ISP redundancy issues


Hello and thanks in advance for any help.

I have a PAN 500 that has been doing great. We added a second ISP and used the "PANOS 3.1 ISP REDUNDANCY using Policy Based Forwarding" to set up the second ISP, and this works well (servers go out the 'routed route' and the users use the policy-based forwarded path).

Now, we are getting closer to dropping one of the original ISPs and I have the replacement (a third ISP) connected up to the P500. It's set in the external zone and there was already (obviously) an internal-to-external rule to allow users out.

Additional setup info: we have several VLANs, handled by our Core switch (a Juniper 4200). We have a site-2-site VPN to another location. One VLAN is plugged directly into the FW as it handles PCI data and we wanted to limit access.

I tried to add it as a third ISP, by adding a second policy-based forwarding rule. When I did this, we lost connection with our S2S VPN and the PCI VLAN. I reverted to a previous save and all went back to working. I tried it again later, with great care, and got the same results. So I tried disabling the rules and setup for the current policy-based connected ISP, then I cloned them, modified them for the new ISP and enabled them. Same result. Revert to the save and try again. This time I just modified the rules for the policy-based connected ISP to use the new ISP info (interface, default GW, etc.) and when I committed, I got the same result: no contact with our S2S and loss of contact with our PCI VLAN.

I'm now back to the 'original' config.

Anyone have any ideas what I am doing wrong?


The post is a little old, but for future folks...

Add a PBF rule, preferably at the top, to do a 'no-pbf' on your Peer networks as the destination. PBF takes precedence over routes.

Destination - 'remote network' = 'no-pbf'
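To make the ordering point concrete, here is a small model of how PBF interacts with the routing table. This is an added illustration written for this page, not PAN-OS code or configuration syntax: it mimics the documented behaviour (PBF rules are checked top-down before the routing table; a 'forward' match fixes the egress, a 'no-pbf' match drops the packet back to normal routing). All zone names, interface names, prefixes and rule names are constructed sample values. It contrasts a rulebase with only a catch-all forward rule (which pulls VPN-peer and PCI-VLAN traffic out the second ISP) against one with no-pbf rules on top for those destinations.

```python
"""Toy model of policy-based forwarding (PBF) precedence over routing.

Added illustration, not PAN-OS code. PBF rules are evaluated first, top
down, first match wins; only when no rule matches (or a matching rule
says 'no-pbf') does the routing table decide the egress. All addresses,
zones and interface names below are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    egress: str                      # e.g. "tunnel.1" or "ethernet1/1"


@dataclass
class PbfRule:
    name: str
    src_zone: str
    destination: ipaddress.IPv4Network   # 'any' expressed as 0.0.0.0/0
    action: str                          # "forward" or "no-pbf"
    egress: Optional[str] = None         # only meaningful for "forward"


def route_lookup(routes: List[Route], dst: ipaddress.IPv4Address) -> str:
    """Longest-prefix match over the virtual router's routing table."""
    best = None
    for r in routes:
        if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best.egress


def egress_for(rules: List[PbfRule], routes: List[Route], src_zone: str, dst: str) -> str:
    """Egress interface a packet from src_zone to dst would take.

    PBF is consulted first, top-down, first match wins:
      'forward' -> egress fixed by the rule, routing table ignored
      'no-pbf'  -> stop PBF evaluation, fall back to the routing table
    No matching rule at all -> routing table.
    """
    ip = ipaddress.IPv4Address(dst)
    for rule in rules:
        if rule.src_zone == src_zone and ip in rule.destination:
            if rule.action == "no-pbf":
                break
            if rule.action == "forward":
                return rule.egress
            raise ValueError(f"unknown PBF action {rule.action!r}")
    return route_lookup(routes, ip)


# --- constructed sample topology -------------------------------------------
ANY = ipaddress.IPv4Network("0.0.0.0/0")
VPN_PEER_LAN = ipaddress.IPv4Network("10.50.0.0/16")   # remote site behind the S2S tunnel
PCI_VLAN = ipaddress.IPv4Network("10.20.30.0/24")      # VLAN plugged directly into the firewall

ROUTES = [
    Route(ANY, "ethernet1/1"),          # default route via the primary ISP
    Route(VPN_PEER_LAN, "tunnel.1"),    # remote office reached over the IPSec tunnel
    Route(PCI_VLAN, "ethernet1/5"),     # directly connected PCI segment
]

# Rulebase with only a catch-all forward rule for user traffic.
BROKEN_PBF = [
    PbfRule("users-via-isp2", "trust", ANY, "forward", egress="ethernet1/2"),
]

# Rulebase as the answer suggests: no-pbf for the peer networks sits on top.
FIXED_PBF = [
    PbfRule("keep-vpn-on-routing", "trust", VPN_PEER_LAN, "no-pbf"),
    PbfRule("keep-pci-on-routing", "trust", PCI_VLAN, "no-pbf"),
    PbfRule("users-via-isp2", "trust", ANY, "forward", egress="ethernet1/2"),
]

if __name__ == "__main__":
    for label, rulebase in (("without no-pbf", BROKEN_PBF), ("with no-pbf", FIXED_PBF)):
        print(label)
        for dst in ("10.50.1.10", "10.20.30.7", "8.8.8.8"):
            print(f"  trust -> {dst:<12} egress {egress_for(rulebase, ROUTES, 'trust', dst)}")
```

Running it shows the failure mode from the question: with only the catch-all rule, traffic for the VPN peer LAN and the PCI VLAN is sent out ethernet1/2 instead of tunnel.1 and ethernet1/5, because the forward rule matched before routing was ever consulted. With the two no-pbf rules above it, those destinations fall through to the routing table while ordinary Internet traffic still leaves via the second ISP.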
