multiple ISPs for GlobalProtect

Reply
Highlighted
L3 Networker

multiple ISPs for GlobalProtect

Hello

 

I have read "How to Configure Dual ISP Network with GlobalProtect VPN using a Virtual Router and Policy-Based Forwarding" (https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClJeCAK) since we had exactly the same challenge a few days ago. I solved it using a second virtual router.

If I follow the setup as shown in the HowTo, which ISP is chosen for an reply packet coming in via ISP2?

The users PC (to be more precise the GP software) is connecting to the firewalls IP of ISP2, traffic coming in via line of ISP2. Due to having only one default route, I expect that the reply to the PC is sent back via ISP1.

Highlighted
L2 Linker

Hello,

 

Can you be more specific on you statement: "If I follow the setup as shown in the HowTo" ?

 

If I understood this right, you have setup the similar. infrastructure outlined in the document you've shared with 2 ISP's. If you exactly followed the document, how and why did you configure a second VR? Did you have it for any other purpose?

 

If you have exactly followed the document, then having 2 ISP's on the same VR and having your GP Gateway on your firewall will work as below:

 

ISP 1 for your LAN traffic - No confusion here.

 

Your GP gateway on ISP2 - No confusion here.

 

The whole purpose of having a PBR and NAT for ISP2 in place for your GP traffic is that: any destination other than RFC1918 takes the ISP2 path. For RFC1918, you will anyway have the static route to your tunnel gateway, so any session to/from end user to RFC1918 will take the tunnel path.

 

Hope this makes sense.

 

Thank you.

Highlighted
L3 Networker

Hello @ALLADASAINITIN 

I configured my setup before I stumbled over the howto. Trying to verify if I did it correct, I read the howto.

The question is: which path is a reply from the gateway IP (ISP 2) taking when sending a reply to the users PC (sent by GlobalProtect) on the Internet? My concern is the "tunnel" traffic between client and VPN gateway.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!