NAT public IP to two private IP as failover

L2 Linker

Is there a way in a Palo Alto firewall to do that? Is someone already using it?

x.x.x.x (public) ------ Palo Alto (NAT) ---------------- (primary)

Cyber Elite

Sounds like a load balancer would work better. But thinking about it, I wonder if Policy Based Forwarding with a monitor would work. While I have not tried it in this fashion, I have used it for a multiple-ISP failover scenario.

Perhaps someone else has tried it?



I was thinking about the PBF option as well, but as you stated it is actually for the vice versa option, as you can only specify one default gateway for the client in the "trust" zone. Just thinking how the client is going to change a DG if one link is failing. No VRRP option available or possible here 🙂 One device, so not much we can do. Thinking about this:

But I am not very familiar with this protocol and whether it works in Layer 3 with one IP, so cannot comment much.

Hi all,

Depends on what you are looking for:

   - Use Policy Based Routing: Active/Passive or Active/Active, and you choose which traffic goes on which link

   - Use Link Layer Distribution Protocol: acts like load balancing by defining two routes with the same weight

Hope it helps




You don't need to set a default gateway for the internal subnets; a simple subnet route will suffice. Policy Based Forwarding bypasses route lookups when it is active for a session.

From the perspective of the PBF configuration, the public side can be treated as the local network and the two routes as the dual ISP:

- set a PBF rule with a monitor pointed at the primary link

- set a normal route to the secondary link

Tom Piens
PANgurus - SASE and Strata specialist; (co)managed services, VAR and consultancy

L2 Linker

Just confused: do I create two NAT rules from trust to untrust as bidirectional and then apply PBF for a connected subnet?

I'm using L3 interfaces.

Since NAT rules are zone based, you can set the external zone to zone1 and the two internal interfaces to zone2; that way your NAT rule will always apply, regardless of the internal interface in use.

Then have PBF route traffic to the primary link if the monitor is up, and a static route as backup for the secondary link if the PBF monitor fails.

- During the failover from the primary interface to the backup, existing sessions will fail due to them being bound to the interfaces, but new sessions will simply pick up as expected, using the same NAT rule.

Tom Piens
PANgurus - SASE and Strata specialist; (co)managed services, VAR and consultancy
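A small model of the scheme described in the two replies above, added here as an illustration and not PAN-OS configuration or code from the original thread: one zone-based destination NAT rule that matches whichever internal interface is in use, a PBF decision that applies only while the path monitor reports the primary link up, a static route that takes over when it is down, and sessions pinned to the egress interface chosen at setup. Interface names, zone names and addresses are constructed; the single translated address and the "existing sessions fail, new sessions pick up" behaviour are assumptions of the model taken from the reply, not verified PAN-OS internals.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Link:
    """One internal interface (constructed name) and the state its PBF path monitor reports."""
    interface: str
    zone: str
    monitor_up: bool = True


@dataclass
class NatRule:
    """Zone-based destination NAT: public IP -> private IP, matched on zones, not interfaces."""
    from_zone: str
    to_zone: str
    original_dst: str
    translated_dst: str

    def matches(self, from_zone: str, to_zone: str, dst: str) -> bool:
        return (from_zone, to_zone, dst) == (self.from_zone, self.to_zone, self.original_dst)


SessionKey = Tuple[str, str, int]  # (client source IP, public destination IP, destination port)


@dataclass
class Firewall:
    public_zone: str
    nat: NatRule
    primary: Link    # the PBF rule with path monitor points here
    secondary: Link  # the plain static route points here
    sessions: Dict[SessionKey, str] = field(default_factory=dict)  # session -> egress interface

    def egress_for_new_session(self) -> Link:
        # PBF is evaluated first and bypasses the route lookup while its monitor is up.
        if self.primary.monitor_up:
            return self.primary
        # Monitor down: PBF is disabled, so the normal route lookup hits the static route.
        return self.secondary

    def forward(self, src: str, dst: str, dport: int) -> Optional[dict]:
        """Return the forwarding decision for one packet, or None if it is dropped."""
        key: SessionKey = (src, dst, dport)
        bound = self.sessions.get(key)
        if bound is None:
            link = self.egress_for_new_session()
            # Both internal interfaces sit in the same zone, so the one NAT rule
            # matches regardless of which link the session ends up on.
            if not self.nat.matches(self.public_zone, link.zone, dst):
                return None
            self.sessions[key] = link.interface
            return {"egress": link.interface, "translated_dst": self.nat.translated_dst}
        # Existing session: it stays bound to the interface chosen at setup time.
        link = self.primary if bound == self.primary.interface else self.secondary
        if not link.monitor_up:
            # Interface is down: the session dies; the client has to open a new one.
            del self.sessions[key]
            return None
        return {"egress": link.interface, "translated_dst": self.nat.translated_dst}


def run_failover_demo() -> dict:
    """Walk through a monitor failure and report what happened to old and new sessions."""
    fw = Firewall(
        public_zone="untrust",
        nat=NatRule("untrust", "trust", "203.0.113.10", "10.0.0.10"),  # constructed addresses
        primary=Link("ethernet1/2", "trust"),
        secondary=Link("ethernet1/3", "trust"),
    )
    before = fw.forward("198.51.100.5", "203.0.113.10", 443)
    fw.primary.monitor_up = False  # PBF path monitor declares the primary link unreachable
    existing_after = fw.forward("198.51.100.5", "203.0.113.10", 443)  # pinned session dies
    new_after = fw.forward("198.51.100.6", "203.0.113.10", 443)       # new client uses backup
    reconnect = fw.forward("198.51.100.5", "203.0.113.10", 443)       # old client reconnects
    return {
        "before": before,
        "existing_after": existing_after,
        "new_after": new_after,
        "reconnect": reconnect,
    }


if __name__ == "__main__":
    for step, result in run_failover_demo().items():
        print(f"{step}: {result}")
```

The point the model makes visible is the one in the reply: the NAT rule never changes across the failover, only the egress interface does, and the cost is that any session already bound to the primary interface is lost and must be re-established by the client.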