there and alternative, other than PBF?

 

Thanks, 

 

John

 

 

 

3 REPLIES 3

Cyber Elite
Cyber Elite

ECMP (at least in current version) can check only if link is up or down.

It does not send out ping to verify so no path monitoring.

 

PBF can be used in that case.

So if path monitoring can't see destination then firewall will fall back to virtual router where you have configured your secondary ISP.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Thanks foryour swift reply. So when you say link down wity ECMP, I'm assuming that's just the interface reporting as down?

 

If so, can it be configured to failover to the other link on link/interface failure, and what happens when a clustered 3020 is set-up?

 

Thanks again, 

 

John

Hello,

I think what you may be looking for is Policy Based Forwarding with path monitoring.

 

https://live.paloaltonetworks.com/t5/Configuration-Articles/Dual-ISP-Branch-Office-Configuration/ta-...

 

Its an older document but still holds validity.

 

Cheers!

  • 4661 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!