pa-3020 with 3ISP, how to utilize all ISP Bandwidth effectively

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.

pa-3020 with 3ISP, how to utilize all ISP Bandwidth effectively

L1 Bithead

I configured the PA-3020 with 3 ISP as below

1. ISP1-2Mbps DIA

2. ISP2-20Mbps DIA

3. ISP3-200Mbps DSL


I want to configure the PA as below


ISP1 for VPN access

ISP2 for Business applications traffic with QoS (like outlook traffic and etc.)

ISP3 for general browsing


Please suggest.


Thank you

Mohammed Ali




Cyber Elite
Cyber Elite


I would suggest Policy Based Forwarding in this case. However without some kind of dynamic routing protocol for the external interfaces, you might have to use multiple virtual routers.


1VR for the Global Protect VPN


1VR for the browsing and Policy Based Forwarding


However if possible, I would say upgrade the 20M ISP to something higher and route all traffic over it and use the DLS as a failover circuit, just a thought.


Hope this helps.

L7 Applicator

Hi @ali.mathur


To propose a good (/the best solution) I have some additional questions:

  • Business applications: Do you need them to be identifier by App-ID or do you have IP addressranges to use in PBF rules? Here you have to keep in mind that App based PBF only works as soon as the FW has identified the app. So the first packets may be do not get routed the way you want/need
  • VPN: S2S or C2S VPN? If C2S: full or split tunnel configuration? If S2S: external company access or remote locations of your company?

Hi vsys_remo,


Thanks for your reply. please find the below comment.


1. We need to identify the business application.

2. C2S VPN with full tunnel.




Hi @ali.mathur


So lets try to get this done ... but first I need to say, there will be no perfect solution if you have to rely on App-ID for PBF rules. There are always sessions that will not use the connection you want them to use ...


1. VPN access

There I see two options: the first (with one virtual router) is you use a loopback interface for your GP portal/gateway. There you assign a private IP for that loopback interface and a NAT rule that translates incoming packets to the ISP1 IP to the private IP of your loopback interface. In addition you have to create a PBF that somehow will do the same as the NAT rule. This PBF rule has to forwards the VPN traffic to the loopback interface, but the main reason you need this rule is to enable the option "enforce symmetric return" on VPN traffic. This will ensure that reply traffic from your firewall will use ISP1 connection. It is also needed because the default route will point to another ISP connection (actually ISP3).

The second possibility is, as already proposed by @OtakarKlier, use a dedicated virtual router for the external GP interface. This way you won't need the NAT or PBF rule mentionned above because the traffic has only one option (you will only assign ISP1 to this virtual router)

With the swcond option you attach the tunnel interface to the virtual router where you will also have ISP2 and 3



Before we no get to your business traffic you need to make a decision: do you wan't more low priority traffic on ISP2 and make sure that your business applications will use this connection or dou you accept that business traffic sessions also use ISP3 unless PA identifies them as the apps you specified and then new sessions to the same dst ip with the same port and protocol will be routed over to ISP2.

--> As you have a lot more bandwith on ISP3 I would use this one as primary



2. Your business traffic: for this traffic you need to create your app-based PBF rule where you specify all the apps which are business traffic for your company. I would also reccomend that you specify a monitor profile and disable the PBF rule if the specified IP address (next hop at ISP2)


3. All other traffic: to route all other traffic to ISP3 you do not need to create a PBF rule, there you only need to set the default route to ISP3.


This way it should be possible to use all 3 ISP connections. In addition, all traffic coming in from the VPN clients to the internet (if you allow internet access for them) will also use ISP2 for business apps and ISP3 for all other internet connections.


But as mentionned in this post and also in your other topic. App based PBF rules are not recommended. If ever possible use layer 3 or 4 informations to specify what traffic needs to be routed to ISP2. So for example for things like office 365 microsoft publishes IP range lists. The informations from these lists you can use for IP based PBF rules. It may not always be possible to do it like this, but there are probably more services than you think where you will find IP informations on the internet which you can use in more reliable PBF rules.


If you have additional questions, feel free to ask.




  • 4 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!