09-14-2016 01:56 PM
Is there a way in a Palo Alto firewall to do that? Is someone already using it?
Example
x.x.x.x (public) ------ Palo Alto (NAT) ---------------- 172.16.5.5 (primary)
                                        |
                                        ---------------- 172.16.5.6 (backup)
Mike.
09-14-2016 03:11 PM
Hello,
Sounds like a load balancer would work better. But thinking about it, I wonder if Policy Based Forwarding with a Monitor would work. While I have not tried it in this fashion, I have used it for a multiple ISP failover scenario.
Perhaps someone else has tried it?
Regards,
09-14-2016 04:05 PM - edited 09-14-2016 04:07 PM
I was thinking about the PBF option as well, but as you stated it is actually for the vice versa option, as you can only specify one default gateway for the client in the "trust" zone. Just thinking how the client is going to change a DG if one link is failing. No VRRP option available or possible here 🙂 One device, so not much we can do. Thinking about this:
https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-LACP/ta-p/65837
But I am not very familiar with this protocol and whether it works in Layer 3 with one IP, so I cannot comment much.
09-15-2016 01:50 AM - edited 09-15-2016 01:53 AM
Hi all,
Depends on what you are looking for:
- Use Policy Based Routing: Active/Passive or Active/Active - and you choose which traffic goes on which link
- Use Link Layer Distribution Protocol - acts like load balancing by defining two routes with the same weight
https://www.paloaltonetworks.com/documentation/70/pan-os/newfeaturesguide/networking-features/lldp
Hope this helps
V.
09-15-2016 04:54 AM
You don't need to set a default gateway for the internal subnets; a simple subnet route will suffice: Policy Based Forwarding bypasses route lookups when it is active for a session.
From the perspective of the PBF configuration, the public side can be treated as the local network and the 2 routes as the dual-ISP.
- set a PBF with monitor pointed at the primary link
- set a normal route to the secondary link
09-15-2016 11:04 AM
Just confused, do I create two NAT rules from trust to untrust as bidirectional and then apply PBF for a connected subnet?
I'm using L3 interfaces.
09-16-2016 02:07 PM
Since NAT rules are zone based, you can set the external zone to zone1 and the 2 internal interfaces to zone2; that way your NAT rule will always apply, regardless of the internal interface in use.
Then have PBF route traffic to the primary link if the monitor is up, and a static route be the backup for the secondary link if the PBF monitor fails.
- During the failover from the primary interface to the backup, existing sessions will fail out due to them being bound to the interfaces, but new sessions will simply pick up as expected, using the same NAT rule.
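The building blocks of the approach described in this reply, written out as PAN-OS `set` commands. This is an added example, not configuration from the thread or from Palo Alto Networks; the interface names (ethernet1/1 public, ethernet1/2 primary, ethernet1/3 backup), zone and rule names, and the internal network 10.10.0.0/16 with host 10.10.1.10 behind the two next-hops are assumptions, and the public address keeps the thread's x.x.x.x placeholder.

```text
# Assumed layout: 172.16.5.5 (via ethernet1/2) and 172.16.5.6 (via ethernet1/3)
# are both next-hops to the same internal network 10.10.0.0/16 (hypothetical).
# Interface addressing is omitted.

# Both internal interfaces sit in one zone, so a single zone-based NAT rule
# matches whichever internal link the session ends up using.
set zone untrust network layer3 ethernet1/1
set zone trust network layer3 [ ethernet1/2 ethernet1/3 ]

# Backup path: an ordinary static route via the secondary link. The route
# lookup only happens for sessions that no active PBF rule has claimed.
set network virtual-router default routing-table ip static-route to-internal-backup destination 10.10.0.0/16 nexthop ip-address 172.16.5.6 interface ethernet1/3 metric 10

# Monitor profile: probe every 3 s, declare the path down after 5 missed
# probes, and fail over instead of waiting for the path to recover.
set network profiles monitor-profile pbf-mon interval 3 threshold 5 action fail-over

# Primary path: PBF from the public side, forced out the primary link while
# its next-hop answers the monitor. PBF is evaluated on the pre-NAT packet,
# so the destination is the public address, not the translated host.
# disable-if-unreachable removes the rule from lookup when the monitor fails,
# so new sessions fall through to the static route above.
set rulebase pbf rules to-internal-primary from zone untrust
set rulebase pbf rules to-internal-primary source any
set rulebase pbf rules to-internal-primary destination x.x.x.x
set rulebase pbf rules to-internal-primary application any
set rulebase pbf rules to-internal-primary service any
set rulebase pbf rules to-internal-primary action forward egress-interface ethernet1/2 nexthop ip-address 172.16.5.5
set rulebase pbf rules to-internal-primary action forward monitor profile pbf-mon disable-if-unreachable yes ip-address 172.16.5.5

# Inbound destination NAT (from untrust to untrust, since the pre-NAT
# destination x.x.x.x lives on the public interface). The same rule serves
# both internal links because the translated host, not the link, is named.
set rulebase nat rules inbound-dnat from untrust to untrust source any destination x.x.x.x service any
set rulebase nat rules inbound-dnat destination-translation translated-address 10.10.1.10

# Outbound source NAT for the whole trust zone to the public interface
# address; it does not depend on which internal interface carried the flow.
set rulebase nat rules trust-out from trust to untrust source 10.10.0.0/16 destination any service any
set rulebase nat rules trust-out source-translation dynamic-ip-and-port interface-address interface ethernet1/1
```

After a failover, `show pbf rule all` shows the rule's status and `show session all` lets you confirm that sessions bound to ethernet1/2 have aged out while new ones use the static route.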